Application security should be on the mind of anyone that is part of the application design/build process. That means architects, developers, application owners, QA testers, business analysts and even end users. Everyone of these positions plays a role in the security of the applications. Depending on the organization, the roles can be quite different. You must understand the roles of these positions from a development perspective to really understand how they fit into the security aspect … [Read more...] about SDLC: Understanding your Roles
developer
Beware the Edge Cases: Master the Fundamentals
Have you seen some of the cool things that hackers can do? I remember a few years back when they created the BlueSniper Rifle, a device that could allow picking up a BlueTooth signal from up to a mile away. That is pretty impressive for a technology that was meant to be used at a distance of just a few meters. This is just one example of ways that hackers have found ways to bypass the limits of a technology. Some of these things you may have never heard of, whereas some are picked up by the … [Read more...] about Beware the Edge Cases: Master the Fundamentals
Amazon XSS: Thoughts and Takeaways
It was recently identified, and Amazon was quick (2 days) to fix it, that one of their sites was vulnerable to cross-site scripting. Cross-site scripting is a vulnerability that allows an attacker to control the output in the user's browser. A more detailed look into cross-site scripting can be found on the OWASP site. Take-Aways QA could have found this Understand your input validation routines Check to make sure the proper output encoding is in place in every location user supplied … [Read more...] about Amazon XSS: Thoughts and Takeaways
Is HTTP being left behind for HTTPS?
A few years ago, a FireFox plugin was created called FireSheep. This tool was designed to sniff network traffic looking for common websites that were being visited over HTTP. HTTP sends the traffic between your system and the server in clear text. If it found a request/response of an authenticated user, it would capture the session cookie and allow the user of FireSheep to hijack the current session. While the site most likely performed the initial authentication with the … [Read more...] about Is HTTP being left behind for HTTPS?
Input Validation: Keep It Simple
Attackers take advantage of an application by manipulating the inputs to the system. For example, a first name field or even a request header like the user-agent. Applications wouldn't be very useful if they didn't accept any input from the end user. Unfortunately, this is the key attack vector. One of the basic techniques used to help protect a system is to us input validation, which assesses the input to determine if it is should be accepted. Many development groups have fought with the … [Read more...] about Input Validation: Keep It Simple
3rd Party CMS Security
One of the easiest ways to get content available on the Internet is to use a 3rd party content management system (CMS). These systems vary and are usually fairly simple to set up. There is no requirement for any technical knowledge and you can have content up and available within minutes in some cases. No need for that pesky HTML coding or web site management. One of the most common CMS platforms is WordPress (https://wordpress.com). Of course there are many other systems available, but it … [Read more...] about 3rd Party CMS Security