Everyone has heard of the Colonial pipeline attack that happened a while back. The company that provides fuel across the East coast shut down that fuel supply due to ransomware on their systems. This sparked a huge push for ICS security. It got a lot of people talking about critical infrastructure and how the world will end with a single cyber attack. I don't disagree that these systems are at risk or that they shouldn't be secured. This is something that we should be focusing on in general to … [Read more...] about How critical is your app in your customer’s process?
AppSec
Don’t Shift Left, Expand
The last few years the biggest buzzword was shifting left. You have seen it everywhere. The concept is pretty simple when you think about the evolution of application security. We started out with a huge focus on penetration testing and providing a report back to the development team. The majority of organizations didn't have application security teams, and if they did, they were usually pretty small and limited in function. This method of app security was easy because it was in a time where … [Read more...] about Don’t Shift Left, Expand
Client vs. Server Validation
How many times have we thrown a vulnerability over to the development team assuming they understand what the issue is? How many times have we sat with the development team to show them what we do? This isn't a point of showing how to attack to build up the next generation of security people. Instead, it is focused on showing the development team how at attacker looks at their application so they better understand the issue identified. Let's walk through a really simple scenario You have an … [Read more...] about Client vs. Server Validation
Technical Debt vs. New Dev
When it comes to application vulnerabilities, there are 2 common groups we might view them: Technical Debt and New Development. I break these down because the way in which we address vulnerabilities is fundamentally different. Something that might not be exploitable receives a very low priority when it is technical debt. However, during new development, it can be addressed with little cost. Much of this comes down to if soemthing is syntactically insecure vs. actually vulnerable. Let’s look at … [Read more...] about Technical Debt vs. New Dev
The risk of Spell Checking
Did you know that input fields on a web form support spell checking by default in many web browsers? This is a feature of the browser that can help catch errors early for the end user. Recently, some testers found that some data may be leaked during the spell checking function to 3rd parties. Here is a reference article describing this: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords The first point to make here is this is … [Read more...] about The risk of Spell Checking
Is encoding really encoding if it is escaping?
The title might be confusing, let's see if we can clear it up. I saw an article the other day that was giving a comparison between encoding, encryption and hashing. There was a statement made that basically said: Encoding has no security purpose. I thought this was interesting because when training on security topics we mention encoding for specific use cases. For example, when we discuss Cross-Site Scripting, the answer is output encoding. I want to clarify that I agree with the statement … [Read more...] about Is encoding really encoding if it is escaping?