Cross-site scripting (XSS) is a complex problem with many moving parts, but a few gotchas matter more than the rest. Here are the top three.
In Python, pickle serializes an object graph into a byte stream and deserializes it back. Because unpickling can execute arbitrary code chosen by whoever produced the bytes, data from untrusted sources must never be loaded with it. Here are best practices for secure Python pickling.
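As an added illustration of the two practices the post summarizes (refuse untrusted pickles, and restrict what any pickle may reference), the following example is not code from the original post. It shows how a pickle carries a function call through `__reduce__`, how a subclass of `pickle.Unpickler` with an allow-listed `find_class` refuses that call, and how an HMAC tag lets a consumer reject bytes that did not come from a trusted producer. The allow-list, the `attacker_sink` stand-in for `os.system`, the sample objects and the key are all assumptions made for the demo.

```python
import builtins
import hashlib
import hmac
import io
import pickle

# Assumed allow-list for this demo: plain data types only. Anything else a
# pickle names (os.system, subprocess.Popen, builtins.eval, ...) is refused.
ALLOWED_CLASSES = {
    "builtins": {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allow-list."""

    def find_class(self, module, name):
        # Only the 'builtins' module is on the list, so getattr on builtins
        # is enough; extend here if other modules are ever allowed.
        if name in ALLOWED_CLASSES.get(module, ()):
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    """Deserialize data, refusing any global not on the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- what an attacker-controlled pickle does under plain pickle.loads -------

SIDE_EFFECTS = []  # records what the payload "ran" so the demo stays harmless


def attacker_sink(command):
    """Stand-in for os.system (assumption for the demo): records instead of executing."""
    SIDE_EFFECTS.append(command)
    return f"executed: {command}"


class Exploit:
    """Attacker-crafted object: __reduce__ tells pickle which callable to invoke."""

    def __reduce__(self):
        return (attacker_sink, ("id > /tmp/pwned",))


def make_malicious_pickle():
    return pickle.dumps(Exploit())


def unrestricted_load(data):
    # Plain pickle.loads resolves attacker_sink and calls it during unpickling.
    return pickle.loads(data)


def restricted_load_is_refused(data):
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


SAFE_SAMPLE = {"user": "alice", "roles": ["admin", "ops"]}  # constructed sample


def safe_roundtrip():
    # Plain data never needs find_class, so the restricted loader accepts it.
    return restricted_loads(pickle.dumps(SAFE_SAMPLE))


# --- authenticating pickles that travel between trusted components ---------

def sign_pickle(obj, key):
    """Prefix the pickle with an HMAC-SHA256 tag computed under a shared key."""
    body = pickle.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def verify_and_load(blob, key):
    """Check the tag in constant time before any bytes reach the unpickler."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("pickle signature mismatch; refusing to unpickle")
    return restricted_loads(body)  # still restrict: defense in depth


def tampered_is_rejected(blob, key):
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        verify_and_load(tampered, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = make_malicious_pickle()
    print("plain loads   :", unrestricted_load(payload), SIDE_EFFECTS)
    print("restricted    : refused =", restricted_load_is_refused(payload))
    demo_key = b"k" * 32  # assumption: a 32-byte key shared by both ends
    print("signed roundtrip:", verify_and_load(sign_pickle(SAFE_SAMPLE, demo_key), demo_key))
```

The HMAC tag only proves the bytes came from a holder of the key; it does not make pickle safe against a producer who is itself compromised, which is why the verified body still goes through the restricted loader.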
Posted in Developer Enablement | Understanding Python pickling and how to use it securely
Red teaming offers a new way of thinking about and identifying risks, and of allocating defenses to address them. Are you red team secure?
Posted in Software Architecture and Design | Are you red team secure?
We review how attackers can abuse a browser's implementation of content security policy to trick users and potentially gather personal information, using a Facebook example.
Posted in Web Application Security | Browser implementations of content security policy introduce security problems
I’ve been working with Python bytecode recently, and wanted to share some of my experience working with it. To be more precise, I’ve been working exclusively on the bytecode for the CPython interpreter, and limited to versions 2.6 and 2.7.
Posted in Web Application Security | Understanding Python bytecode
Chandu Ketkar reviews the Poodle attack on SSLv3, including the anatomy of the attack, its impact, and how to mitigate it.
Red teaming is when an independent group tests your system in the same way an attacker would to identify weaknesses that could compromise sensitive data.
Posted in Mobile Application Security | Red teaming for a holistic view of security
Gary McGraw delivered the Friday morning keynote at AppSec USA 2014. Watch “BSIMM: A Decade of Software Security” and read along with his guide.
Posted in Maturity Model (BSIMM) | A guide to Gary McGraw's AppSec USA keynote
Even though the 2014 iCloud photo leak can be traced back to personal devices, businesses that use cloud storage for data should take note of a few lessons.
Posted in Cloud Security | Minimizing exposure from iCloud and other cloud storage
The IEEE Computer Society Center for Secure Design (CSD) has launched and released its first title: Avoiding the Top 10 Software Security Design Flaws.
Posted in Software Architecture and Design | The IEEE Computer Society Center for Secure Design