AppSec Blog

AppSec Blog

Cloud Encryption Options - Good for Compliance, Not Great for Security

Guest Editor: Today's post is from David Hazar. David is a security engineer focusing on cloud security architecture, application security, and security training. In this post, David will take a look at the encryption options for applications hosted in the cloud.

Over the last decade, due to new compliance requirements or contractual obligations, many, if not most, companies have been implementing encryption to better protect the sensitive data they are storing and to avoid having to report a breach if an employee loses a laptop or if backup media is lost in the mail. One of the more popular ways of adding this additional protection is to implement some form of volume-based, container-based, or whole-disk encryption. It would be difficult to argue that there is an easier, more cost-effective method to achieve compliance than to utilize this type of encryption. Also, although there are potential weaknesses to some implementations of the technology, it is pretty

...

ASP.NET MVC: Data Validation Techniques

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the data validation features built into the ASP.NET MVC framework.

Data validation is one of the most important aspects of web app development. Investing effort into data validation makes your applications more robust and significantly reduces potential loss of data integrity.

Out of the box, the ASP.NET MVC framework provides full support of special components and mechanisms on both the client side and the server side.

Client-Side Validation
Enabled Unobtrusive JavaScript validation allows ASP.NET MVC HTML helper extensions to generate special markup to perform validation on the client side, before sending data to the server. The feature is controlled by the "UnobtrusiveJavaScriptEnabled" Boolean setting in the section.

Let's have a look at the Register page from the SecureWebApp

...

ASP.NET MVC: Using Identity for Authentication and Authorization

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the authentication and authorization security features built into the ASP.NET MVC framework.

Implementing authentication and authorization mechanisms into a web application with a powerful ASP.NET Identity system has become a trivial task. The ASP.NET system was originally created to satisfy membership requirements, covering Forms Authentication with a SQL Server database for user names, passwords and profile data. It now includes a more substantial range of web application data storage options.

One of the advantages of the ASP.NET system is its two-folded usage: it may be either added to an existing project or configured during the creation of an application. ASP.NET Identity libraries are available

...

2015 State of Application Security: Closing the Gap

The 2015 SANS State of Application Security Analyst Paper and webcasts are complete. This year, Jim Bird, the lead author of the SANS Application Security Survey series, Frank Kim, and I all participated in writing the questions, analyzing the results, drafting the paper, and preparing the webcast material.

In the 2015 survey, we split the survey into two different tracks: defenders and builders. The first track focused on the challenges facing the defenders who are responsible for risk management, vulnerability assessment, and monitoring. The second track focused on the challenges facing the builders responsible for application development, peer reviews, and production support.

Overall, we had 435 respondents, 65% representing the defenders and 35% representing the builders. Based on the results, the communication barriers between defenders and builders are shrinking. But, there is still work that needs to be done:

Defenders and builders are ...

DevOps is Killing Maintenance. Lets Celebrate.

DevOps probably isn't killing developers.

But it is changing how people think about development - from running projects to a focus on building and running services. And more importantly, DevOps is killing maintenance, or sustaining engineering, or whatever managers want to call it. And that's something that we should all celebrate.

High-bandwidth collaboration and rapid response to change in Agile put a bullet in the head of offshore development done by outsourced CMMI Level 5 certified development factories. DevOps, by extending collaboration between development teams and operations teams and by increasing the velocity of delivery to production (up to hundreds or even thousands of times per day), and by using real feedback from production to drive development priorities and design

...