Software Integrity

Archive for the 'OWASP' Category

The year in review: 2017 top posts

As we race into 2018 (can you believe it’s February?), let’s take a moment to look back at some of the most fascinating topics in open source security and compliance from the past year. No surprise, the 2017 top posts were dominated by the data breach at Equifax, traced back to the exploit of a […]

Posted in DevOps, Open Source Security, OWASP

What’s happening with the OWASP Top 10 2017?

One of my favorite books, “The Hitchhiker’s Guide to the Galaxy,” describes itself in the introduction like this: In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the Hitchhiker’s Guide has already supplanted the great Encyclopedia Galactica as the standard repository of all knowledge and wisdom, for though it […]

Posted in Application Security, OWASP

OWASP Top 10 2017: But is it fixed?

Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed? My argument to remove A7 was […]

Posted in Application Security, OWASP

Learn how to customize the OWASP Top 10 to fit your firm

A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations […]

Posted in OWASP, Security Risk Assessment, Threat Intelligence, Vulnerability Assessment

OWASP Top 10: Application security risks

Your chance to contribute to the OWASP Top 10 2016 report expired July 20th 2016. This was a rare opportunity to influence best practices in web operations. For those of you unfamiliar with OWASP and their report, please read on. The Open Web Application Security Project (OWASP) is a non-profit community of software developers, engineers and freelancers that provides […]

Posted in Application Security, OWASP

SHA2 ‘vs.’ SHA1

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into their schemes, those schemes seldom resist attack. Not surprising: applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and the more thorough Threat Model, helps […]

Posted in OWASP, Threat Modeling

An OWASP interaction model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open […]

Posted in OWASP, Software Security Testing

Securing URL redirects

Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten list. Sites that are vulnerable often expose a servlet or server-side script that constructs the URL being redirected to using data received from the client (i.e., something that can be […]

Posted in OWASP, Secure Coding Guidelines, Software Security Testing

Improving software security (maturity models and their ilk?)

Ben Worthen broke the BSIMM story on wsj.com as was posted earlier. I was shocked when someone said, “Oh and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) […]

Posted in Maturity Model (BSIMM), OWASP, Security Metrics, Software Security Program Development

SDLC on the shoulders of giants

Software security veterans have all certainly thought about the idea of ‘securing the SDLC’… I can tell because every consulting firm’s collateral that I’ve seen in the past year has a new bullet under their ‘services’ section referring to something like ‘Secure development process integration’ or ‘Secure SDLC services’. That being said, let’s talk about […]

Posted in OWASP, Software Development Life Cycle (SDLC), Software Security Testing