AppSec Blog

REST Security Protections

Greg Leonard is an instructor with the SANS Institute for DEV541: Secure Coding in Java/JEE. REST Security Protections Representational State Transfer (REST) has become popular in modern web application development. They take advantage of HTTP, a well established web communication protocol, and provide a simple-to-understand framework for delivering a flexible and highly performant content delivery … Continue reading REST Security Protections


The Google Cross-Site Scripting Challenge

If you didn't know already, Google takes its application security seriously, especially when it comes to Cross-Site Scripting. They already have a Vulnerability Rewards Program and XSS Learning Documentation posted on their application security site. A few weeks ago, I saw some chatter on Twitter about a new approach for teaching folks about Cross-Site Scripting: … Continue reading The Google Cross-Site Scripting Challenge


LinkedIn OAuth Open Redirect Disclosure

During a recent mobile security engagement, I discovered an Insecure Redirect vulnerability in the LinkedIn OAuth 1.0 implementation that could allow an attacker to conduct phishing attacks against LinkedIn members. This vulnerability could be used to compromise LinkedIn user accounts, and gather sensitive information from those accounts (e.g. personal information and credit card numbers). The … Continue reading LinkedIn OAuth Open Redirect Disclosure


Survey on Application Security Programs - Webcast and Paper

For the second year in a row Jim Bird and I have helped SANS put together a "Survey on Application Security Programs and Practices". We asked some of the same questions as the previous year, just in a different way. Some interesting trends this year, as taken from the executive summary of the soon to … Continue reading Survey on Application Security Programs - Webcast and Paper


HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present about how to use HTML5 to improve security at the recent OWASP APPSEC USA Conference in New York City. OWASP now made a video of the talk available on YouTube for anybody interested. http://www.youtube.com/watch?v=fzjpUqMwnoI Continue reading HTML5: Risky Business or Hidden Security Tool Chest?