Vulnerability or Defect?
AppSec tooling does not find any vulnerabilities, it finds defects.
But when is a defect a vulnerability?
The 5 Myths of Application Security
The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec
WebStorage vs Cookies - Secure Session Management in 2021
Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.
JWT and HMAC in the browser, safe?
Is using JWT and HMAC in the browser safe?
How could they be?
Don't they require a pre-shared
Zero-trust doesn't exist but that's OK
Where zero-trust might exist
1. Scenarios that have no data
2. Scenarios with data that are never connected to power
You don't know OWASP
About a year ago I was just getting involved with the CSA Working Group
[https://cloudsecurityalliance.org/research/contribute/] for
Python pip requirements.txt lock file
Overview
Opinions vary on how one should make use of lock files, depending on whether the
project is the main
Private AWS S3 - How hard could that be?
Applying private routing to AWS management APIs is hard.
AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.
You're probably a Blue Team, not a Red Team
For those unfamiliar with Cybersecurity team colors, there are Blue Teams which
are the defenders, and there are Red Teams
Everything in AWS is an API, is it secure?
EDIT: 2020-08-01 SHA-1 Windows content to be retired
[https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373]
in 2 days.