A Pen Test is Coming!!

Posted by on October 18, 2014 · Comments Off on A Pen Test is Coming!!
Filed under: Development, Security, Testing 

You have been working hard to create the greatest app in the world.  Ok, so maybe it is just a simple business application, but it is still important to you.  You have put countless hours of hard work into creating this master piece.  It looks awesome, and does everything that the business has asked for.  ...

Are Application Security Certifications Worth It?

Posted by on August 9, 2014 · Comments Off on Are Application Security Certifications Worth It?
Filed under: Security 

In the IT industry there has always been a debate for and against certifications. This is no different than the age old battle of whether or not a bachelors degree is needed to be good in IT. There are large entities that have made a really good profit off the certification tracks. ...

Application Logging: The Next Great Wonder

Posted by on August 2, 2014 · Comments Off on Application Logging: The Next Great Wonder
Filed under: Security 

What type of logging do you perform in your applications? Do you just log exceptions? Many places I have worked and many developers I have talked to over the years mostly focus on logging troubleshooting artifacts. Where did the application break, and what may have caused it. We do this because ...

Future of ViewStateMac: What We Know

Posted by on December 12, 2013 · Comments Off on Future of ViewStateMac: What We Know
Filed under: Development, Security, Testing 

The .Net Web Development and Tools Blog just recently posted some extra information about ASP.Net December 2013 Security Updates (http://blogs.msdn.com/b/webdev/archive/2013/12/10/asp-net-december-2013-security-updates.aspx). The most interesting thing to me was a note near the bottom of the page that states that the next version of ASP.Net will FORBID setting ViewStateMac=false. That is right.. They will ...

ViewStateUserKey: ViewStateMac Relationship

Posted by on November 26, 2013 · Comments Off on ViewStateUserKey: ViewStateMac Relationship
Filed under: Development, Security, Testing 

I apologize for the delay as I recently spoke about this at the SANS Pen Test Summit in Washington D.C. but haven't had a chance to put it into a blog. While I was doing some research for my presentation on hacking ASP.Net applications I came across something very interesting that sort of blew ...

Bounties For Fixes

Posted by on October 11, 2013 · Comments Off on Bounties For Fixes
Filed under: Security 

It was just recently announced that Google will pay for open-source code security fixes (http://www.computerworld.com/s/article/9243110/Google_to_pay_for_open_source_code_security_fixes). Paying for stuff to happen is nothing new, we have seen Bug Bounty programs popping up in a lot of companies. The idea behind the bug bounty is that people can submit bugs they have found and then ...

AntiSQLi: The New Black Magic

Posted by on July 3, 2013 · Comments Off on AntiSQLi: The New Black Magic
Filed under: Development, Security 

As a Principal Security Consultant, I see too many sites that still have SQL Injection vulnerabilities.  As a developer, I have spent years writing code and having a security background, I often wonder why we still have so many out there.  Of course, we have issues like legacy code, which no one wants to touch.  ...

Your Passwords Were Stolen: What’s Your Plan?

Posted by on May 29, 2013 · Comments Off on Your Passwords Were Stolen: What’s Your Plan?
Filed under: Development, Security 

If you have been glancing at many news stories this year, you have certainly seen the large number of data breaches that have occurred. Even just today, we are seeing reports that Drupal.org suffered from a breach (https://drupal.org/news/130529SecurityUpdate) that shows unauthorized access to hashed passwords, usernames, and email addresses. Note that this ...

The Watering Hole: Is it Safe to Drink?

Posted by on May 7, 2013 · Comments Off on The Watering Hole: Is it Safe to Drink?
Filed under: Security 

How many times have you been told you have a vulnerability that you just don’t understand  its relevancy?  Cross-Site scripting comes to mind for many people.   Sure, they get the fact that you can execute script in the user’s browser, but often times they really don’t fully understand the impact.  Of course, we determine that ...

Authentication Failure: Bank Transactions in Person

Posted by on May 3, 2013 · Comments Off on Authentication Failure: Bank Transactions in Person
Filed under: Security 

Usually I write about the security flaws that I have seen over the years both as a developer and a security professional.  Recently, however, I was in a situation where I realized after the transaction, that there was no authentication to who I was.  Of course, when we talk about technology, we discuss authentication a ...

« Previous PageNext Page »