A few years ago, a FireFox plugin was created called FireSheep. This tool was designed to sniff network traffic looking for common websites that were being visited over HTTP. HTTP sends the traffic between your system and the server in clear text. If it found a request/response of an authenticated user, it would capture the session cookie and allow the user of FireSheep to hijack the current session. While the site most likely performed the initial authentication with the … [Read more...] about Is HTTP being left behind for HTTPS?
General
Input Validation: Keep It Simple
Attackers take advantage of an application by manipulating the inputs to the system. For example, a first name field or even a request header like the user-agent. Applications wouldn't be very useful if they didn't accept any input from the end user. Unfortunately, this is the key attack vector. One of the basic techniques used to help protect a system is to us input validation, which assesses the input to determine if it is should be accepted. Many development groups have fought with the … [Read more...] about Input Validation: Keep It Simple
Black Lists and White Lists: Overview
I came across an interesting post on twitter the other day (https://twitter.com/suffert/status/567486188383379456) that depicts a sidewalk with a sign indicating what wasn't allowed on the sidewalk. You have seen these before: NO bicycles, skateboards, rollerblades, roller skates, scooters. In the information technology sector, this is known as a black list; a list that defines what is NOT allowed or permitted. You can see black lists all over the place, input validation, output encoding, … [Read more...] about Black Lists and White Lists: Overview
Sensitive Data and Storage Issues
Do you know what constitutes sensitive data in your organization? How about in your state or industry? As developers or business analysts we often do not follow the nitty gritty details of sensitive information regulations or laws. Not that we don't want to enforce them, but often times I think we often just don't know about them. It is often thought that the CIO, CISO or a privacy officer is responsible for understanding our data and to what level it needs to be protected. I completely … [Read more...] about Sensitive Data and Storage Issues
Welcome
Welcome to the brand new DevelopSec website. The goal of this site is to provide useful information for IT professionals to help develop better security practices. All too often, we see that there are professionals that are working very hard to create great products, but do not have the security information they need. Breaches are happening every day and many wonder why it matters. We hope to make an impact and show how we can learn from the breaches or other security incidents that occur so … [Read more...] about Welcome