Laying a foundation for developer security training is not an easy task. Those of us that have worked in the information security world long enough have seen the roadblocks: Development teams do not have enough time The project does not provide enough funding The organization does not have the expertise to create a training program … Continue reading Developer Security Awareness: Why Do We Care?
Continuously ranked in the OWASP Top Ten, a large majority of the development community still doesn't understand Cross-Site Request Forgery (CSRF). After years of penetration tests and code reviews, my experiences show that a high percentage of applications, especially new applications, do not have proper CSRF protections in place. This post provides a refresher on … Continue reading Demystifying Cross-Site Request Forgery
To address security defects developers typically resort to fixing design flaws and security bugs directly in their code. Finding and fixing security defects can be a slow, painstaking, and expensive process. While development teams work to incorporate security into their development processes, issues like Cross-Site Scripting (XSS) continue to plague many commonly used applications. In … Continue reading How to Prevent XSS Without Changing Code
We are excited to announce the new WhatWorks in Application Security Poster! The front side of the poster focuses on why application security is important to any organization and the critical steps needed to make an application security program successful, including: Design: Review security requirements, security architecture, secure coding standards, and the tools your team … Continue reading WhatWorks in Application Security Poster
Steve Kosten is an instructor with the SANS Institute for DEV541: Secure Coding in Java/JEE. Password Storage Mistakes I was visiting a web site recently that I haven't visited in many, many years. I tried a few old passwords I used to use before I started using a password storage system, but no luck. I … Continue reading Password Storage Mistakes