AppSec Blog: Author - Jason Lam

Top 25 series - Rank 1 - Cross Site Scripting

It is my honor to kick off with the first programming error on the Top 25 list. Ranked number 1 on the list is the Cross Site Scripting issue. Cross Site Scripting, like many other web security problems, is caused by simple flaws related to user input, but the potential attack scenarios can be diverse and the …

CWE/SANS Top 25 Most Dangerous Programming Errors

Last week, SANS/CWE released a list of the top 25 most dangerous programming errors. It contains the most common errors that developers are likely to make. The intention is to raise awareness of these problems and help prioritize the order of importance for organizations new to the security game. In the upcoming days, we will cover each of …

Adoption of X-FRAME-OPTIONS Header

In late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solutions is the X-FRAME-OPTIONS header, which allows a site to control whether its content can be displayed within a frame. There are two settings to this …

Results from Webhoneypot Project

The SANS ISC Webhoneypot project was started over a year ago, and the client has been in public beta since June. We have been collecting data from honeypots since January. The goal of the project is to collect quantitative data about the prevalence of large-scale automated attacks. We are now ready to share some …

Argument for Database encryption in web apps

I regularly get consulted on various web application security issues and defensive strategies. One of the recent "frequently asked questions" is around database encryption for web applications. My answers to these kinds of questions usually lead to awkward-looking faces. I always start off by asking more questions about the requirements: "Who are you trying to …