Application security should be on the mind of anyone that is part of the application design/build process. That means architects, developers, application owners, QA testers, business analysts and even end users. Everyone of these positions plays a role in the security of the applications. Depending on the organization, the roles can be quite different. You must understand the roles of these positions from a development perspective to really understand how they fit into the security aspect … [Read more...] about SDLC: Understanding your Roles
qa
Security for QA Testers: The Importance
Quality Assurance (QA) testing is a critical role for any application that is being developed. The purpose: to identify flaws within the application that effect how the application runs and the users that use it. Typically this has focused on the goal of identifying flaws that prohibited the application functions from performing as expected. When I say expected, I mean that the end user is not able to complete his identified task. Over the past decade there has been a growing focus on the … [Read more...] about Security for QA Testers: The Importance
Static Analysis: Analyzing the Options
When it comes to automated testing for applications there are two main types: Dynamic and Static. Dynamic scanning is where the scanner is analyzing the application in a running state. This method doesn't have access to the source code or the binary itself, but is able to see how things function during runtime. Static analysis is where the scanner is looking at the source code or the binary output of the application. While this type of analysis doesn't see the code as it is running, it has … [Read more...] about Static Analysis: Analyzing the Options
The Importance of Baselines
To understand what is abnormal, we must first understand what is normal. All too often we have overlooked the basic first step of understanding and recording our baselines. Whether it is for network traffic, data input, or binary sizes it is imperative we understand what is normal. Once we have an understanding of what normal is it becomes easier to start identifying abnormalities that can be of concern. Related podcast: Ep. 24: The Importance of Baselines Take a moment to think about … [Read more...] about The Importance of Baselines
Amazon XSS: Thoughts and Takeaways
It was recently identified, and Amazon was quick (2 days) to fix it, that one of their sites was vulnerable to cross-site scripting. Cross-site scripting is a vulnerability that allows an attacker to control the output in the user's browser. A more detailed look into cross-site scripting can be found on the OWASP site. Take-Aways QA could have found this Understand your input validation routines Check to make sure the proper output encoding is in place in every location user supplied … [Read more...] about Amazon XSS: Thoughts and Takeaways
Input Validation: Keep It Simple
Attackers take advantage of an application by manipulating the inputs to the system. For example, a first name field or even a request header like the user-agent. Applications wouldn't be very useful if they didn't accept any input from the end user. Unfortunately, this is the key attack vector. One of the basic techniques used to help protect a system is to us input validation, which assesses the input to determine if it is should be accepted. Many development groups have fought with the … [Read more...] about Input Validation: Keep It Simple