Software Integrity Blog

Archive for the 'Web Application Security' Category


Apps security the top challenge for customer-facing mobile and web applications research shows

A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia.


Posted in Mobile Application Security, Web Application Security | Comments Off on Apps security the top challenge for customer-facing mobile and web applications research shows


What’s happening with the OWASP Top 10 2017?

One of my favorite books, “The Hitchhiker’s Guide to the Galaxy,” describes itself in the introduction like this:


Posted in Security Standards and Compliance, Web Application Security | Comments Off on What’s happening with the OWASP Top 10 2017?


4 simple steps to encourage online safety at your company

October is Cyber Security Awareness Month.


Posted in Security Training, Web Application Security | Comments Off on 4 simple steps to encourage online safety at your company


Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new approaches. A study published earlier this year shows that insecure code samples in tutorials that are vulnerable to things like SQL injection and cross-site scripting (XSS) manage to find their way into real-world production code.

Flawed tutorials leading to large-scale vulnerabilities

In April 2017, Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, and Fabian Yamaguchi published “Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery.” They used known insecure code samples from popular tutorials on the web to find similar weaknesses in actual software projects on GitHub.


Posted in Security Standards and Compliance, Security Training, Web Application Security | Comments Off on Insecure example code leads to insecure production code


7-year-old SAMBA flaw prompts new concerns (and patches)

With just one line of code, a malicious attacker can exploit a recently disclosed seven-year-old vulnerability in SAMBA. Known as CVE-2017-7494, the vulnerability affects Linux and Unix systems that:


Posted in Software Architecture and Design, Web Application Security | Comments Off on 7-year-old SAMBA flaw prompts new concerns (and patches)


Why should every eCommerce website have an SSL certificate?

In the world of data security, a critical element of working with users is earning their trust. Obtaining, implementing, and properly using an SSL certificate is one way to protect user data. Without a certificate, there is also no easy way to keep the communications between the user and an eCommerce website private from attackers.

What is encryption?

Encryption protects data and keeps secrets out of reach from eavesdroppers. It seems like the stuff of movies and television dramas. It’s often portrayed in the media as some impenetrable obstacle that can’t be overcome without keys. Or, as an easy challenge to solve with rapid typing and a few progress bars.


Posted in Software Architecture and Design, Web Application Security | Comments Off on Why should every eCommerce website have an SSL certificate?


BURP’s proxy tool and the case of the missing cipher suites

During a recent iOS application penetration test, I was attempting to proxy network traffic using the BURP proxy tool. In doing so, I configured my device to use BURP as a proxy, and voila, I was able to see the traffic (oh, the joys of certificate pinning).


Posted in Web Application Security | Comments Off on BURP’s proxy tool and the case of the missing cipher suites


Node.js: Preventing common vulnerabilities in the MEAN stack

Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, Express.js (Core), Express.js (Sessions and CSRF), and AngularJS.

Development mode (Node.js/Express.js)

By default, Express applications run in development mode unless the NODE_ENV environment variable is set to another value. In development mode, Express returns more verbose errors, which can result in information leakage. For example, the error message below returns the full path to the requested file. This also provides an attacker with information about the host system.


Posted in Open Source Security, Software Architecture and Design, Web Application Security | Comments Off on Node.js: Preventing common vulnerabilities in the MEAN stack


AngularJS: Preventing common vulnerabilities in the MEAN stack

Before jumping into the latest post within our discussion on vulnerabilities in the MEAN stack, look back at the first three posts discussing MongoDB, ExpressJS (Core), and ExpressJS (Sessions and CSRF).

AngularJS disabled SCE service

Angular 1.2 and greater include the built-in Strict Contextual Escaping service ($sce) by default. This service strips malicious HTML tags (e.g., <script>, etc.), attributes (e.g., onmouseover, onerror, etc.), and URI protocols (e.g., javascript) from data rendered as HTML with the ng-bind-html directive. This service can be disabled globally with the $sceProvider.enabled() method in the controller’s config block or per-instance with the $sce.trustAs methods. Disabling it leaves the application vulnerable to cross-site scripting (XSS) attacks when binding untrusted data as HTML.


Posted in Software Architecture and Design, Web Application Security | Comments Off on AngularJS: Preventing common vulnerabilities in the MEAN stack


Synopsys launches the Fault Injection Podcast

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. Hosts Chris Clark, Principal Security Engineer at Synopsys, and Robert Vamosi, CISSP and Security Strategist at Synopsys, provide a forum for industry experts to talk about software security topics and their intersection with specific verticals such as medical, automotive, and finance.


Posted in Web Application Security | Comments Off on Synopsys launches the Fault Injection Podcast