Latest

May 13

Vulnerability or Defect?

AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?
3 min read
Apr 03

The 5 Myths of Application Security

The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec
6 min read
Mar 21

WebStorage vs Cookies - Secure Session Management in 2021

Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.
8 min read
Jan 03

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser safe? How could they be? Don't they require a pre-shared
3 min read
Oct 04

Zero-trust doesn't exist but that's OK

Where zero-trust might exist: 1. Scenarios that have no data; 2. Scenarios with data that are never connected to power
7 min read
Aug 01

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group [https://cloudsecurityalliance.org/research/contribute/] for
5 min read
Jul 25

Python pip requirements.txt lock file

Overview: Opinions vary on how one should make use of lock files, depending on whether the project is the main
3 min read
Jun 17

Private AWS S3 - How hard could that be?

Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.
6 min read
Jun 13

You're probably a Blue Team, not a Red Team

For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams
5 min read
Jun 07

Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired [https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373] in 2 days.
20 min read