Software Security

Archive for the 'OWASP' Category

Learn how to customize the OWASP Top 10 to fit your firm

A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing its applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations […]

Posted in OWASP, Security Risk Assessment, Threat Intelligence, Vulnerability Assessment

SHA2 ‘vs.’ SHA1

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into their schemes, those schemes seldom resist attack. Not surprisingly, applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and the more thorough Threat Model, helps […]

Posted in OWASP, Threat Modeling

An OWASP interaction model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open […]

Posted in OWASP, Software Security Testing

Securing URL redirects

(This is a guest post by Synopsys consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten list. Sites that are vulnerable often expose a servlet or server-side […]

Posted in OWASP, Secure Coding Guidelines, Software Security Testing

Improving software security (maturity models and their ilk?)

Ben Worthen broke the BSIMM story on wsj.com as was posted earlier. I was shocked when someone said, “Oh and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) […]

Posted in Maturity Model (BSIMM), OWASP, Security Metrics, Software Security Program Development

SDLC on the shoulders of giants

Software security veterans have all certainly thought about the idea of ‘securing the SDLC’… I can tell because every consulting firm’s collateral that I’ve seen in the past year has a new bullet under their ‘services’ section referring to something like ‘Secure development process integration’ or ‘Secure SDLC services’. That being said, let’s talk about […]

Posted in OWASP, Software Development Life Cycle (SDLC), Software Security Testing