AppSec Blog: Author - Jason Lam

GWEB - Web Application Security Certification

GIAC is launching a new certification for developers and application security professionals involved in defending web applications. As the author of the corresponding course, DEV522, I was invited to beta test the exam. So, while I have a related interest, this isn't my baby. This certification exam is fantastic - it is tough. To pass …


HTTP headers fun

Cross posted from SANS ISC. Not sure if you have seen our latest pet project - HTTP Headers. This is ISC's effort to track the HTTP response headers returned by major sites on the Internet. Our main goal at this point is to monitor the use of security-related headers. However, we are collecting all headers in …


Exchanging and sharing of assessment results

[Cross posted from SANS ISC] Penetration tests and vulnerability assessments are becoming more common across the whole industry as organizations find that they need to demonstrate a certain level of security for their infrastructure and applications. The need to exchange test result information is also increasing substantially. External parties ranging from business partners and clients to regulators may …


Top 25 Series - Rank 23 - Open Redirect

Open redirect (CWE-601) makes phishing attacks more effective. Redirection is used throughout web applications for various purposes. From the login page, it is common practice to redirect the user to another page once they have logged in. Sometimes the user goes directly to a content page and is redirected to …
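Worked example added here (not code from the original post): the post-login redirect described above in its open-redirect form beside a hardened version. The `?next=` parameter name and the `ALLOWED_HOSTS` allow-list are assumptions for the example; the hardened check accepts only site-absolute paths or http(s) URLs to an allow-listed host, and it rejects the bypass shapes a pentester would try first (protocol-relative `//host`, backslash paths, `user@host`, scheme-only `https:host`, CRLF).

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: external hosts the application
# is willing to send users to. A real application would load this from
# configuration; these names are assumptions, not from the original post.
ALLOWED_HOSTS = {"www.example.com", "sso.example.com"}


def vulnerable_redirect_target(raw):
    """The open-redirect pattern (CWE-601): the value of ?next= (or
    ?returnUrl=, ?goto=, ...) is placed in the Location header unchanged,
    so https://www.example.com/login?next=https://evil.example/ sends a
    user who trusted the example.com link straight to the phishing site."""
    return raw


def safe_redirect_target(raw, default="/"):
    """Return a redirect target the application is willing to use.

    Accepts only site-absolute paths ("/account") or absolute http(s) URLs
    whose host is on ALLOWED_HOSTS; anything else falls back to `default`.
    """
    if not raw:
        return default
    # Control characters (CR/LF/TAB, space) and backslashes are rejected
    # outright: urlsplit() silently drops some of them, and browsers treat
    # "\" as "/", so "/\evil.example" would otherwise pass as a local path.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw) or "\\" in raw:
        return default

    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute URL, or protocol-relative "//evil.example" (empty scheme,
        # non-empty netloc). Only http(s) to an allow-listed host passes.
        # parts.hostname is lower-cased and has any "user@" prefix removed,
        # so "https://www.example.com@evil.example/" is judged on
        # "evil.example", and "https:evil.example" has no host at all.
        if parts.scheme not in ("http", "https"):
            return default
        if parts.hostname not in ALLOWED_HOSTS:
            return default
        return raw

    # Relative reference: require exactly one leading "/" so the result is
    # a path on this origin, never a protocol-relative URL.
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    return raw
```

If the application never needs to send users off-site, drop the absolute-URL branch entirely and accept only the single-slash path form; the allow-list exists only for the SSO-style cases where an external hop is genuinely required.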


Top 25 Series - Rank 21 - Incorrect Permission Assignment for Critical Resource

Incorrect Permission Assignment for Critical Resource (CWE-732) is a complicated name for a problem that is easy to understand. Unless you go out of your way to take a few steps to secure your resources, they are probably not secured by default. Often enough in development, the responsibility to secure resources and components of …
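Worked example added here (not from the original post) of the "not secured by default" point using the most common CWE-732 resource, a file holding a secret: the default creation path leaves the mode to the process umask, the explicit path asks for owner-only bits at creation time, and a small audit walk reports files that ended up exposed. File names, the `.key`/`.pem`/`.env` secret heuristic and the scratch directory are constructed for the example; POSIX permission semantics are assumed.

```python
import os
import stat
import tempfile


def create_secret_insecurely(path, data):
    """The CWE-732 pattern: rely on the defaults. open() creates the file
    with mode 0o666 masked only by the process umask, so with the usual
    umask 022 the secret is world-readable (0o644)."""
    with open(path, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_secret_securely(path, data):
    """Go out of the way: request owner-only permissions at creation time
    (no window in which the file exists with looser bits) and refuse to
    open a file someone else pre-placed at that path (O_EXCL)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def current_umask():
    """Read the umask without changing it (umask() can only set-and-return)."""
    old = os.umask(0)
    os.umask(old)
    return old


def find_overexposed(root, treat_as_secret=lambda name: name.endswith((".key", ".pem", ".env"))):
    """Audit helper: walk `root` and report files that are world-writable,
    or that look like secrets (by name, a constructed heuristic) yet are
    readable by group or others. Returns (path, octal mode, reason) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "world-writable"))
            elif treat_as_secret(name) and mode & 0o077:
                findings.append((path, oct(mode), "secret readable by group/others"))
    return findings


def demo():
    """Create both variants in a scratch directory and return
    (insecure_mode, secure_mode, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        insecure = create_secret_insecurely(os.path.join(tmp, "api.key"), "constructed-secret")
        secure = create_secret_securely(os.path.join(tmp, "db.key"), "constructed-secret")
        # A config file somebody chmod'ed wide open while debugging; chmod
        # ignores the umask, so this is exposed regardless of environment.
        sloppy = os.path.join(tmp, "app.conf")
        with open(sloppy, "w") as fh:
            fh.write("debug=true\n")
        os.chmod(sloppy, 0o666)
        findings = find_overexposed(tmp)
    return insecure, secure, findings


if __name__ == "__main__":
    insecure_mode, secure_mode, report = demo()
    print("default open():", oct(insecure_mode), "explicit 0o600:", oct(secure_mode))
    for entry in report:
        print(*entry)
```

The same lesson applies to the other resources CWE-732 covers (directories, IPC sockets, registry keys, shared-memory segments): set the permission in the creating call rather than tightening it afterwards, and keep an audit like `find_overexposed` in CI so a developer's debugging `chmod` does not ship.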