AntiSQLi: The New Black Magic

Posted by on July 3, 2013 · Comments Off on AntiSQLi: The New Black Magic
Filed under: Development, Security 

As a Principal Security Consultant, I see too many sites that still have SQL Injection vulnerabilities.  As a developer, I have spent years writing code and having a security background, I often wonder why we still have so many out there.  Of course, we have issues like legacy code, which no one wants to touch.  ...

Your Passwords Were Stolen: What’s Your Plan?

Posted by on May 29, 2013 · Comments Off on Your Passwords Were Stolen: What’s Your Plan?
Filed under: Development, Security 

If you have been glancing at many news stories this year, you have certainly seen the large number of data breaches that have occurred. Even just today, we are seeing reports that Drupal.org suffered from a breach (https://drupal.org/news/130529SecurityUpdate) that shows unauthorized access to hashed passwords, usernames, and email addresses. Note that this ...

ViewState: Still Mis-understood

Posted by on April 22, 2013 · Comments Off on ViewState: Still Mis-understood
Filed under: Development, Security 

Here we are in 2013 and we are still having discussions about what ViewState is and how it works.  For you MVC guys and gals, you are probably even wondering who is still using it.  Although I do find it interesting that we have ViewState in Webforms but not in MVC even though MVC has ...

Hidden Treasures: Not So Hidden

Posted by on April 5, 2013 · Comments Off on Hidden Treasures: Not So Hidden
Filed under: Development, Security, Testing 

For years now, I have run into developers that believe that just because a request can’t be seen, it is not vulnerable to flaws.  Wait, what are we talking about here?   What do you mean by a request that can’t be seen?  There are a few different ways that the user would not see a ...

Brute Force: An Inside Job

Posted by on March 20, 2013 · Comments Off on Brute Force: An Inside Job
Filed under: Development, Security, Testing 

As a developer, we are told all the time to protect against brute force attacks on the login screen by using a mechanism like account lockouts.  We even see this on our operating systems, when we attempt multiple incorrect logins, we get locked out.   Of course, as times have changed, so have some of the ...

Developers, Security, Business – Lets All Work Together

Posted by on January 10, 2013 · Comments Off on Developers, Security, Business – Lets All Work Together
Filed under: Development, Security 

A few years ago, my neighbors ran into an issue with each other. Unfortunately for one neighbor, the other neighbor was on the board for the HOA. The first neighbor decided to put up a fence, got the proper approvals and started work on it. They were building the fence them selves ...

ASP.Net and CSRF

Posted by on January 7, 2013 · Comments Off on ASP.Net and CSRF
Filed under: Development, Security 

Cross-site request forgery (CSRF) is a very common vulnerability today.  Like most frameworks, ASP.Net is not immune by default.  There are some features that are built-in that can be enabled to help reduce the surface area of this attack, however we need to be aware of how they work and what situations they may not ...

SQL Injection in 2013: Lets Work Together to Remediate

Posted by on January 4, 2013 · Comments Off on SQL Injection in 2013: Lets Work Together to Remediate
Filed under: Development, Security 

We just started 2013 and SQL Injection has been a vulnerability plaguing us for over 10 years.  It is time to take action.  Not that we haven’t been taking action, but it is still prevalent in web applications.  We need to set attainable goals.  Does it seem attainable that we say we will eradicate all ...

Authorization: Bad Implementation

Posted by on January 3, 2013 · Comments Off on Authorization: Bad Implementation
Filed under: Development, Security, Testing 

A few years ago, I joined a development team and got a chance to poke around a little bit for security issues.  For a team that didn't think much about security, it didn't take long to identify some serious vulnerabilities.  One of those issues that I saw related to authorization for privileged areas of the ...

2012 in Review

Posted by on December 31, 2012 · Comments Off on 2012 in Review
Filed under: Development, Security, Testing 

Well here it is, 2012 is coming to an end and I thought I would wish everyone happy holidays, as well as mention some of the topics covered this year on my blog. The year started out with a few issues in the ASP.Net framework. We saw a Forms Authentication Bypass that ...

« Previous PageNext Page »