It is our belief that the use of code review as a part of our Grey-box security assessment approach is very effective for many compelling reasons...
Below is a link to our OWASP training we delivered in San Francisco on the 24th Feb 2014
Our RSA Europe class was delivered yesterday in Amsterdam.4 hours of defensive coding techniques.
Vulnerability Management: The age old penetration test is dead, long live the penetration test...So as discussed before a 1-off penetration test does not work, why?
Ireland is not an Island....As many of you know I am passionate about how we as a country secure the systems, networks and the critical elements of our national infrastructure that we all depend on.
There was a recent discussion on the OWASP Testing guide list, a project I used to lead, in relation to "How to test for business logic issues"This is a real tough one to document in terms of "How to..."
Why do we look at Cross Site Scripting, Command Injection and SQL injection in different ways?Why am I even writing about such old issues like SQLI, XSS, CMDi? Probably because they are very similar from a builder/prevention aspect but very different from a breaker/defender aspect.
Our Traditional approach to penetration testing, even large scale global penetration testing is to perform an annual/bi-annual pen test on our web applications.
Its been a while since i posted. I've been bogged down with code reviews and training but even when you deliver training you learn something new. This is particularly true when training developers keen to learn secure development. The conversations during the course tend to be more about building than breaking....
Cross Site Scripting is sill a very common web vulnerability. Generally it is used to attack clients/users.It can be used for malware upload, botnet hooking, keylogging, a payload delivery system for clickjacking and CSRF attacks and much much more, all for 6 easy payments of $9.99...sorry got carried away there :)
A major issue with enterprises is "are we secure?" (what does that even mean...). If you are asked by the CEO whilst sharing a lift to the 10th floor,what do you answer??? eh..em yes..er no...well sort-of.....
This document reflects my personal opinion on the state of application security. It calls out what I see are the weaknesses of our approach as a community to addressing the issue of web [in]security. Web [in]security is a healthy and growing industry and rather than verification of issues we constantly find and are exposed to new threats without every addressing the current ones en-masse…….