AppSec Blog

Forms Authentication: Remember Me? It's Hard Not To!

ASP.Net Forms Authentication is a great way to authenticate users for an application. Microsoft has done a really good job of implementing it so that it is simple and straightforward for developers. Forms Authentication allows a user to enter their user name / password combination for an application and have that validated against a backend … Continue reading Forms Authentication: Remember Me? It's Hard Not To!
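As an added illustration of the flow the teaser describes (this is not code from the original post), here is a minimal ASP.NET Web Forms login handler. The control names (txtUser, txtPassword, chkRememberMe, lblError) and the use of the Membership provider as the "backend" are assumptions made for the example; the point to notice is that the entire "Remember Me" decision is a single boolean passed to Forms Authentication.

```csharp
// Added example, not code from the original post. A minimal ASP.NET Web Forms
// login handler using Forms Authentication. The page controls (txtUser,
// txtPassword, chkRememberMe, lblError) and the use of the Membership
// provider as the credential "backend" are assumptions for illustration.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();

        // Validate the user name / password pair against the configured
        // membership provider. Keep the failure message generic so it does
        // not reveal whether the user name exists.
        if (!Membership.ValidateUser(user, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // The "Remember Me" decision is the second argument: true writes a
        // persistent cookie that outlives the browser session, false writes
        // a session cookie. In either case the ticket expiry is bounded by
        // the <forms timeout="..."> value in web.config.
        bool rememberMe = chkRememberMe.Checked;

        // RedirectFromLoginPage issues the authentication ticket and honours
        // the ReturnUrl query string only for URLs inside this application
        // (cross-application targets are refused unless
        // enableCrossAppRedirects is explicitly enabled).
        FormsAuthentication.RedirectFromLoginPage(user, rememberMe);
    }
}
```

The settings that actually govern how long a remembered user stays logged in live in web.config, for example `<forms loginUrl="~/Login.aspx" timeout="30" slidingExpiration="false" requireSSL="true" />`. Since .NET 2.0 a persistent cookie expires after `timeout` minutes rather than living indefinitely, `slidingExpiration="false"` stops each request from renewing it, and `requireSSL="true"` marks the cookie Secure (Forms Authentication already sets HttpOnly on it). When reviewing a "Remember Me" feature, check those three attributes before anything else.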


What's the point of application pen testing?

Penetration testing is one of the bulwarks of an application security program: get an expert tester to simulate an attack on your system, and see if they can hack their way in. But how effective is application penetration testing, and what should you expect from it? Gary McGraw in Software Security: Building Security In says … Continue reading What's the point of application pen testing?


AppSec at RSA 2012 Conference

I attended the RSA conference last week in San Francisco for the first time, and enjoyed the city. Excellent restaurants like Slanted Door, Canteen, Barbacco and especially Commonwealth, the Wharf, Chinatown, the almost perfect weather. I was surprised at the scale of the conference, the impressive number of IT security professionals who came from everywhere, … Continue reading AppSec at RSA 2012 Conference


Agile Development Teams CAN build secure software

Agile Development Doesn't Create Secure Software questions whether Agile development teams can build secure code. It mostly references a study on small- and medium-sized Agile development teams, which found that Agile teams don't take security seriously even when building systems that are "web-facing and potential targets of attack". This isn't surprising. We already know that … Continue reading Agile Development Teams CAN build secure software


Software Security starts with Software Quality

In Software Security: Building Security In, Cigital's Gary McGraw breaks software security problems down into roughly equal halves. One half of security problems are security design flaws: missing authorization, doing encryption wrong or not using encryption at all when you are supposed to, not handling passwords properly, not auditing the right data, relying … Continue reading Software Security starts with Software Quality