1. Node.js: Put a Helmet on...

    With Node.js being all the buzz these days, I figured it was time to take a break from our normally scheduled Burp series and do a small sidebar on Helmet for Node.js. I've been working heavily in Node applications recently and realized just how common some of these "easy-fix" vulnerabilities are becoming.

    Node is an interesting beast with a budding community that is anxious to get a good handle on security; luckily, tools like Helmet provide a set of controls that can really help with that. Helmet was mentioned in Mike's last post on JavaScript security tools, and if you're running a Node application, you can get some of the low-hanging fruit in the bag quickly and easily.

  2. Scala-Flavored Assortment of Play Injection Prevention Techniques, Part I: SQL

    Although many database access libraries are touted as injection-proof or secure by default, there are often plenty of exceptions in the fine print. Using the libraries in the "intended" way (letting the library bind your values as parameters instead of building the statement text yourself) may magically remove the risk of injection attacks (unless there are flaws in the libraries themselves), but if you deviate from that way, you're on your own. Often, developers revert back to plain old SQL simply because they can't get their ORM to play nicely. Or, their generated code ends up being significantly slower and less efficient than churning out the SQL by hand. Or, they build apps with NoSQL databases and assume that NoSQL = No Problem.

    In this three-part series, we'll walk through the secure way to implement a few popular libraries for accessing databases and caches within Scala web applications. We'll focus on libraries commonly used in Play web applications targeting SQL databases, MongoDB, Redis, Apache Hive, and Apache Cassandra.

    If you've never heard of Injection or one of its most notorious variants (SQL Injection) before, start here first: https://www.owasp.org/index.php/SQL_Injection.
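    To make the "deviate from the intended way and you're on your own" point concrete, here is an added example; it is not code from the original post or from any of the Play libraries it covers. It runs the same lookup twice against an in-memory H2 database: once with the value interpolated into the SQL text, once with a JDBC bind parameter. Plain JDBC is used so the snippet needs nothing beyond the JDK and a driver; the H2 driver on the classpath, the `users` table and its rows are all assumptions constructed for the demo.

```scala
// Added example, not from the original post. Assumes the H2 driver is on the
// classpath (e.g. "com.h2database" % "h2" in build.sbt) -- an assumption.
import java.sql.{Connection, DriverManager, ResultSet}

object InjectionDemo {
  // Vulnerable: the user-controlled value is spliced into the statement text,
  // so the database parses attacker input as SQL.
  def findUserUnsafe(conn: Connection, name: String): List[String] = {
    val sql = s"SELECT username FROM users WHERE username = '$name'"
    val st = conn.createStatement()
    try collect(st.executeQuery(sql)) finally st.close()
  }

  // Hardened: a bind parameter. The statement text is fixed at prepare time;
  // the value travels separately and cannot change the statement's structure.
  def findUserSafe(conn: Connection, name: String): List[String] = {
    val ps = conn.prepareStatement("SELECT username FROM users WHERE username = ?")
    try {
      ps.setString(1, name)
      collect(ps.executeQuery())
    } finally ps.close()
  }

  // Drain a result set's first column into a list.
  private def collect(rs: ResultSet): List[String] = {
    val out = scala.collection.mutable.ListBuffer[String]()
    while (rs.next()) out += rs.getString(1)
    out.toList
  }

  def main(args: Array[String]): Unit = {
    val conn = DriverManager.getConnection("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1")
    try {
      // Constructed sample data for the demo.
      val st = conn.createStatement()
      st.execute("CREATE TABLE users (username VARCHAR(64))")
      st.execute("INSERT INTO users VALUES ('alice'), ('bob')")
      st.close()

      // Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
      val payload = "' OR '1'='1"
      // The interpolated query becomes
      //   SELECT username FROM users WHERE username = '' OR '1'='1'
      // and the tautology matches every row in the table.
      println("unsafe: " + findUserUnsafe(conn, payload))
      // The bound query compares the column to the literal string
      // "' OR '1'='1", which no username equals, so nothing comes back.
      println("safe:   " + findUserSafe(conn, payload))
    } finally conn.close()
  }
}
```

    Play's SQL libraries expose the same distinction through their own APIs: the parameter-binding form is the "intended" one, and the moment a value is concatenated or interpolated into the query string before it reaches the library, you are back in the unsafe branch above, whatever the library's marketing says.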

  3. 5 Tips for Secure, Online Shopping

    With the holiday season in full swing, more folks are shopping online than any other time of the year. With the recent breaches of Target and Home Depot, many consumers are beginning to understand the need for exercising caution when shopping online.

    This blog post will highlight a few tips and tricks to help consumers stay secure when shopping online.

  4. Synergies in Application Security Vulnerabilities: Part I

    As a self-proclaimed tech-junkie and a professional penetration tester, I have often been asked, "What is the most critical vulnerability you have come across?" The difficulty in answering a question like this is that the severity of a vulnerability depends on the context of the attack: discovering a DOM-based Cross-Site Scripting vulnerability in an otherwise secure application may earn a hacker bragging rights amongst his or her peers, but on its own the finding might not get an attacker anywhere near sensitive data. Conversely, two simpler vulnerabilities used together could give someone full control over an entire application.

    Here are a few common vulnerabilities that work well together:

  5. SecCasts is Free. Why?

    A few weeks ago we decided to make SecCasts, a pay-for application security training site, free. Why?

  6. Developing Secure Applications with Golang

    One topic that should come up more often (but doesn't) when considering new languages and frameworks is how secure they can be out of the box. Developers often consider things like performance, ease of use, and compatibility before starting a software project with a new framework. However, out-of-the-box security is an important feature to consider as well. It's easy to overlook how some of the default settings can leave holes open, especially for new developers, so framework authors should focus on making these as secure as possible right from the beginning.