AppSec Blog

Seven Tips for Picking a Static Analysis Tool

Stephen J, who is a member of our software security mailing list, asked a while back, "Do you have any recommendations on static source code scanners?" James Jardine and I started talking and came up with the following tips. There are so many commercial static analysis tools from vendors like Armorize, Checkmarx, Coverity, Fortify (HP), …


Apple's iCloud: Thoughts on Security and the Storage APIs

This is a guest post from security researcher Nitesh Dhanjani which follows his previous iOS articles. At the 2011 World Wide Developer Conference in San Francisco, Steve Jobs revealed his vision for Apple's iCloud: to demote the desktop as the central media hub and to seamlessly integrate the user's experience across devices. Apple's iCloud service …


Real and useful security help for software developers

There's lots of advice on designing and building secure software. All you need to do is: Think like an attacker. Minimize the Attack Surface. Apply the principles of Least Privilege and Defense in Depth and Economy of Mechanism. Canonicalize and validate all input. Encode and escape output within the correct context. Use encryption properly. Manage …


Dealing with security vulnerabilities ... er... bugs

A serious problem in many organizations is that the relationship between security and development is marred by blame, mistrust, evasion and lack of understanding. One result of this is that development teams (and their business sponsors) don't take ownership of understanding and managing software security risks, and often try to ignore vulnerabilities or hide them. …


Commenting Server Controls in ASP.Net

How often do you just use an HTML comment to remove old code, or new functionality that isn't ready yet? Are HTML comments effective for ASP.Net server controls? From a pure development context, they probably are. When we factor in security, they no longer provide the functionality that was intended. This post will explain an …