AppSec Blog: Author - Frank Kim

Top 25 Series - Rank 10 - Missing Encryption of Sensitive Data

Entry #10 on the CWE/SANS Top 25 is CWE-311: Missing Encryption of Sensitive Data [1]. In a previous post [2] we discussed how we obtained command line access to the server. As a result, we could now conduct any number of malicious activities. But, our primary goal was to retrieve confidential customer information. Navigating around …


Top 25 Series - Rank 9 - OS Command Injection

Entry #9 on the new CWE/SANS Top 25 is about OS Command Injection [1]. It's officially called Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection'), but I prefer to keep the title short when describing it. In a previous post [2] we had just gained access to the application by …


Top 25 Series - Rank 19 - Missing Authentication for Critical Function

One of the most blatant examples I've seen of weak or missing authentication occurred with the online dating site SpeedDate.com. For a brief period of time, passwords were not even required to log in to the application [1]. All you needed was the user id and a blank password and you would be signed on …


Mobile Application Security Webcast - Win a Free Book

The good folks at iSec Partners have written a new book called "Mobile Application Security" and one of the authors, Chris Clark, will be giving a webcast on that very topic. "The day when everyone has a PC in their pocket has arrived and developers are rushing to create mobile applications to meet demand. This …


Webcast on Next Gen Application Attacks

I'm really looking forward to a webcast titled "The Porous Castle: Next Generation Application Attacks" by Nitesh Dhanjani. I spoke to Nitesh and he said it was OK for me to say that he'll be revealing details of a very cool zero-day on an extremely well known web site. Nitesh will discuss the impact of …