AppSec Blog: Author - Eric Johnson

Continuous Integration: Live Static Analysis with Roslyn

Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection and Cross-Site Scripting included in the … Continue reading Continuous Integration: Live Static Analysis with Roslyn


HTTP Verb Tampering in ASP.NET

We're only a few days into 2016, and it didn't take long for me to see a web application vulnerability that has been documented for over 10 years: HTTP Verb Tampering. This vulnerability occurs when a web application responds to more HTTP verbs than necessary for the application to properly function. Clever attackers can exploit … Continue reading HTTP Verb Tampering in ASP.NET


Breaking CSRF: Spring Security and Thymeleaf

As someone who spends half of their year teaching web application security, I tend to give a lot of presentations that include live demonstrations, mitigation techniques, and exploits. When preparing for a quality assurance presentation earlier this year, I decided to show the group a demonstration of Cross-Site Request Forgery (CSRF) and how to fix … Continue reading Breaking CSRF: Spring Security and Thymeleaf


2015 State of Application Security: Closing the Gap

The 2015 SANS State of Application Security Analyst Paper and webcasts are complete. This year, Jim Bird, the lead author of the SANS Application Security Survey series, Frank Kim, and I all participated in writing the questions, analyzing the results, drafting the paper, and preparing the webcast material. In the 2015 survey, we split the … Continue reading 2015 State of Application Security: Closing the Gap


Secure Software Development Lifecycle Overview

In a previous post, we received a question asking, "what is a secure software development lifecycle"? This is an excellent question, and one that I receive quite often from organizations during an application security assessment. Let's quickly review the Software Development Lifecycle, also known as the SDLC. The goal of an SDLC is to provide … Continue reading Secure Software Development Lifecycle Overview