A brief on Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) attacks, capable of duping a user into performing an unintended action, are a ubiquitous menace in the domain of web security. These attacks cunningly exploit the inherent trust of a site in a user's browser, compelling it to carry out
Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're your firstborn child, and always, always validate those JWTs like your life depends on it. And for goodness' sake, keep your sensitive information under lock and key! Benefits Imagine you are a
Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that many so-called JWT experts (and everyone else) assume are "a thing" that really are just hand-waving nonsense. Starting with; verify is not validation YUK WORD verify Verify vs Validation A
Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021 and followed up with a podcast interview released today. One thing David is excellent at describing developer benefits, and developer-centric Patterns and Anti-Patterns when using JWT. If you are an
Recently someone asked me to help them with an SCA tool (you know the name, I snicker a bit when I hear their name) They had a bunch of findings in the SaaS dashboard that were confusing them, it was presented really nicely showing exploit samples, what good configuration looks
First, what makes a good, or great, AppSec tool? The best tools A best tool for AppSec is implemented; * in the IDE directly * as a git pre-commit hook * native to the programming language package manager * be configurable with custom rules for your business Apart from these there are some good
I get asked all too often:
What do
Security is a process, not a destination. Which applies to Application Security also. Let's quickly address common AppSec mistakes; * AppSec is not scanning in the CI/CD pipelines * AppSec is not security gates in the CI/CD pipelines * AppSec is not patching your dependencies * AppSec is not Vulnerability Management <– this
We typically have 3 types of Cross-Site Scripting (XSS) attacks, this is outdated knowledge still circculating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS The originals Stored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into
AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?
The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec
