Attackers take advantage of an application by manipulating the inputs to the system. For example, a first name field or even a request header like the user-agent. Applications wouldn't be very useful if they didn't accept any input from the end user. Unfortunately, this is the key attack vector. One of the basic techniques used to help protect a system is to us input validation, which assesses the input to determine if it is should be accepted. Many development groups have fought with the … [Read more...] about Input Validation: Keep It Simple
security testing
Sensitive Data and Storage Issues
Do you know what constitutes sensitive data in your organization? How about in your state or industry? As developers or business analysts we often do not follow the nitty gritty details of sensitive information regulations or laws. Not that we don't want to enforce them, but often times I think we often just don't know about them. It is often thought that the CIO, CISO or a privacy officer is responsible for understanding our data and to what level it needs to be protected. I completely … [Read more...] about Sensitive Data and Storage Issues
Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways
It was recently announced that there was a flaw identified (and since fixed) in the Verizon API that allowed access to Verizon customer email accounts. The way this worked was that there was an ID parameter with the email account's user ID specified. If a user supplied a different user's ID name, that user's email account would be returned. This is known as an Insecure Direct Object Reference. It was also found that the attacker could not only read another user's email, but also send email … [Read more...] about Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways
MoonPig Take-Aways
It was recently released that there were some security concerns with how the Moonpig, an online greetings card company in the UK, utilizes their API for mobile applications. From the public disclosure of a vulnerability found in their API it may be possible for a user to see other user’s personal information, including last 4 of their credit card number, expiration date and name. This is a great opportunity to look at some of the security issues and how they can be avoided in your … [Read more...] about MoonPig Take-Aways
Welcome
Welcome to the brand new DevelopSec website. The goal of this site is to provide useful information for IT professionals to help develop better security practices. All too often, we see that there are professionals that are working very hard to create great products, but do not have the security information they need. Breaches are happening every day and many wonder why it matters. We hope to make an impact and show how we can learn from the breaches or other security incidents that occur so … [Read more...] about Welcome