It was just recently announced that Apple will no longer be supporting QuickTime for Windows. Just like any other software, when support has ended, the software becomes a security risk. As a matter of fact, there are current known vulnerabilities in QuickTime that will never get patched. The Department of Homeland Security has an alert recommending removal of QuickTime for Windows. For users, it may seem simple: Uninstall QuickTime from your Windows system. But wait.. what about software … [Read more...] about Reliance on 3rd Party Components
developer security
The Hidden Reason for Switching to HTTPS
If you run a website, you have probably debated on whether or not you need to make the switch to HTTPS instead of using HTTP. For those that still don't know, HTTPS is the encrypted version of HTTP. This is typically seen on banking sites, touted to protect your sensitive information when transmitted between you (your browser) and the application. I wrote on this topic about a year ago in the post: Is HTTP being left behind for HTTPS? Back then there was a big push for making the switch … [Read more...] about The Hidden Reason for Switching to HTTPS
Application Registry: Knowing Your Assets
If an auditor asked you what applications exist on your network, how accurate do you think your answer would be? Do you have a repository or registry of the applications your company maintains? A good application security program starts with knowing what you have. Without this knowledge it is very difficult to understand the risk the applications bring to the company. Depending on the maturity of your application security program, the way that applications are registered can be very … [Read more...] about Application Registry: Knowing Your Assets
Does the End of an Iteration Change Your View of Risk?
You have been working hard for the past few weeks or months on the latest round of features for your flagship product. You are excited. The team is excited. Then a security test identifies a vulnerability. Balloons deflate and everyone starts to scramble. Take a breath. Not all vulnerabilities are created equal and the risk that each presents is vastly different. The organization should already have a process for triaging security findings. That process should be assessing the risk of the … [Read more...] about Does the End of an Iteration Change Your View of Risk?
Sharing with Social Media
Does your application provide a way for users to share their progress or success with others through social media? Are you thinking about adding that feature in the future? Everyone loves to share their stories with their friends and colleagues, but as application developers we need to make sure that we are considering the security aspects of how we go about that. Take-Aways Use the APIs when talking to another service Don't accept credentials to other systems out of your control Check … [Read more...] about Sharing with Social Media
Password Storage Overview
Start reading the news and you are bound to read about another data breach involving user credentials. Whether you get any details about how the passwords (that were stolen) were stored, we can assume that in many of these cases that they were not well protected. Maybe they were stored in clear text (no, it can't be true), or use weak hashes. Passwords hold the key to our access to most applications. What are you doing to help protect them? First, lets just start with recommending that the … [Read more...] about Password Storage Overview