AppSec Blog

DOM-based XSS in the Wild

Editor's Note: Today's post is from Phillip Pham. Phillip is a Security Engineer at APT Security Solutions. In this post, Phillip walks through a cross-site scripting vulnerability he identified in the Fry's web application. Disclaimer At the time of writing, the stated vulnerability has already been remediated by Fry's Electronics. Thank you for taking swift … Continue reading DOM-based XSS in the Wild


Threat Modeling: A Hybrid Approach

Editor's Note: Today's post is from Sriram Krishnan. Sriram is a Security Architect at Pegasystems. In this post, Sriram introduces a hybrid threat modeling white paper addressing the limitations in traditional threat modeling methodologies. In the face of increasing attacks at the application layer and enterprise applications moving towards the cloud, organizations must look at … Continue reading Threat Modeling: A Hybrid Approach


Continuous Integration: Live Static Analysis with Roslyn

Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection and Cross-Site Scripting included in the … Continue reading Continuous Integration: Live Static Analysis with Roslyn


Dev-Sec.io Automated Hardening Framework

Editors Note: Today's post is from Jim Bird. Jim is the co-founder and CTO of a major U.S.-based institutional trading service, where he is responsible for managing the company's technology organization and information security program. Automated configuration management tools like Ansible, Chef and Puppet are changing the way that organizations provision and manage their … Continue reading Dev-Sec.io Automated Hardening Framework


2016 State of Application Security: Skills, Configurations, and Components

The 2016 SANS State of Application Security Survey analyst paper and webcast are complete. This year, Johannes Ullrich, dean of research at the SANS Technology Institute and instructor for DEV522: Defending Web Applications Security Essentials, led the project by analyzing the survey results, writing the whitepaper, and delivering the webcast. We had 475 respondents … Continue reading 2016 State of Application Security: Skills, Configurations, and Components