Have you ever forgotten your password, or lost access to your accounts? I know I have. The process of getting your access back can range from very easy to quite difficult. In one case, I had an account that required that a pin code be physically mailed to me in 7-10 days. Of course, this was a financial account that required extra protections. I came across this article (https://www.wired.com/story/myspace-security-account-takeover/) that identified that MySpace's process for regaining access … [Read more...] about MySpace Account Takeover – Take-aways
developer
Security Tips for Copy/Paste of Code From the Internet
Developing applications has long involved using code snippets found through textbooks or on the Internet. Rather than re-invent the wheel, it makes sense to identify existing code that helps solve a problem. It may also help speed up the development time. Years ago, maybe 12, I remember a co-worker that had a SQL Injection vulnerability in his application. The culprit, code copied from someone else. At the time, I explained that once you copy code into your application it is now your … [Read more...] about Security Tips for Copy/Paste of Code From the Internet
SSL Labs and HSTS
Qualys recently posted about some grading changes coming to SSL Labs in 2017. If you are not aware of SSL Labs, it is a service to check your SSL/TLS implementation for your web applications to determine how secure they are. While there were more changes listed, you can read about them in the link above, I wanted to focus on the one regarding HTTP Strict Transport Security (HSTS). If you haven't heard of HSTS, or want a quick refresher, you can check out this post: HTTP Strict Transport … [Read more...] about SSL Labs and HSTS
Login Forms and HTTP
Does your application have a login form? Do you deliver it over HTTPS to protect the username and password while being transmitted to the server? If you answered yes to both of those questions, are you sure? Many years ago, before there was a huge push for HTTPS all the time, it was common practice for many applications to load a login form using HTTP, but then submit the form over HTTPS. This was accomplished by setting the action attribute of the form to the full HTTPS version of … [Read more...] about Login Forms and HTTP
Does SAST and DAST Really Require Security Experts To Run Them?
There is no argument that automated tools help quickly identify many of the vulnerabilities found in applications today. Tools are typically categorized into one of the following three categories: Dynamic Application Security Testing (DAST) - analyzes the running application. Static Application Security Testing (SAST) - analyzes the source or byte code of the application. Interactive Application Security Testing (IAST) - uses agents installed on the web server to instrument the application … [Read more...] about Does SAST and DAST Really Require Security Experts To Run Them?
Application Security and Responsibility
Who is responsible for application security within your organization? While this is something I don't hear asked very often, when I look around the implied answer is the security team. This isn't just limited to application security either. Look at network security. Who, in your organization, is responsible for network security? From my experience, the answer is still the security group. But is that how it should be? Is there a better way? Security has spent a lot of effort to take and … [Read more...] about Application Security and Responsibility