AppSec Blog

The Security Impact of HTTP Caching Headers

[This is a cross post from https://isc.sans.edu ] Earlier this week, an update for Media-Wiki fixed a bug in how it used caching headers [2]. The headers allowed authenticated content to be cached, which may lead to sessions being shared between users using the same proxy server. I think this is a good reason to … Continue reading The Security Impact of HTTP Caching Headers


WhatWorks in AppSec: ASP.NET - Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts

Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet facing web applications. Eric has spent nine years working in software development with over five years focusing … Continue reading WhatWorks in AppSec: ASP.NET - Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts


WhatWorks in AppSec: Log Forging

Help!!! Developers are going blind from Log Files! This is a post by Sri Mallur, an instructor with the SANS Institute for SANS DEV541: Secure Coding in Java EE: Developing Defensible Applications.Sri is a security consultant at a major healthcare provider who has over 15 years of experience in software development and information security. He … Continue reading WhatWorks in AppSec: Log Forging


Security Testing: Less, but More Often can make a Big Difference

Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were: No security testing policy for critical apps: 13.5% Only when applications are updated, patched or changed: 21.3% Annually: 14.3% Every 3 months: 18.0% … Continue reading Security Testing: Less, but More Often can make a Big Difference


Ask the Expert - Jim Manico

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series. 1. Although SQL Injection continues to be one of the most commonly exploited security vulnerabilities … Continue reading Ask the Expert - Jim Manico