Understanding Session Management – One of OWASP Top 10 (Part 2)
Application Security Review Process – A Case Study
Welcome to the second half of my two-part blog on Understanding Session Management. In part 1, we covered what was session management and started digging into some possible attack types associated with this vulnerability. Here we will continue to look into other associated attack types. 4. Cross-Site Request Forgery (CSRF) – Severity: High “Cross-Site Request […]
Dependency Checking Your Ruby Application
What is application security, or AppSec? Let’s talk about web application security first. OWASP was created in 2001 and has been known as the best community for web application security. Volumes of online resources for web application security defects, security testing, and security projects have been produced by OWASP. Yet web application security is only […]
Database Security – A Pentester’s Notes
What is WAF?
One of the most prevalent issues that continue to vex application developers is weaknesses in database security that open us to exploit. Database security is a broad subject, and I will not cover all the security issues here but want to provide context and understanding around some of the more comment vulnerabilities. In this blog, […]
What is SCA?
Before diving into WAF security, it’s important to note the difference between web servers and application servers. A web server is internet facing on the front end, while an application server is where the code resides and is not internet facing. Between the web server and app server, all the HTTPs encrypted data is decrypted […]
What is RASP?
SCA stands for Software Composition Analysis. It’s a technique where you try to analyze the dependencies that your application includes to make sure that they don’t have any known vulnerabilities. In fact, up to 80% of the components that we include in our applications have some known vulnerability in them which can expose our applications […]
What is IAST?
RASP stands for Runtime Application Self Protection. Like IAST it’s agent based, so it watches your software run and tries to determine if something is attacking it. The goal of IAST is to try to determine if something’s attacking it by a certain behavior. RASP adds a layer to that by recognizing something’s attacking it […]
What is DAST?
IAST stands for Interactive Application Security Testing. The basic idea is that you have software that watches your application running, usually in a Java or .NET world that uses what’s called the profiling API, and it watches everything that happens in your application and tries to determine if that activity is somehow attacking the software. […]
What is SAST?
DAST stands for Dynamic Application Security Testing, and it’s a blackbox suite of tools that really look at web applications on the front end. DAST looks at a running application looking for potential security vulnerabilities, architectural weaknesses, SQL injection, and cross-site scripting, among other security risks in the OWASP Top Ten. How is SAST different […]
SAST stands for Static Application Security Testing. SAST look through application source code for security defects, different issues written into the source code, and how the application is actually programmed to identify vulnerabilities that then have the potential being exploited. How is SAST different from DAST? SAST typically takes less time than running DAST, and […]