AppSec Blog: Author - Frank Kim

How Not to Store Passwords in iOS

The WordPress iOS App I was looking for an open source iOS application and quickly came across the WordPress app. Once you log in to your WordPress blog via the app your credentials are then stored on the device itself. If done correctly this is not necessarily a bad thing. However, the WordPress app's implementation … Continue reading How Not to Store Passwords in iOS


Seven Security (Mis)Configurations in Java web.xml Files

There are a lot of articles about configuring authentication and authorization in Java web.xml files. Instead of rehashing how to configure roles, protect web resources, and set up different types of authentication let's look at some of the most common security misconfigurations in Java web.xml files. 1) Custom Error Pages Not Configured By default Java … Continue reading Seven Security (Mis)Configurations in Java web.xml Files


Hacking, Reviewing, and Fixing a Real-World Open Source Web App

A few weeks ago I finished a big update to Secure Coding in Java/JEE (DEV541) which has a new day dedicated to hacking, reviewing, and fixing the code of a real-world open source web application written in Java. It's an introduction to security in the SDLC and is similar to the "Capture and Defend the … Continue reading Hacking, Reviewing, and Fixing a Real-World Open Source Web App


Free AppSec Webcasts

Here are some recent appsec webcasts for your viewing pleasure: - Web Application Threats: Combining XSS and CSRF to own the world! Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, "how they can be used to exploit users and applications, how to find them and what their combined power can accomplish." … Continue reading Free AppSec Webcasts


Hard-Coded Password in Critical SCADA Software

Wired reports that a new piece of malware is using a hard-coded password in Siemens' Simantic WinCC SCADA system to access the underlying MS SQL Server database which contains information used to manage critical utilities and manufacturing facilities. The article quotes Joe Weiss as saying "Well over 50 percent of the control system suppliers" have … Continue reading Hard-Coded Password in Critical SCADA Software