When we think about HTTP vs. HTTPS, we often focus on the risk to sensitive information. HTTP transmits our data in clear-text, while HTTPS encrypts the data to stop people from snooping. But that is not all that HTTPS does. What about tampering? One of the other key aspects of HTTPS is to protect our communication with the server from tampering. In this case, we would be concerned with someone being able to manipulate the responses that are sent back to the user's browser. While no sensitive … [Read more...] about HTTPS Isn’t Just For Sensitive Info
sdlc
How critical is your app in your customer’s process?
Everyone has heard of the Colonial pipeline attack that happened a while back. The company that provides fuel across the East coast shut down that fuel supply due to ransomware on their systems. This sparked a huge push for ICS security. It got a lot of people talking about critical infrastructure and how the world will end with a single cyber attack. I don't disagree that these systems are at risk or that they shouldn't be secured. This is something that we should be focusing on in general to … [Read more...] about How critical is your app in your customer’s process?
Don’t Shift Left, Expand
The last few years the biggest buzzword was shifting left. You have seen it everywhere. The concept is pretty simple when you think about the evolution of application security. We started out with a huge focus on penetration testing and providing a report back to the development team. The majority of organizations didn't have application security teams, and if they did, they were usually pretty small and limited in function. This method of app security was easy because it was in a time where … [Read more...] about Don’t Shift Left, Expand
Client vs. Server Validation
How many times have we thrown a vulnerability over to the development team assuming they understand what the issue is? How many times have we sat with the development team to show them what we do? This isn't a point of showing how to attack to build up the next generation of security people. Instead, it is focused on showing the development team how at attacker looks at their application so they better understand the issue identified. Let's walk through a really simple scenario You have an … [Read more...] about Client vs. Server Validation
Ep. 116: Chrome Retires XSS Auditor
Do you rely on the browser to protect your application from Cross-Site Scripting? Over the years, many of the popular browsers attempted to create these XSS filters to help reduce the risk of the vulnerability. Unfortunately, over the years we have seen a lot of bypasses to these filters. Chrome announced they are removing their XSS Auditor. Hear some of our thoughts on the changes. Listen to the Episode: References https://www.chromium.org/developers/design-documents/xss-auditor … [Read more...] about Ep. 116: Chrome Retires XSS Auditor
Application Security and Responsibility
Who is responsible for application security within your organization? While this is something I don't hear asked very often, when I look around the implied answer is the security team. This isn't just limited to application security either. Look at network security. Who, in your organization, is responsible for network security? From my experience, the answer is still the security group. But is that how it should be? Is there a better way? Security has spent a lot of effort to take and … [Read more...] about Application Security and Responsibility