As we discussed in Part 1 of this post, Dynamic Application Security Testing (DAST) is often the first step that many organizations take when embracing application security.
Yet we learned that most DAST tools do not provide reliable results without being tuned for the specific application being tested. What does that mean for most organizations?
Dynamic Application Security Testing (DAST) is often the first step that many organizations take when embracing application security.
Dynamic analysis (often referred to as black-box testing) is categorized by testing a running web application (as opposed to static, non-running source code). A DAST tool is usually a scanner that is designed to send malformed and malicious HTTP requests to your application, then interpret the responses and detect potential vulnerabilities.
However, despite how they may be sold, most DAST tools will not provide reliable results without being tuned for the specific application being tested.
A few weeks ago my friend (1) and I attended a hackathon sponsored by a local ISSA chapter (2). The hackathon was a hands-on event where participants learned about common web application vulnerabilities in a fun, gamified environment. The technical platform for this hackathon was provided by Security Innovation (3).
At the end of the event, the two of us finished first and second, with nearly half of the available points each. Security Innovation, however, graciously kept the game open for a few more days to give the participants an opportunity to continue to play and learn.
We used this opportunity to find and exploit more vulnerabilities in the application, and ultimately discover the one that allowed us to completely own the application server.
During a project working with Hydra, a Network Login Auditor, we discovered and corrected a buffer overrun issue with possible security implications that might include the auditor being attacked by the auditee.
TL;DR Attacker using Hydra or Medusa can get pwn'd by the victim website responding with remote code execution via buffer overrun exploit.
For those who weren't able to attend GrrCon 2016, here's Aspect's Tony Miller, Principal Application Security Engineer, speaking about intelligent AppSec prioritization at the conference.
On November 6, Stephen Breen of Foxglove Security (@breenmachine) published a blog post outlining vulnerabilities in components of several Java Web Application Servers (WebSphere, JBoss, and WebLogic) as well as a popular development automation framework (Jenkins).
All of these vulnerabilities follow a similar pattern. And as worrying as that is, it's only the tip of the iceberg (as Foxglove’s post articulates).
So what can you do? This blog post will provide background and information on how to defend against vulnerabilities in Java serialization introduced by Apache Commons Collections affecting common Web App Servers such as WebSphere, JBoss, and Web Logic, as well as common applications like Jenkins.
For those who weren't able to attend AppSec USA, OWASP has kindly been posting session recording on their YouTube channel. Here's Aspect's CEO, John Pavone, speaking at AppSec USA 2015!
I am very excited about the Women in AppSec (WIA) program at the AppSec USA 2015 conference. This year, WIA is hosting a panel of speakers who will be talking about how to encourage gender diversity in information security. Additionally, WIA is sponsoring a series of Birds of a Feather sessions during the day on Thursday where anyone (you too!) can suggest meet-up topics in real-time at the conference.
As part of our panel, WIA was able to raise enough funds to bring two speakers based in India to the conference, Apoorva Giri and Shruthi Kamath, to discuss their organization, InfoSec Girls.
Cross-Site Request Forgery, also known as CSRF and XSRF, is a type of attack that has been around for years and we know how to prevent it. Yet we still find this vulnerability in hundreds of assessments and penetration tests every year.
In this post, we want to make developers aware of the vulnerability and its significance, show how a hacker can perform an attack against a sample application, and (most importantly) explain how you can protect an application from this style of attack by using controls built-in to the ASP.NET MVC framework.
NIST released thier publication Vetting the Security of Mobile Applications (SP 800-163) in January as a high-level guide for organizations creating secure mobile applications.
I’ve spent some time with the document and it does an excellent job outlining why mobile application security must be vetted at an organization. However, the publication’s misses the mark in two very important areas: manual testing and server side controls.