Security Learning Opportunity (SLO) – SLO provides a framework to create continuous learning within the application teams. It creates an opportunity for ongoing training that can be performed in under 30 minutes. It also uses real-world, business-relevant events.
Podcasts
- Down the Security Rabbithole (#DtSR) – James Jardine, Rafal Los and Michael Santarcangelo discuss current news topics and perform enterprise security interviews.
- DevelopSec – James Jardine discusses security topics as they relate to developers, QA analysts and other non-security team members.
Blogs
- Developer Notes – James Jardine blogs about developer (mostly .Net) security topics.
- DevelopSec – Blog about developing security within non-security groups (developers, QA, business, network, general public).
Presentations
- Code on the Beach – Application Security Risks and Exposure – James Jardine presents at Code on the Beach about different application security risks and how they expose the application and organization.
- InfoSecurity Magazine – [Panel] Achieving Secure Defense in Depth – A discussion with Stephen Gates, Rahim Jina, and James Jardine about application security defense.
- [Panel] When iOS Code is Leaked: How Companies Can Manage App Security – A discussion with Jeanne Morain, Don Cox, and James Jardine about the iOS iBoot code leak.
- How Hacking Changed My Perspective on Creating Applications – James Jardine presents at Code on the Beach 2016 about his experience as a security consultant and how it changed his perspective on creating applications.
- Recharging Penetration Testing to Maximize Value – James Jardine presents at DerbyCon 6 on how we can improve the penetration testing experience and process to improve security.
- Ninja Developers – Application Security Testing and Your SDLC – James Jardine presents at the Louisville ISSA Conference about Application Security Testing and Your SDLC. James discusses different tools that developers can use to test their applications for security vulnerabilities during the development phase.
- TMI: Attacking SharePoint Servers – James Jardine and Kevin Johnson present at DerbyCon 3 about assessing SharePoint servers.
- Red Dawn: How Small Groups and Organizations Can Protect Themselves – James Jardine and Kevin Johnson discuss how small organizations are targets for attackers and how they can protect themselves.
In the News
- Pokemon Go Security Concerns on News4Jax.com – James talks about some of the security concerns with Pokemon Go and mobile applications in general.
- Avoiding Social Media Hacks on News4Jax.com – James provides tips on protecting your social media accounts.
- Holiday Hackable Gifts on News4Jax.com – James talks about holiday gifts and their security concerns.
- New Credit Card Technology on News4Jax.com – James talks about the new chip technology in credit cards.
- Credit Card Security on News4Jax.com – James talks about credit card security.
- Summer online safety for kids on News4Jax.com – James talks about keeping your children safe online during the summer.
- Holiday Scams on News4Jax.com – James talks about holiday scams.
- Password Protections on News4Jax.com – James talks about protecting your passwords.
Interviews
- Infosec Career Podcast – James talks with Jason Wood about his career and how he got into security.
- PG Podcast – Using Apple Screen Time to limit time and control content for parents and kids on iPhones and iPads
- Infosecurity Magazine – Parting Shots (Q2 2019 Issue) – Discussing the term CyberSecurity
- Purple Squad Security – Episode 23 – Speaking to Developers with James Jardine
- Startup Security Weekly #46
- Security Guy Radio – Interview at Enfuse 2017 talking about application security.
- EIS Podcast – How to hire qualified application security talent – Part 1 – James discusses some tips to hiring application security talent.
- EIS Podcast – How to hire qualified application security talent – Part 2 – James discusses some tips to hiring application security talent.
Videos
- ViewState XSS: What’s the Deal? – James Jardine walks through tampering with unprotected ViewState to perform a Cross-Site Scripting attack.
- ASP.Net EventValidation: Parameter Tampering – James Jardine walks through manipulating the EventValidation parameter of ASP.Net Webforms when it is not properly protected with ViewStateMac.
- ASP.Net Validation Controls: Don’t Forget Page.IsValid – A quick demonstration of why developers must check the Page.IsValid property.
- Testing for ASP.Net Open Redirect – James gives an example of testing for open redirect on an ASP.Net site.
- Installing Cygwin on Windows – A quick introduction to installing the Cygwin environment on a Windows system.
- Installing RatProxy on Windows – A quick introduction to installing RatProxy on Windows. This video builds off of the Cygwin video.
- Laudanum by Example – A quick introduction to the Laudanum tool.
Webcasts
- Application Security: From the Ground Up – James discusses building an application security program and some finer points that must be considered.
- 5 Things to Improve Your Application Security Program – James discusses ways to improve your application security program.
- Introduction to Penetration Testing for Application Teams – James talks about what Penetration Testing is and how the application teams can get involved.
- Ninja Developers: Attack Yourself First – Actively Scanning Your App – James Jardine talks about active scanners developers can use to scan their applications for security flaws during the implementation phase.
- Ninja Developers: Discretely Scan Your Functional Testing – James Jardine and Kevin Johnson talk about the passive scanners developers can use to scan their applications for security flaws during the implementation phase.
Security Documents
- CSRF Workflow – Workflow describing ASP.Net Webform Cross Site Request Forgery (CSRF) testing.
- HTML Encoding in .Net – Document describing the different .Net methods to HTMLEncode output.
Tools
- FXCop – Analysis tool for managed code assemblies.
- CAT.NET – Code analysis tool for managed assemblies used to identify common attack vectors.
- StyleCop – Code analysis tool for managed assemblies used to identify style and consistency rules.
- Microsoft SDL Regex Fuzzer – Free tool to check regular expressions for being vulnerable to denial of service (ReDoS). Read more at OWASP.
- Microsoft Secure Development Lifecycle Site – This is Microsoft's main SDL web page. This page contains important links to the SDL document as well as tools and other resources.
- Web Protection Library – This library is for .Net developers and contains the Anti-XSS library to protect against cross-site scripting (XSS).
- Agnitio – This is a tool to help developers and security professionals conduct manual security code reviews.
- Web.Config Security Analyzer (WCSA) – This tool helps identify security configurations in the web.config file.
- AntiSQLi – This library helps developers write secure SQL query code by providing a simple interface.