AppSec Blog

AppSec Blog

Developer Security Awareness: What Topics To Cover

In our last post (Is Security Your Top Priority), we discussed improving the security of our organizations with security awareness training for development teams. Now let's talk about the security training we should provide.

What Topics To Cover

All team members have different knowledge levels of the various threats facing our applications. Some have received little or no application security training. Some may have taken a few courses in college that mentioned some common security issues. A few may have received in-depth application security training from a previous employer. The only way to guarantee everyone is on the same page is to establish a common baseline for all team members.

The first step is covering the fundamental aspects of application

...

Developer Security Awareness: Is Security Your Top Priority?

In the last post (Developer Security Awareness: Why Do We Care?), we discussed what we should take away from publicized security events. Let's discuss why we are failing, and what we can do to make it better.

Why are we failing?

Software has become a requirement across all industries in today's world. Every market is included, from finance to travel, industrial, healthcare, retail, entertainment, and many more. Everyone is realizing the benefit of automating tasks and accessing information using laptops and mobile devices from home, the office, or virtually anywhere.

The teams working on these applications are given rigid deadlines and are working long hours to meet the demands of their stakeholders. During these times, security vulnerabilities are accidentally introduced as

...

Developer Security Awareness: Why Do We Care?

Laying a foundation for developer security training is not an easy task. Those of us that have worked in the information security world long enough have seen the roadblocks:


  • Development teams do not have enough time

  • The project does not provide enough funding

  • The organization does not have the expertise to create a training program

  • It's more important to release new features.


Anyone reading this post has likely heard reasons similar to this for not taking action. In this multi-part blog post, we will show you how to get started and what developer security awareness training could look like inside your organization.

What have we learned from the past?

The headlines from the past year alone should be more than enough ammo to convince anyone in your organization that you NEED an application security program.


  • The Heartbleed OpenSSL bug affected web
...

Demystifying Cross-Site Request Forgery

Continuously ranked in the OWASP Top Ten, a large majority of the development community still doesn't understand Cross-Site Request Forgery (CSRF). After years of penetration tests and code reviews, my experiences show that a high percentage of applications, especially new applications, do not have proper CSRF protections in place. This post provides a refresher on CSRF and provides a common defense for this issue.

The Exploit

CSRF occurs when an application trusts that all requests originating from the user's browser are user-directed actions. Imagine that you are logged into your bank's online portal. The application requires users to authenticate and passes a session cookie back to the browser. Subsequent requests made to the banking site must contain the session cookie, allowing the site to identify the user and perform the requested action.

What if an attacker could send a fake request using the victim's browser?

Suppose an attacker wants to

...

How to Prevent XSS Without Changing Code

To address security defects developers typically resort to fixing design flaws and security bugs directly in their code. Finding and fixing security defects can be a slow, painstaking, and expensive process. While development teams work to incorporate security into their development processes, issues like Cross-Site Scripting (XSS) continue to plague many commonly used applications.

In this post we'll discuss two HTTP header related protections that can be used to mitigate the risk of XSS without having to make large code changes.

HttpOnly
One of the most common XSS attacks is the theft of cookies (especially session ids). The HttpOnly flag was created to mitigate this threat by ensuring that Cookie values cannot be accessed by client side scripts like JavaScript. This is accomplished by simply appending "; HttpOnly" to a cookie value. All modern browsers support this flag and will enforce that the cookie cannot be accessed by

...