AppSec Blog

Agile Development Teams CAN build secure software

Agile Development Doesn't Create Secure Software questions whether Agile development teams can build secure code. It mostly references a study on small- and medium-sized Agile development teams, which found that Agile teams don't take security seriously even when building systems that are "web-facing and potential targets of attack". This isn't surprising. We already know that …

Software Security starts with Software Quality

In Software Security: Building Security In, Cigital's Gary McGraw breaks software security problems down into roughly equal halves. One half of security problems are security design flaws: missing authorization or doing encryption wrong - or not using encryption at all when you are supposed to, not handling passwords properly, not auditing the right data, relying …

ASP.Net Forms Authentication Bypass

It was recently announced that there is a vulnerability in ASP.Net Forms Authentication. The vulnerability allows an attacker to assume the identity of another user within the application without the need to know the victim's password. This is a critical vulnerability as it could allow users to execute commands they do not have access to. …

ASP.Net Insecure Redirect

It was recently discovered that there was a vulnerability within the ASP.Net Forms Authentication process that could allow an attacker to force a user to visit a malicious web site upon successful authentication. Until this vulnerability was found, it was thought that the only way to allow the Forms Authentication redirect (managed by the ReturnUrl …

Seven Tips for Picking a Static Analysis Tool

Stephen J, who is a member of our software security mailing list, asked a while back, "Do you have any recommendations on static source code scanners?" James Jardine and I started talking and came up with the following tips. There are so many commercial static analysis tools from vendors like Armorize, Checkmarx, Coverity, Fortify (HP), …