Collaborate Disseminate
Recently, I moderated round table discussions between dozens of CISOs at Evanta CISO Summits in Chicago and Atlanta. My colleague, Michelle Dufty, moderated a similar event in San Francisco.
The post Three DevSecOps Lessons Drawn from Conversation… Continue reading Three DevSecOps Lessons Drawn from Conversations with 45 CISOs
I’m looking for the best way to secure unauthorized redirects from GET parameter where
url=http://example.com
I’m thinking about creating an unique identifier like using a hashing function (md5 for example) and check whether hash(url) … Continue reading What is the ideal technique to protect unauthorized redirects
The idea would be to wrap a server-side IMAP client in a wrapper that transforms IMAP authentication into a web API for authentication (maybe OAuth?). When the back-end application receives credentials, it then passes them onto IMAP withou… Continue reading Anything wrong with using IMAP as authentication for a web app to achieve a kind of easy SSO?
Let’s say there is an XSS vulnerability in an application, and the application is not using any kind of CSRF token, just using the referer header to protect against CSRF. Referer header is validating properly. So in this case can we bypass… Continue reading If an application has an XSS vulnerabilty, can we bypass CSRF with referer header?
This report summarizes Contrast Labs’ analysis of real world application attack and vulnerability data from December 2019. By providing continuous insight and detection from inside applications, Contrast can identify and trend the way that attacke… Continue reading DECEMBER 2019 AppSec Intelligence Report
Is there any website or newsletter where I can track all the security issues related to C/C++?
Continue reading Tracking C/C++ Security issues on daily basis [closed]
I received a report from the security team today. The report contains the below mentioned vulnerabilities and descriptions:
1) Poor Error Handling: Overly Broad Throws
The methods in program1.java throws a generic exception making… Continue reading Poor error handling source code review
At my company, we have a new development team that has been completely rewriting all of the code for different parts of the system.
I’ve noticed that with one of the recent changes, you can now see the JSON data for all of t… Continue reading Code Change That Resulted in Database Fields and Values Exposed
I have been looking at OWASP and other forms of checklists on testing web applications. One of the best practices is to ensure session IDs generated are sufficiently random and unpredictable.
Assuming that I am a corporate end user withou… Continue reading Testing web applications from an end user’s perspective
Do I understand correctly that Application Layer Gateways act as proxies which are able to fully read an encrypted connection of a client behind such an ALG, with the scope of removing e.g. malware by looking into the applica… Continue reading Are Application Layer Gateways simply proxies removing malware? [closed]