Comments
Flying Naked: Why Most Web Apps Leave You Defenseless
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
AnhT053
50%
50%
AnhT053,
User Rank: Apprentice
9/5/2014 | 11:18:07 PM
http://www.playkix.net/
I enjoyed your article .. thank you for allowing her to share comments
lazydogtown
100%
0%
lazydogtown,
User Rank: Apprentice
4/6/2014 | 2:18:03 PM
> To state the obvious ... a decent waf would have blocked the morse-attack
> To state the obvious, there is no product on the planet that stops attacks in Morse code.

nope; a decent WAF like  naxsi would have blocked at least the morsecode-request with its core-ruleset

/know-it-all-mode off :D

 

yes, i know, a WAF is less than a plaster for insecure webapps and cannot protect from stupidity.

--ld
bamchenry
100%
0%
bamchenry,
User Rank: Apprentice
4/2/2014 | 11:48:22 AM
Re: Large-Scale AppSec Programs
I have seen the "continuous" approach to AppSec be addressed by the DevOps model for IT, by creating a format for security teams to have input into the software development lifecycle (SDLC). At a scale of hundreds, much less thousands, of web applications, the challenge is balancing security with manageability, usability, and development velocity. Tailoring your application security practice at an app-by-app level is only tenable if there are few apps, so there are going to be some compromises in the name of manageability, usability, and dev velocity.
planetlevel
100%
0%
planetlevel,
User Rank: Author
4/1/2014 | 4:10:18 PM
Re: Large-Scale AppSec Programs
All, you might find the talk I did at OWASP AppSecUSA this year interesting. It's called "AppSec at DevOps Speed and Portfolio Scale."  There are a lot more ideas about how to create a scalable, realtime, and most importantly CONTINUOUS appsec capability.  --Jeff
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/1/2014 | 4:05:14 PM
Re: Large-Scale AppSec Programs
@wire and @planetlevel - The Dark Reading community would also be interested in hearing about your appsec scaling experience, so please share your experience on the message boards if you can!
planetlevel
100%
0%
planetlevel,
User Rank: Author
4/1/2014 | 3:38:06 PM
Re: Large-Scale AppSec Programs
@wire - I'd love to find out more about how you scaled up your appsec program continuously.  I think there are many organizations that could benefit from your experiences.  Would you be willing to discuss with me for a few minutes? If so, please reach out at [email protected] and we can set something up.  I'm gathering data for a future blog.  Thanks --Jeff
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 3:32:37 PM
Re: Continuous application security approach
Not really on the back burner but the decision has been made to push back "go live" date until app is fixed and retested. This makes all involved with deployment pay attention to details. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/31/2014 | 3:25:10 PM
Re: Continuous application security approach
thanks. I can see how important app security must be in the financial sector! How often in the last couple of years have you actually put a web app on the back burner until insecure coding is fixed. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
3/31/2014 | 3:18:22 PM
Re: Continuous application security approach
We have been doing this for the last 10 years at least, one challenge is to make sure developers use secure coding techniques it helps the security testers to develop a best practices approach to their whole web app program. This approach must have buy in from management because when vulnerabilities are found the decision must be made to not go live until remediation is complete. The business reputation depends on it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/31/2014 | 3:09:48 PM
Re: Continuous application security approach
Thanks, Randy. How long have you been folloowing these practices? What has been your biggest challenges and successes?
Page 1 / 2   >   >>


12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVE-2018-17980
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
CVE-2018-18259
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
CVE-2018-18260
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
CVE-2018-17532
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.