AppSec Blog: Tag - application

Checklists, software and software security

There are practical applications of checklists in many different fields. Aviation, project engineering, now even surgery. But what about software? Sure, checklists are sometimes used in code reviews, to good effect. But can we do more, can we get the same thing out of checklists that pilots do, or that surgeons do? Continue reading Checklists, software and software security


IPv6 and your Web Application

If you want to do something now: confirm whether your current web server supports IPv6 or not. Modern operating systems tend to establish IPv6-over-IPv4 tunnels automatically (6to4, Teredo and ISATAP are the usual ones); make sure they are disabled until your application is ready for IPv6. Communicate clearly with your networking team to avoid accidental IPv6 exposure of your application. Finally: get an IPv6 test environment running to get your feet wet. Continue reading IPv6 and your Web Application
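The first two checks above (is anything already listening on IPv6, and is an automatic tunnel active) can be scripted. The following is an added example, not code from the original post: it audits a Linux host from captured command output, so it runs offline on data pulled from a server. The `ss -ltn` column layout, the `/proc/net/if_inet6` format and the tunnel interface names (sit0 for 6to4/ISATAP, teredo for a Miredo client, ip6tnl*) are this example's assumptions; the sample data is constructed.

```python
"""Added example, not code from the original post: an offline IPv6 exposure
audit for a Linux host whose application is not yet ready for IPv6.

Two checks, both driven by captured command output:
  * does anything listen on an IPv6 socket?         (output of `ss -ltn`)
  * is an automatic IPv4-to-IPv6 tunnel active?     (contents of /proc/net/if_inet6)
Assumptions (this example's own): the `ss -ltn` column order used below and
the Linux interface names auto-tunnels usually get.
"""
from __future__ import annotations

import ipaddress
import os
import subprocess

# Interface name prefixes that indicate an IPv6-over-IPv4 tunnel on Linux (assumption).
TUNNEL_PREFIXES = ("sit", "6to4", "tun6to4", "teredo", "isatap", "ip6tnl")


def ipv6_listeners(ss_output: str) -> list[str]:
    """Return the Local Address:Port entries of listening sockets bound to IPv6.

    `ss -ltn` prints IPv6 sockets as "[::]:80" or "[2001:db8::1]:443"; older
    netstat output uses ":::80". A socket on [::] normally also accepts
    IPv4-mapped connections, so it answers on both protocols.
    """
    found = []
    for line in ss_output.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3].startswith(("[", ":::")):
            found.append(fields[3])
    return found


def _host_part(local: str) -> str:
    """'[::1]:5432' -> '::1', ':::80' -> '::'."""
    if local.startswith("["):
        return local[1:local.rindex("]")]
    return local.rsplit(":", 1)[0]


def tunnel_addresses(if_inet6: str) -> list[tuple[str, str]]:
    """Return (interface, address) for every IPv6 address on a tunnel interface.

    /proc/net/if_inet6 has one address per line: 32 hex digits, interface
    index, prefix length, scope, flags, interface name.
    """
    out = []
    for line in if_inet6.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        hexaddr, _index, _prefix, _scope, _flags, name = fields
        if name.startswith(TUNNEL_PREFIXES):
            out.append((name, ipaddress.IPv6Address(int(hexaddr, 16)).compressed))
    return out


def audit(ss_output: str, if_inet6: str) -> dict:
    """Combine both checks into findings a human can act on."""
    listeners = ipv6_listeners(ss_output)
    tunnels = tunnel_addresses(if_inet6)
    findings = []
    for name, addr in tunnels:
        ip = ipaddress.IPv6Address(addr)
        if ip.sixtofour:        # 2002::/16 embeds the public IPv4 it was derived from
            findings.append(f"{name}: 6to4 address {addr} (from IPv4 {ip.sixtofour}) - disable the tunnel")
        elif ip.teredo:         # 2001:0::/32 encodes the Teredo server and client
            findings.append(f"{name}: Teredo address {addr} - disable the tunnel")
        elif not ip.is_link_local:
            findings.append(f"{name}: tunnel address {addr} - find out who configured it")
    external = []
    for local in listeners:
        if ipaddress.IPv6Address(_host_part(local)).is_loopback:
            findings.append(f"listener on {local}: loopback only")
        else:
            external.append(local)
            findings.append(f"listener on {local}: already reachable over IPv6")
    return {"listens_on_ipv6": bool(external), "has_auto_tunnel": bool(tunnels), "findings": findings}


# Constructed sample data (not from a real host) so the script runs offline.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::1]:5432          [::]:*
"""
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021c42fffe123456 02 40 20 80     eth0
2002c0a8010100000000000000000001 03 10 00 80     sit0
"""


def live_audit() -> dict:
    """Run the same audit on this host (Linux with iproute2 only)."""
    ss_output = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    with open("/proc/net/if_inet6") as fh:
        return audit(ss_output, fh.read())


if __name__ == "__main__":
    for line in audit(SAMPLE_SS, SAMPLE_IF_INET6)["findings"]:
        print("sample:", line)
    if os.path.exists("/proc/net/if_inet6"):
        try:
            for line in live_audit()["findings"]:
                print("live:", line)
        except (OSError, subprocess.CalledProcessError) as exc:
            print("live audit skipped:", exc)
```

On Windows the equivalent of the tunnel check is `netsh interface teredo show state`, `netsh interface 6to4 show state` and `netsh interface isatap show state`, and each can be turned off with `set state disabled`. Whichever platform, a 6to4 or Teredo address on the host means it has an IPv6 path to the Internet that nobody on the networking team provisioned, which is exactly the accidental exposure the post warns about.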


Dshield Web Honeypot going beta

[Cross posted from SANS ISC] SANS ISC started the Dshield Web Honeypot project roughly one year ago. The goal of this project is to replicate, on the web application side, what Dshield has done for the community. We are not trying to detect targeted attacks, but fast-scanning, self-replicating threats that have the potential to … Continue reading Dshield Web Honeypot going beta


Web application penetration testing VS vulnerability assessment

I deal with infrastructure and application security testing on a regular basis. On the infrastructure/network side, the consulting and testing market is much more mature, and the definitions of penetration test and vulnerability assessment are industry accepted. It is easy to communicate with other folks about the work involved. On the application side, things are not as well … Continue reading Web application penetration testing VS vulnerability assessment


Logging Links to 3rd party provider

When a web application spans multiple site boundaries, it is essential to keep track of where users are being directed. This is pretty much a basic logging and audit trail concept. While it is easy to understand in theory, it is not always easy to see where it should be implemented. Development communities sometimes … Continue reading Logging Links to 3rd party provider
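One place the audit trail can live is a redirect endpoint that every outbound link goes through. The following is an added example, not code from the original post: it records each hand-off of a user to a third-party site and, as a practitioner would want, only follows destinations on an allow-list so the same endpoint does not become an open redirect. The provider allow-list, the `OutboundLinkLog` class, the `resolve_outbound` helper and the JSON-lines record layout are this example's own inventions.

```python
"""Added example, not code from the original post: a redirect endpoint that
writes an audit record for every hand-off of a user to a third-party site.

Hypothetical names (this example's own): ALLOWED_PROVIDERS, OutboundLinkLog,
resolve_outbound and the record layout.
"""
from __future__ import annotations

import json
import time
import urllib.parse

# Third-party destinations the application is allowed to send users to.
# Matching the parsed host name, not a substring of the raw URL, is what stops
# "https://payments.example-provider.com@evil.example/" from passing.
ALLOWED_PROVIDERS = {"payments.example-provider.com", "support.example-vendor.net"}


class OutboundLinkLog:
    """In-memory stand-in for the audit log; as_jsonl() gives one line per event."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, **fields) -> None:
        self.entries.append(fields)

    def as_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def resolve_outbound(raw_target: str, session_id: str, log: OutboundLinkLog,
                     now=time.time) -> str | None:
    """Decide whether to redirect to raw_target and log the decision either way.

    Returns the URL to send the user to, or None when the target is refused.
    Refusals are logged too: a burst of refused targets from one session is
    someone probing the redirector for an open redirect. Only scheme, host
    and path go into the record; the query string is reduced to a flag
    because it may carry tokens or order identifiers.
    """
    try:
        parts = urllib.parse.urlsplit(raw_target.strip())
        host = (parts.hostname or "").lower()   # userinfo and port stripped, case folded
        port = parts.port                       # raises ValueError on a malformed port
    except ValueError:
        parts, host, port = None, "", None
    allowed = (parts is not None
               and parts.scheme in ("http", "https")
               and host in ALLOWED_PROVIDERS)
    if parts is not None:
        destination = urllib.parse.urlunsplit((parts.scheme, host, parts.path, "", ""))
    else:
        destination = raw_target[:200]
    log.record(
        ts=round(now(), 3),
        session=session_id,
        event="outbound_link",
        decision="allow" if allowed else "refuse",
        destination=destination,
        has_query=bool(parts.query) if parts is not None else False,
    )
    if not allowed:
        return None
    # Rebuild the URL from the validated parts so any userinfo is dropped.
    netloc = host if port is None else f"{host}:{port}"
    return urllib.parse.urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    audit = OutboundLinkLog()
    for target in ("https://payments.example-provider.com/checkout?order=42",
                   "https://payments.example-provider.com@evil.example/",
                   "//evil.example/"):
        print(target, "->", resolve_outbound(target, "session-1", audit))
    print(audit.as_jsonl())
```

The session identifier in each record is what ties the hand-off back to the user's activity on your own site, which is the point of the post: when a problem surfaces at the third party, you can answer who was sent there, when, and from which session.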