If I told you to adjust your seat before adjusting your mirror in your car, would you just do it? Just because I said so, or do you understand why there is a specific order? Most of us retain concepts better when we can understand them logically. Developing applications requires a lot of moving pieces. An important piece in that process is implementing security controls to help protect the application, the company, and the users. In many organizations, security is heavily guided by an … [Read more...] about Understanding the “Why”
developer
ImageMagick – Take-aways
Do your applications accept file uploads? More specifically, image uploads? Do you use a site that allows you to upload images? If you haven't been following the news lately, there was recently a few vulnerabilities found in the ImageMagick image library. This library is very common in websites to perform image processing. The vulnerability allows remote code execution (RCE) on the web server, which is very dangerous. For more specific details on the vulnerability itself, check out this … [Read more...] about ImageMagick – Take-aways
Reliance on 3rd Party Components
It was just recently announced that Apple will no longer be supporting QuickTime for Windows. Just like any other software, when support has ended, the software becomes a security risk. As a matter of fact, there are current known vulnerabilities in QuickTime that will never get patched. The Department of Homeland Security has an alert recommending removal of QuickTime for Windows. For users, it may seem simple: Uninstall QuickTime from your Windows system. But wait.. what about software … [Read more...] about Reliance on 3rd Party Components
Security in Testing Environments
When it comes to creating applications, there is a need for multiple environments to support the development process. It typically starts on the developers own computer, then on to an integration environment, a QA testing environment, possibly a UAT (User Acceptance Testing) environment, and then finally production. Depending on your organization, you may have some, none, or all of these different environments. When it comes to security, the focus is typically on the production environment. … [Read more...] about Security in Testing Environments
The Hidden Reason for Switching to HTTPS
If you run a website, you have probably debated on whether or not you need to make the switch to HTTPS instead of using HTTP. For those that still don't know, HTTPS is the encrypted version of HTTP. This is typically seen on banking sites, touted to protect your sensitive information when transmitted between you (your browser) and the application. I wrote on this topic about a year ago in the post: Is HTTP being left behind for HTTPS? Back then there was a big push for making the switch … [Read more...] about The Hidden Reason for Switching to HTTPS
Introduction to Penetration Testing for Application Teams
In this presentation, James Jardine focuses on educating application teams on what a penetration test is and how to extract the most value from it. Application teams learn how to participate in the engagement and better understand the report. You can watch the recorded session at any time at: https://youtu.be/I1PukF8Glh0 https://youtu.be/I1PukF8Glh0 … [Read more...] about Introduction to Penetration Testing for Application Teams