AppSec Blog

AppSec at RSA 2012 Conference

I attended the RSA conference last week in San Francisco for the first time, and enjoyed the city. Excellent restaurants like Slanted Door, Canteen, Barbacco and especially Commonwealth, the Wharf, Chinatown, the almost perfect weather. I was surprised at the scale of the conference, the impressive number of IT security professionals who came from everywhere, …

Agile Development Teams CAN build secure software

Agile Development Doesn't Create Secure Software questions whether Agile development teams can build secure code. It mostly references a study on small- and medium-sized Agile development teams, which found that Agile teams don't take security seriously even when building systems that are "web-facing and potential targets of attack". This isn't surprising. We already know that …

Software Security starts with Software Quality

In Software Security: Building Security In, Cigital's Gary McGraw breaks software security problems down into roughly equal halves. One half of security problems are security design flaws: missing authorization or doing encryption wrong - or not using encryption at all when you are supposed to, not handling passwords properly, not auditing the right data, relying …

ASP.Net Forms Authentication Bypass

It was recently announced that there is a vulnerability in ASP.Net Forms Authentication. The vulnerability allows an attacker to assume the identity of another user within the application without the need to know the victim's password. This is a critical vulnerability as it could allow users to execute commands they do not have access to. …

ASP.Net Insecure Redirect

It was recently discovered that there was a vulnerability within the ASP.Net Forms Authentication process that could allow an attacker to force a user to visit a malicious web site upon successful authentication. Until this vulnerability was found, it was thought that the only way to allow the Forms Authentication redirect (managed by the ReturnUrl …