Over the last several years, threats have moved off the desktop and into the application space in growing numbers. These threats affect desktop applications and, now more prominently, web and cloud-based applications.

By infecting one site, an attacker gains access to thousands (or in some cases millions) of end users.

Application security is not the same as having desktop anti-virus – it’s about finding and fixing vulnerabilities in the applications themselves.

This is the world of SQL injection, cross-site scripting, cross-site request forgery, clickjacking and, yes, even some social engineering.

The Challenge

As application security is both a developer topic and a traditional security topic, it crosses multiple journalist beats in some cases. There are application security vendors and technologies that target both security and developers, and there are those that specifically target one or the other.

Understanding whom to pitch and when (based on the vendor's direction) is key.

Many of the techniques and technical issues that affect application security are not as easy to understand as words like "virus" or "worm" (see Part 4, Desktop Security), which are common in desktop security. The threats that attack applications are often more technical and call for a deeper level of understanding, which some journalists demand.

How to Pitch

There are a number of key application security vendors that can be used as guideposts for finding coverage. HP/SPI Dynamics, IBM Watchfire, Cenzic, Fortify, Core Security and Coverity are among the dozens of very active vendors in this space (query: company name).

The types of attacks that these vendors protect against can also be used as keywords to help find coverage targets.

Query: SQL injection, cross-site scripting (XSS), cross-site request forgery, clickjacking, buffer overflow
