AppSec Blog

2017 Application Security Survey is Live!

Our 2016 application security survey, led by Dr. Johannes Ullrich, saw AppSec Programs continuously improving. In this year's 2017 survey led by Jim Bird, we will be looking at how AppSec is keeping up with rapidly increasing rates of change as organizations continue to adopt agile development techniques and DevOps. The survey is officially … Continue reading 2017 Application Security Survey is Live!


Taking Control of Your Application Security

Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combined that with the fact that for every 200 software engineers there is only 1 security professional, how do we staff a … Continue reading Taking Control of Your Application Security


DOM-based XSS in the Wild

Editor's Note: Today's post is from Phillip Pham. Phillip is a Security Engineer at APT Security Solutions. In this post, Phillip walks through a cross-site scripting vulnerability he identified in the Fry's web application. Disclaimer At the time of writing, the stated vulnerability has already been remediated by Fry's Electronics. Thank you for taking swift … Continue reading DOM-based XSS in the Wild


Threat Modeling: A Hybrid Approach

Editor's Note: Today's post is from Sriram Krishnan. Sriram is a Security Architect at Pegasystems. In this post, Sriram introduces a hybrid threat modeling white paper addressing the limitations in traditional threat modeling methodologies. In the face of increasing attacks at the application layer and enterprise applications moving towards the cloud, organizations must look at … Continue reading Threat Modeling: A Hybrid Approach


Continuous Integration: Live Static Analysis with Roslyn

Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection and Cross-Site Scripting included in the … Continue reading Continuous Integration: Live Static Analysis with Roslyn