Mobile App Security Testing — Remote Authentication Exploit with iGoat

The video below demonstrates how to test a mobile application for remote authentication vulnerabilities. For this demonstration, I used a mobile application called iGoat. iGoat is designed for the iOS platform and functions as a learning tool for iOS developers. iGoat is a safe environment in which iOS developers can gain knowledge about the major […]

Read more
Sonatype’s New Nexus Lifecycle Helps Teams Migrate Open Source Libraries
Sonatype Lifecycle

For a variety of reasons, a lot of companies are moving to an Agile, DevOps Culture, Continuous Integration and Delivery/Deployment (CI/CD) model. These transformations rely on a variety of tools, including open source. A lot of organizations also use open source tools and libraries to develop their applications and in order to ensure security, these […]

Read more
Hippocratic Oath of Software: Don’t Make It Worse!

Some of you may be familiar with the Hippocratic Oath common in the medical field, often paraphrased as “Do no harm.” In a light-hearted casual conversation with a colleague the other day, I realized that we need a similar oath in the field of software development: “Don’t make it worse.”

Read more
Building Development Environment

This is a two-part post where I will show you how to set up a development environment locally. We will start with Vagrant and VirtualBox and their initial setup. Then we will jump into multi-machine setup and provisioning using Puppet. You will also see how Database and WebApp VMs can work together. Vagrant and Virtual […]

Read more
Run Headless Selenium Tests From Jenkins

In a previous blog I went over how to set up headless tests on a CentOS machine; in this blog, I will be going over how to introduce this machine into a continuous integration environment via Jenkins. The first thing that we need to do is install the Xvfb plugin on the Jenkins instance, which […]

Read more
Introduction To Git-svn

Subversion, or SVN, is a version control system that has been around for over 15 years and was the industry standard before the arrival of Git. Although Git is far superior to SVN, a lot of places are still tied to SVN for any number of reasons. I was exposed to and worked with only […]

Read more
Maven POM Lint Plugin

I am a big fan of static analysis and formatting tools. I just like my code to be as clean as possible. At the very least, being clean makes the code easier to read and maintain. If I can find a tool that will make it easy for me to keep my code clean, I’ll […]

Read more
What Not To Do With Password Management

As one of our resident security guys, I thought I might write up a quick guide about what not to do with password management. As long as you build a website or web service, at some point you’re most likely going to have to store a password. Unfortunately for many developers out there (in organizations […]

Read more
Using Components with Known Vulnerabilities

One of the items on the 2013 OWASP Top Ten is “Using Components with Known Vulnerabilities.” It is new on this year’s list, debuting at number 9. OWASP lists it as being widespread and difficult to detect. The issue is that modern software is made up of dozens, if not hundreds, of third-party components. Even […]

Read more
Mailtrap.io for Email Testing

Testing applications and web sites that send email can be difficult. During testing you might generate many email notifications and you don’t want to flood a real mailbox. Or you might not want email from a development system being confused for production email. And especially when using production data during development, you might want to […]

Read more