AppSec Blog

HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present about how to use HTML5 to improve security at the recent OWASP APPSEC USA Conference in New York City. OWASP has now made a video of the talk available on YouTube for anybody interested. http://www.youtube.com/watch?v=fzjpUqMwnoI


The Security Impact of HTTP Caching Headers

[This is a cross post from https://isc.sans.edu ] Earlier this week, an update for MediaWiki fixed a bug in how it used caching headers [2]. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to …
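The failure mode in that teaser is worth seeing concretely: a shared forward proxy is allowed to store a response unless the origin says otherwise, and neither a Cookie on the request nor a Set-Cookie on the response forbids storage. The following is an added example, not code from the post or from MediaWiki. It applies the shared-cache storability rules of RFC 7234 section 3 to a response header set, plus a Vary check, and runs them over constructed header sets for a page rendered for a logged-in user. The status code defaults to 200, and the header dicts are invented for illustration.

```python
"""Decide whether a shared HTTP cache (e.g. a corporate forward proxy) may
store a response and hand it to a different user.

Added example, not code from the original post or from MediaWiki. The
header sets at the bottom are constructed for illustration.
"""

# Status codes a cache may store even without explicit freshness information
# (RFC 7231 section 6.1), using heuristic freshness.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def get_header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_cache_control(value):
    """Parse 'max-age=60, private' into {'max-age': '60', 'private': True}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def shared_cache_may_store(headers, status=200, request_has_authorization=False):
    """Storability rules of RFC 7234 section 3 that matter for a *shared* cache.

    Returns True when nothing in the response forbids a proxy from storing it.
    Note what is deliberately absent: a Cookie on the request or a Set-Cookie
    on the response does not make a response unstorable by itself, which is
    exactly why a logged-in page with permissive headers can end up cached.
    """
    cc = parse_cache_control(get_header(headers, "Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False
    # A response to a request that carried Authorization is not stored by a
    # shared cache unless the origin opts in explicitly (RFC 7234 section 3.2).
    if request_has_authorization and not any(
        d in cc for d in ("public", "must-revalidate", "s-maxage")
    ):
        return False
    explicit_freshness = (
        "max-age" in cc or "s-maxage" in cc or bool(get_header(headers, "Expires"))
    )
    return explicit_freshness or "public" in cc or status in CACHEABLE_BY_DEFAULT


def vary_keys_per_user(headers):
    """True if Vary forces the cache to key entries on a per-user request header,
    or is '*', which prevents reuse of the stored response for other requests."""
    vary = {v.strip().lower() for v in get_header(headers, "Vary").split(",") if v.strip()}
    return bool(vary & {"*", "cookie", "authorization"})


def session_may_leak_via_proxy(headers, status=200, request_has_authorization=False):
    """True if a shared cache may both store the response and serve it to a
    different user: the session-sharing scenario described above."""
    return shared_cache_may_store(headers, status, request_has_authorization) and not (
        vary_keys_per_user(headers)
    )


# Constructed sample responses for a page rendered for a logged-in user.
VULNERABLE = {
    "Content-Type": "text/html",
    "Cache-Control": "max-age=3600",            # explicit freshness, no 'private'
    "Set-Cookie": "session=USER_A; HttpOnly",   # does not stop a proxy from storing
}

FIXED = {
    "Content-Type": "text/html",
    "Cache-Control": "private, no-store, max-age=0",
}

NO_HEADERS = {"Content-Type": "text/html"}     # a 200 is cacheable by default


if __name__ == "__main__":
    for name, hdrs in [("vulnerable", VULNERABLE), ("fixed", FIXED), ("no headers", NO_HEADERS)]:
        print(f"{name:12s} may leak across users: {session_may_leak_via_proxy(hdrs)}")
```

Two points the output makes: a response with no caching headers at all is still storable, so "we never set Cache-Control" is not a defence, and Vary: Cookie only partitions the cache per user rather than preventing storage, so for authenticated content `private` (or `no-store`) is the setting to check for in a review.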


WhatWorks in AppSec: ASP.NET - Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts

Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet-facing web applications. Eric has spent nine years working in software development with over five years focusing …


WhatWorks in AppSec: Log Forging

Help!!! Developers are going blind from Log Files! This is a post by Sri Mallur, an instructor with the SANS Institute for SANS DEV541: Secure Coding in Java EE: Developing Defensible Applications. Sri is a security consultant at a major healthcare provider who has over 15 years of experience in software development and information security. He …


Security Testing: Less, but More Often can make a Big Difference

Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were:

    No security testing policy for critical apps: 13.5%
    Only when applications are updated, patched or changed: 21.3%
    Annually: 14.3%
    Every 3 months: 18.0%
    …