Software Integrity

Archive for the 'OWASP' Category

 

What’s happening with the OWASP Top 10 2017?

One of my favorite books, “The Hitchhiker’s Guide to the Galaxy,” describes itself in the introduction like this: In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the Hitchhiker’s Guide has already supplanted the great Encyclopedia Galactica as the standard repository of all knowledge and wisdom, for though it […]

Continue Reading...

Posted in Application Security, OWASP | Comments Off on What’s happening with the OWASP Top 10 2017?

 

OWASP Top 10 2017: But is it fixed?

Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed? My argument to remove A7 was […]

Continue Reading...

Posted in Application Security, OWASP | Comments Off on OWASP Top 10 2017: But is it fixed?

 

Learn how to customize the OWASP Top 10 to fit your firm

A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations […]

Continue Reading...

Posted in OWASP, Security Risk Assessment, Threat Intelligence, Vulnerability Assessment | Comments Off on Learn how to customize the OWASP Top 10 to fit your firm

 

SHA2 ‘vs.’ SHA1

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into schemes they seldom resist attack. Not surprising–applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and more thorough Threat Model, help […]

Continue Reading...

Posted in OWASP, Threat Modeling | Comments Off on SHA2 ‘vs.’ SHA1

 

An OWASP interaction model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open […]

Continue Reading...

Posted in OWASP, Software Security Testing | Comments Off on An OWASP interaction model

 

Securing URL redirects

Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten 10 List. Sites that are vulnerable often expose a servlet or server-side script that constructs the URL being transferred to using data that is received from the client (i.e., something that can be […]

Continue Reading...

Posted in OWASP, Secure Coding Guidelines, Software Security Testing | Comments Off on Securing URL redirects

 

Improving software security (maturity models and their ilk?)

Ben Worthen broke the BSIMM story on wsj.com as was posted earlier. I was shocked when someone said, “Oh and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) […]

Continue Reading...

Posted in Maturity Model (BSIMM), OWASP, Security Metrics, Software Security Program Development | Comments Off on Improving software security (maturity models and their ilk?)

 

SDLC on the shoulders of giants

Software security veterans have all certainly thought about the idea of ‘securing the SDLC’… I can tell because every consulting firm’s collateral that I’ve seen in the past year has a new bullet under their ‘services’ section referring to something like ‘Secure development process integration’ or ‘Secure SDLC services’. That being said, let’s talk about […]

Continue Reading...

Posted in OWASP, Software Development Life Cycle (SDLC), Software Security Testing | Comments Off on SDLC on the shoulders of giants