Does your application have a login form? Do you deliver it over HTTPS to protect the username and password while being transmitted to the server? If you answered yes to both of those questions, are you sure? Many years ago, before there was a huge push for HTTPS all the time, it was common practice for many applications to load a login form using HTTP, but then submit the form over HTTPS. This was accomplished by setting the action attribute of the form to the full HTTPS version of … [Read more...] about Login Forms and HTTP
security
Does SAST and DAST Really Require Security Experts To Run Them?
There is no argument that automated tools help quickly identify many of the vulnerabilities found in applications today. Tools are typically categorized into one of the following three categories: Dynamic Application Security Testing (DAST) - analyzes the running application. Static Application Security Testing (SAST) - analyzes the source or byte code of the application. Interactive Application Security Testing (IAST) - uses agents installed on the web server to instrument the application … [Read more...] about Does SAST and DAST Really Require Security Experts To Run Them?
How Serious is Username Enumeration
Looking through Twitter recently, I caught a very interesting stream that started with the following message: What's the deal with the enumeration exclusions on all the @bugcrowd bounties. Clients just don't want to fix?— Stephen Haywood (@averagesecguy) July 26, 2016 There were quite a few replies, and a good discussion on the topic of the seriousness of username enumeration flaws. 140 characters is difficult to share a lot of thoughts, so I thought this would actually be … [Read more...] about How Serious is Username Enumeration
Should Password Change Invalidate All Access Tokens?
Passwords are a part of our every day life. It is no wonder they are under such scrutiny, with many breaches focusing on them. We all know how to manage our passwords, or at least we should by now. We know that we should change our passwords every once in a while, especially if we believe they may have been a part of a recent breach. What about those access tokens? Access tokens are typically used by your mobile devices to access your account without the need for you to enter in your username … [Read more...] about Should Password Change Invalidate All Access Tokens?
Understanding the “Why”
If I told you to adjust your seat before adjusting your mirror in your car, would you just do it? Just because I said so, or do you understand why there is a specific order? Most of us retain concepts better when we can understand them logically. Developing applications requires a lot of moving pieces. An important piece in that process is implementing security controls to help protect the application, the company, and the users. In many organizations, security is heavily guided by an … [Read more...] about Understanding the “Why”
ImageMagick – Take-aways
Do your applications accept file uploads? More specifically, image uploads? Do you use a site that allows you to upload images? If you haven't been following the news lately, there was recently a few vulnerabilities found in the ImageMagick image library. This library is very common in websites to perform image processing. The vulnerability allows remote code execution (RCE) on the web server, which is very dangerous. For more specific details on the vulnerability itself, check out this … [Read more...] about ImageMagick – Take-aways