Only when security is treated with the same importance as quality can your software’s integrity drive a proactive strategy rather than a reactive response.
In addition to ensuring software quality, development teams are under increasing pressure to address software security concerns. The high-profile data breaches that continuously arise are raising awareness of security issues. Because of this, customers, stakeholders, and boards of directors are asking questions of development teams that they never have before. Questions like:
Post: "Get the latest resource helping development teams overcome widespread challenges" (posted in Fuzz Testing, Interactive Application Security Testing (IAST), Security Training, Static Analysis (SAST), Web Application Security)
Last week’s news introduced us to another pair of vulnerabilities hitting right at the foundation of everything we place our trust in. Named KRACK and ROCA, these flaws target specific facets of Wi-Fi networks and cryptographic keys, meaning that attackers can potentially sneak into networks we consider private, and decipher things we consider secret.
If you’re in enterprise IT, you’re likely familiar with the cycle of waiting for a patch, then planning and coordinating the rollout of the patch across your estate. What’s interesting in this case is that a lot of the space to be covered includes non-PC devices, so you have to figure out how those will get patched too. (Your plan covers that, right?)
Post: "Learning from KRACK and ROCA: Here’s how to equip your firm" (posted in Data Breach, Security Training, Software Architecture and Design)
October is Cyber Security Awareness Month.
Post: "4 simple steps to encourage online safety at your company" (posted in Security Training, Web Application Security)
Let’s say you tested 46 web applications, 19 mobile apps, and 20 client-server apps this year alone. You also purchased a new application security testing tool in the process. You found 112 vulnerabilities and all-in-all you’re feeling pretty good.
Post: "How can you tell if your software security strategy is working?" (posted in General, Security Standards and Compliance, Security Training)
There is a sad reality in the software world: developer education and training not only neglect software security, but often teach developers the wrong way to achieve it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new approaches. A study published earlier this year shows that insecure code samples in tutorials, which are vulnerable to flaws like SQL injection and cross-site scripting (XSS), find their way into real-world production code.
Flawed tutorials leading to large-scale vulnerabilities
In April 2017, Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, and Fabian Yamaguchi published “Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery.” They used known insecure code samples from popular tutorials on the web to find similar weaknesses in actual software projects on GitHub.
Post: "Insecure example code leads to insecure production code" (posted in Security Standards and Compliance, Security Training, Web Application Security)
Software developers and information security professionals have almost always been two mutually exclusive groups. However, with the increase in security awareness, developers have started integrating security into the development process. To further bridge the gap between development and security, it is essential for developers to have a good understanding of security principles. In this post, we’ll talk about the basic security concepts that every developer should be aware of while building applications.
Topic #1: Input validation
An application obtains data from various trusted and untrusted sources during its workflow. It is important to perform input validation of data obtained from all sources to ensure that only properly formed data gains entry into the application workflow. If not properly validated, malformed input can lead to attacks such as SQL injection and cross-site scripting (XSS). Always conduct input validation on the server—even if client-side validation is also present.
Syntactic and semantic validation
It’s important to validate data both syntactically and semantically. Syntactic validation ensures that the input has the correct form: structure, data type, and length. Semantic validation, on the other hand, ensures that the data is correct according to the business logic (e.g., rejecting a negative price).
Blacklisting and whitelisting
The two primary approaches to input validation are blacklisting and whitelisting. Blacklisting involves detecting dangerous characters and patterns in the input (e.g., an apostrophe character or the <script> tag) and filtering them out. Since a blacklist cannot account for every attack vector, these checks and controls are relatively easy to bypass. The blacklist also needs to be updated every time a new attack vector is discovered, which isn’t very manageable. As such, blacklists should not be relied on for validating data.
Post: "Security topics every software developer should know" (posted in Security Training, Software Architecture and Design)
Post: "How secure is AngularJS?" (posted in Security Training, Software Architecture and Design, Web Application Security)
We’re excited to announce a new addition to our eLearning library: Attack & Defense.
What’s this course all about?
Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their “street cred.” There is no shortage of publicly known attack tools and techniques, and software developers are outnumbered at the front line of defense.
Post: "Hands-on strategies to counter common web application attacks" (posted in Security Training, Web Application Security)
Originally posted on SecurityWeek.
Post: "Moving beyond ‘moving left’: The case for developer enablement" (posted in General, Security Training, Static Analysis (SAST))
Post: "Learn defensive programming for HTML5 in a day" (posted in Security Standards and Compliance, Security Training)