Application Security

3/28/2014
09:00 AM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail

Flying Naked: Why Most Web Apps Leave You Defenseless

Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
2 of 2

2 of 2
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
AnhT053
50%
50%
AnhT053,
User Rank: Apprentice
9/5/2014 | 11:18:07 PM
http://www.playkix.net/
I enjoyed your article .. thank you for allowing her to share comments
lazydogtown
100%
0%
lazydogtown,
User Rank: Apprentice
4/6/2014 | 2:18:03 PM
> To state the obvious ... a decent waf would have blocked the morse-attack
> To state the obvious, there is no product on the planet that stops attacks in Morse code.

nope; a decent WAF like  naxsi would have blocked at least the morsecode-request with its core-ruleset

/know-it-all-mode off :D

 

yes, i know, a WAF is less than a plaster for insecure webapps and cannot protect from stupidity.

--ld
bamchenry
100%
0%
bamchenry,
User Rank: Apprentice
4/2/2014 | 11:48:22 AM
Re: Large-Scale AppSec Programs
I have seen the "continuous" approach to AppSec be addressed by the DevOps model for IT, by creating a format for security teams to have input into the software development lifecycle (SDLC). At a scale of hundreds, much less thousands, of web applications, the challenge is balancing security with manageability, usability, and development velocity. Tailoring your application security practice at an app-by-app level is only tenable if there are few apps, so there are going to be some compromises in the name of manageability, usability, and dev velocity.
planetlevel
100%
0%
planetlevel,
User Rank: Author
4/1/2014 | 4:10:18 PM
Re: Large-Scale AppSec Programs
All, you might find the talk I did at OWASP AppSecUSA this year interesting. It's called "AppSec at DevOps Speed and Portfolio Scale."  There are a lot more ideas about how to create a scalable, realtime, and most importantly CONTINUOUS appsec capability.  --Jeff
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/1/2014 | 4:05:14 PM
Re: Large-Scale AppSec Programs
@wire and @planetlevel - The Dark Reading community would also be interested in hearing about your appsec scaling experience, so please share your experience on the message boards if you can!
planetlevel
100%
0%
planetlevel,
User Rank: Author
4/1/2014 | 3:38:06 PM
Re: Large-Scale AppSec Programs
@wire - I'd love to find out more about how you scaled up your appsec program continuously.  I think there are many organizations that could benefit from your experiences.  Would you be willing to discuss with me for a few minutes? If so, please reach out at [email protected] and we can set something up.  I'm gathering data for a future blog.  Thanks --Jeff
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 3:32:37 PM
Re: Continuous application security approach
Not really on the back burner but the decision has been made to push back "go live" date until app is fixed and retested. This makes all involved with deployment pay attention to details. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/31/2014 | 3:25:10 PM
Re: Continuous application security approach
thanks. I can see how important app security must be in the financial sector! How often in the last couple of years have you actually put a web app on the back burner until insecure coding is fixed. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 3:18:22 PM
Re: Continuous application security approach
We have been doing this for the last 10 years at least, one challenge is to make sure developers use secure coding techniques it helps the security testers to develop a best practices approach to their whole web app program. This approach must have buy in from management because when vulnerabilities are found the decision must be made to not go live until remediation is complete. The business reputation depends on it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/31/2014 | 3:09:48 PM
Re: Continuous application security approach
Thanks, Randy. How long have you been folloowing these practices? What has been your biggest challenges and successes?
Page 1 / 2   >   >>
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6700
PUBLISHED: 2018-09-24
DLL Search Order Hijacking vulnerability in Microsoft Windows Client in McAfee True Key (TK) before 5.1.165 allows local users to execute arbitrary code via specially crafted malware.
CVE-2018-15615
PUBLISHED: 2018-09-24
A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x.
CVE-2018-6682
PUBLISHED: 2018-09-24
Cross Site Scripting Exposure in McAfee True Key (TK) 4.0.0.0 and earlier allows local users to expose confidential data via a crafted web site.
CVE-2018-17368
PUBLISHED: 2018-09-23
An issue was discovered in PublicCMS V4.0.180825. For an invalid login attempt, the response length is different depending on whether the username is valid, which makes it easier to conduct brute-force attacks.
CVE-2018-17369
PUBLISHED: 2018-09-23
An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter.