AppSec Blog

How to Prevent XSS Without Changing Code

To address security defects developers typically resort to fixing design flaws and security bugs directly in their code. Finding and fixing security defects can be a slow, painstaking, and expensive process. While development teams work to incorporate security into their development processes, issues like Cross-Site Scripting (XSS) continue to plague many commonly used applications. In … Continue reading How to Prevent XSS Without Changing Code


WhatWorks in Application Security Poster

We are excited to announce the new WhatWorks in Application Security Poster! The front side of the poster focuses on why application security is important to any organization and the critical steps needed to make an application security program successful, including: Design: Review security requirements, security architecture, secure coding standards, and the tools your team … Continue reading WhatWorks in Application Security Poster


Password Storage Mistakes

Steve Kosten is an instructor with the SANS Institute for DEV541: Secure Coding in Java/JEE. Password Storage Mistakes I was visiting a web site recently that I haven't visited in many, many years. I tried a few old passwords I used to use before I started using a password storage system, but no luck. I … Continue reading Password Storage Mistakes


REST Security Protections

Greg Leonard is an instructor with the SANS Institute for DEV541: Secure Coding in Java/JEE. REST Security Protections Representational State Transfer (REST) has become popular in modern web application development. They take advantage of HTTP, a well established web communication protocol, and provide a simple-to-understand framework for delivering a flexible and highly performant content delivery … Continue reading REST Security Protections


The Google Cross-Site Scripting Challenge

If you didn't know already, Google takes its application security seriously, especially when it comes to Cross-Site Scripting. They already have a Vulnerability Rewards Program and XSS Learning Documentation posted on their application security site. A few weeks ago, I saw some chatter on Twitter about a new approach for teaching folks about Cross-Site Scripting: … Continue reading The Google Cross-Site Scripting Challenge