How many times have you wanted to see how something worked, or it looked really cool, so you stood up an instance on your network? You are trying out Jenkins, or you stood up a new Tomcat server for some internal testing. Do you practice good security procedures on these systems? Do you set strong passwords? Do you apply updates? These devices or applications are often overlooked by the person that stood them up, and probably unknown to the security team. It may seem as though these systems … [Read more...] about Tips for Securing Test Servers/Devices on a Network
testing
Business Analysts and Product Managers: Security Roles
In a previous post I discussed how QA plays a critical role in the security of an application. As with QA and developers, the business analysts and product managers are also crucial to a successful security development lifecycle. Not to add any pressure, but it is these two roles that feed into the other groups for the security requirements. When designing an application the focus is usually placed on ensuring that the end user functionality, the functionality to solve a specific problem, … [Read more...] about Business Analysts and Product Managers: Security Roles
Security for QA Testers: The Importance
Quality Assurance (QA) testing is a critical role for any application that is being developed. The purpose: to identify flaws within the application that effect how the application runs and the users that use it. Typically this has focused on the goal of identifying flaws that prohibited the application functions from performing as expected. When I say expected, I mean that the end user is not able to complete his identified task. Over the past decade there has been a growing focus on the … [Read more...] about Security for QA Testers: The Importance
Static Analysis: Analyzing the Options
When it comes to automated testing for applications there are two main types: Dynamic and Static. Dynamic scanning is where the scanner is analyzing the application in a running state. This method doesn't have access to the source code or the binary itself, but is able to see how things function during runtime. Static analysis is where the scanner is looking at the source code or the binary output of the application. While this type of analysis doesn't see the code as it is running, it has … [Read more...] about Static Analysis: Analyzing the Options
Sensitive Data and Storage Issues
Do you know what constitutes sensitive data in your organization? How about in your state or industry? As developers or business analysts we often do not follow the nitty gritty details of sensitive information regulations or laws. Not that we don't want to enforce them, but often times I think we often just don't know about them. It is often thought that the CIO, CISO or a privacy officer is responsible for understanding our data and to what level it needs to be protected. I completely … [Read more...] about Sensitive Data and Storage Issues
Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways
It was recently announced that there was a flaw identified (and since fixed) in the Verizon API that allowed access to Verizon customer email accounts. The way this worked was that there was an ID parameter with the email account's user ID specified. If a user supplied a different user's ID name, that user's email account would be returned. This is known as an Insecure Direct Object Reference. It was also found that the attacker could not only read another user's email, but also send email … [Read more...] about Verizon Email API Insecure Direct Object Reference Thoughts and Takeaways