Last week I was able to talk about some of my DevOps experiences at the March 2015 DevOpsDC Meetup. I told the story about how we took a project that was just starting Agile and was deploying a risky release to production every 6 months or so, and over 4+ years brought it to deploying […]
I understand the plight of senior executives, I really do. Most don’t have a software background and that makes it difficult for them to fully understand application security. But when security breeches are caused by basic, simple code vulnerabilities that can be found using readily available tools, it makes me wonder how serious businesses even […]
Kali Linux (http://www.kali.org) is a collection of free penetration testing and security auditing tools, all packaged into a single Linux distribution.
As one of our resident security guys, I thought I might write up a quick guide about what not to do with password management. As long as you build a website or web service, at some point you’re most likely going to have to store a password. Unfortunately for many developers out there (in organizations […]
So I run a server at home hosting several sites, including a few personal sandboxes for development. I went to check one of sites, and noticed it was taking an incredibly long time to load. When I logged into the machine, I got the dreaded Usage of /: 99.9% of 27.50GB disk space error. Now, […]
I was working on a SharePoint DoD project, due to security requriements(STIG) it needed to display a disclaimer notice banner when a user initiates a session with the SharePoint Site. This solution tells how to customize and deploy the SharePoint Global.asax that triggers the new session start event to display the disclaimer notice banner. This solution was split into two SharePoint […]
As part of my ongoing collection of reviews and thoughts on today’s Security Testing Tools, I’m taking a look at the Zed Attack Proxy (ZAP) by OWASP. While, my last review of WebSecurify, looked at a very simplistic tool for Web Application Security Testing, this review will bring us a slightly more complex tool. So where […]
I recently published an article about using CAT.NET security scanner on your .NET web application. Once you get it running, it’s fairly simple to integrate it into your continuous integration process. Our strategy here will be to use a down-stream job in Hudson to run static security analysis on our application build after the main compilation/packaging […]
Fuzz testing or Fuzzing, a technique originated in 1988 by Professor Barton Miller at the University of Wisconsin, is a software testing technique where invalid, unexpected, and or random data is input into the system at various levels in an effort to uncover unexpected system behaviors and system failures including system crashes, failing code assertions, […]
One of the biggest trends in issues in web application testing today is Security Testing. Most people know their web application is important for their business; no one wants a big security breach. With hackers becoming more and more sophisticated, and vulnerabilities becoming easier and easier to exploit the odds are not in your favor. […]
