Blog

  1. Scala-Flavored Assortment of Play Injection Prevention Techniques, Part I: SQL

    Although many database access libraries are touted as injection-proof or secure by default, there are often plenty of exceptions in the fine print. Using the libraries in the "intended" way may magically remove the risk of injection attacks (unless there are flaws in the libraries themselves), but if you deviate from that way, you're on your own. Often, developers revert to plain old SQL simply because they can't get their ORM to play nicely. Or, their generated code ends up being significantly slower and less efficient than churning out the SQL by hand. Or, they build apps with NoSQL databases and assume that NoSQL = No Problem.

    In this three-part series, we'll walk through the secure way to implement a few popular libraries for accessing databases and caches within Scala web applications. We'll focus on libraries commonly used in Play web applications targeting SQL databases, MongoDB, Redis, Apache Hive, and Apache Cassandra.

    If you've never heard of Injection or one of its most notorious variants (SQL Injection) before, start here first: https://www.owasp.org/index.php/SQL_Injection.

  2. 5 Tips for Secure, Online Shopping

    With the holiday season in full swing, more folks are shopping online than any other time of the year. With the recent breaches of Target and Home Depot, many consumers are beginning to understand the need for exercising caution when shopping online.

    This blog post will highlight a few tips and tricks to help consumers stay secure when shopping online.

  3. Synergies in Application Security Vulnerabilities: Part I

    As a self-proclaimed tech-junkie and a professional penetration tester, I have often been asked, "What is the most critical vulnerability you have come across?" The difficulty in answering a question like this is that the severity of a vulnerability depends on the context of the attack. Discovering a DOM-based Cross-Site Scripting vulnerability in an otherwise secure application may earn a hacker bragging rights amongst his or her peers, but the finding might not be useful for exploiting sensitive data. Similarly, two simpler vulnerabilities used together could give someone full control over an entire application.

    Here are a few common vulnerabilities that work well together:

  4. SecCasts is Free. Why?

    A few weeks ago we decided to make SecCasts, a pay-for application security training site, free. Why?

  5. Developing Secure Applications with Golang

    One topic that should come up more often (but doesn't) when considering new languages and frameworks is how secure they can be out of the box. Developers often consider things like performance, ease of use, and compatibility before starting a software project with a new framework. However, out-of-the-box security is an important feature to consider as well. It's easy to overlook how some of the default settings can leave holes open, especially for new developers, so framework authors should focus on making these as secure as possible right from the beginning.

  6. The AppSec Newb’s Journey Part II: Lessons I’ve Learned

    In the AppSec Newb's Journey series, I want to provide a starting point for those who are interested in AppSec but may not know where to start. This is the second part of the blog series, so please read Part I if you haven't done so already.

    This past year has led me on an incredible voyage through the world of Application Security. I've had so many new experiences, gained so many skills and so much knowledge, and established a foundation for me to further build my career and passion. Naturally, this journey had many bumps, but that's necessary in any learning process. These are a few critical lessons that you should take to heart when starting out in this field. In no particular order…