Application Security

3/28/2014
09:00 AM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail

Flying Naked: Why Most Web Apps Leave You Defenseless

Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
2 of 2

2 of 2
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 3:05:39 PM
Re: Continuous application security approach
I work in the banking/finance industry and we test "all" web apps prior to being deployed, it is a necessity and any findings that are in the high or medium categories have to be fixed before going live. We test and code according to the OWASP secure coding practices which takes to time for developers to adhere to. This approach helps us.
WireHarborSec
50%
50%
WireHarborSec,
User Rank: Apprentice
3/31/2014 | 12:37:25 PM
Large-Scale AppSec Programs
In my previous role I managed the appsec team with a company who's portfolio spanned over 3K applications. The *only* way to scale appsec programs to this size is by using a continuous-type approach. Internal pen-testing teams cannot keep up. 

Add in agile development methodology and it gets even more chaotic. 
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
3/29/2014 | 11:20:43 PM
Re: Continuous application security approach
I know from being in the Healthcare Industry that application security is a large concern. My team has not been able to test app security continuously because for us there are regulations that make it increasingly difficult. This is why continuous network security is the main focal point, but as the article delineates, this does not have much effect on the app vulnerabilities.

For my previous statement regarding regulations making this difficult, take into account the following healthcare scenario that happens quite often. An FDA approved device can perform a medical task. This device needs to be used and functionality is the biggest proponent when creating these devices. This device has a software counterpart that not "speaks" to the device to extract data. The computer software can be locked down via LDAP/ other authentication methods etc but what about any software direclty on the device. Currently, many devices can be considered "smart" devices in which they have their own software directly on the device to handle and transmit data through many mediums. Many FDA devices cannot not handle multiple security safeguards and are initally barely locked down at launch making them increasingly harder to secure. Has anyone had a similar situation in their line of work and how have they handled this situation?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/28/2014 | 12:51:23 PM
Continuous application security approach
Curious to know how common -- or uncommon -- it is for organizations to take a "continuous security approach." What are some of the biggest challenges? Who within the Dark Reading community has considered or attempted such a strategy? 
<<   <   Page 2 / 2
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page &quot;/ui/cbpc/login&quot; is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie &quot;sid&quot; generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.