AppSec Blog: Category - Uncategorized


WhatWorks in Application Security Poster

We are excited to announce the new WhatWorks in Application Security Poster!

The front side of the poster focuses on why application security is important to any organization and the critical steps needed to make an application security program successful, including:

  • Design: Review security requirements, security architecture, secure coding standards, and the tools your team can use to create secure software design from the beginning
  • Test: Methods for testing your applications including dynamic analysis and static analysis tools, plus checklists for evaluating commercial tools and third-party penetration testing firms
  • Fix: Covers code remediation and identifies some products that can be used for virtual patching
  • Govern: Secure SDLC processes, metrics and reporting, and evaluating application security training

On the reverse side, the Securing Web Application Technologies (SWAT) checklist provides an

...

HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present on how to use HTML5 to improve security at the recent OWASP APPSEC USA Conference in New York City. OWASP has now made a video of the talk available on YouTube for anybody interested.

http://www.youtube.com/watch?v=fzjpUqMwnoI


AppSec at RSA 2012 Conference

I attended the RSA conference last week in San Francisco for the first time, and enjoyed the city: excellent restaurants like Slanted Door, Canteen, Barbacco and especially Commonwealth, the Wharf, Chinatown, and the almost perfect weather.

I was surprised at the scale of the conference, the impressive number of IT security professionals who came from everywhere, and the even more impressive number of technology vendors represented. The exhibition floor was overwhelming: huge booths with their own bars and free drinks, lovely booth bunnies in racing suits and blue wigs, race cars, a robot, a real sumo wrestler, lots of games and contests, even a "beat the freak" - a chance to put on gloves and beat on a salesman. Most of the technology was targeted to the enterprise of course, SIEM systems and enterprise ID management systems, and highly scalable next generation and next next generation firewalls, and lots of endpoint security solutions. And vulnerability scanning technology of

...

Spot the Vuln - Shape

I was scared I was going to have some weird shape to my head and I was pleased that I didn't.
Edward Furlong

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real-world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications.
...

Spot the Vuln - Third

Sullivan's Law: When given the choice between two alternatives, always pick the third!
Patrick H. Sullivan




insert( $ninja_annc_table_name, array( 'begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'active' => '0', 'location' => $ninja_annc_location ) );
}else{
$wpdb->update( $ninja_annc_table_name, array( 'begindate'

...