Stof - AppSec Stof

5 Myths of Software Composition Analysis (SCA)

Recently someone asked me to help them with an SCA tool (you know the name, I snicker a bit when I hear their name) They had a bunch of findings in the SaaS dashboard that were confusing them, it was presented really nicely showing exploit samples, what good configuration looks

BSIMM vs OWASP SAMM | Which is better?

I often get asked about how to plan a roadmap for an AppSec or DevSecOps program, and this is where the concept of a maturity model came from and the main reason they exist. What is BSIMM and OWASP SAMM?BSIMM - Building Security In Maturity Model OWASP SAMM (formerly

AppSec

Guide to Application Security tools

First, what makes a good, or great, AppSec tool? The best toolsA best tool for AppSec is implemented; in the IDE directlyas a git pre-commit hooknative to the programming language package managerbe configurable with custom rules for your businessApart from these there are some good tools too that have a

AppSec

How to start an AppSec Program

I get asked all too often: What do <insert big co.> do for AppSec?Many organizations with mature AppSec programs recommend implementing a security champions program for security training. A consistent AppSec program commonality is DevSecOps all-the-things, resulting in a lot (if not all) of AppSec engineer time

AppSec

No Bullsh*t guide to Application Security

Security is a process, not a destination. Which applies to Application Security also. Let's quickly address common AppSec mistakes; AppSec is not scanning in the CI/CD pipelinesAppSec is not security gates in the CI/CD pipelinesAppSec is not patching your dependenciesAppSec is not Vulnerability Management <– this cannot be

Security

#OnFireHawk | Firefox Accounts

HawkAuth protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API authentication methods which indicates HawkAuth is vastly more popular than you might first expect. HawkAuth protocol history The origins of HawkAuth appears to be with Eren Hammer then shortly sponsored

MS Office macros from the internet probably won't be blocked by default

The media coverage about Microsoft blocking by default macros from running in Office files from the Internet is wildly overstating the reality of this super small and almost insignificant change. Some simple facts Doesn’t affect Office 'on the web' at allThis only effects VBA macrosThis is not the same

Realistic 3 principles of AppSec and DevSecOps

Before we begin DevSecOps is analogous to AppSec for this discussion as both share the same principles even if we consider them to have certain distinctions in responcibilities or niche focus. In practice they serve the same audience, and should operate with the same 3 principles. The 3 principles1. Developer

AppSec

What are types of Cross-Site Scripting (XSS) attacks?

We typically have 3 types of Cross-Site Scripting (XSS) attacks, this is outdated knowledge still circculating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS The originalsStored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into some

AppSec

Vulnerability or Defect?

AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?

AppSec

The 5 Myths of Application Security

The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec

WebStorage vs Cookies - Secure Session Management in 2021

Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.

Python

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser, safe? How could they be?Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared with the client.. If you participate in bug

Security

Zero-trust doesn't exist but that's OK

Where zero-trust might existScenarios that have no dataScenarios with data that are never connected to powerWhy? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity?Digital identity is the only identity. Digital identities can

Security

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group for CCM version 4 when I came across the OWASP CSA Project and went on a little adventure to learn more about OWASP. Many readers probably think they're aware of OWASP, as I once thought I

Bash

Python pip requirements.txt lock file

OverviewOpinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application. However,

Security

Private AWS S3 - How hard could that be?

Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.

Security

You're probably a Blue Team, not a Red Team

For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_

Security

Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is so effective they are going to block all TLS

Security

TLS secures my data, right?

You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of ‌‌Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) Data within the session

Security

PCI DSS - Are AWS KMS and CloudHSM suitable?

A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership

Security

Australia - Where Compliance and Regulation Obligations are Unlawful

The Australian Government's controversial encryption bill passed the Senate last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about the development of a new online service

Security

Exploiting Orphaned Webserver Files

Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now

Security

Preparing for Independent Penetration Testing

White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for

Security

Information Security strategy tips for startups

Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be over-whelming for a smaller organisation. Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.