Mitigating Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery, also known as CSRF or XSRF, is a class of attack that has been understood for years, and the defenses against it are well known. Yet we still find this vulnerability in hundreds of assessments and penetration tests every year.

In this post, we want to make developers aware of the vulnerability and its significance, show how an attacker can perform it against a sample application, and (most importantly) explain how you can protect an application from this style of attack by using controls built into the ASP.NET MVC framework.

Is Your Mobile Security Puzzle Missing a Piece?

NIST released its publication Vetting the Security of Mobile Applications (SP 800-163) in January as a high-level guide for organizations that need to vet the security of the mobile applications they build or acquire.

I've spent some time with the document, and it does an excellent job of outlining why an organization must vet the security of its mobile applications. However, the publication misses the mark in two very important areas: manual testing and server-side controls.

Open SAMM Rides Again!

OpenSAMM (Software Assurance Maturity Model) v1.0 was released just over six years ago. It was one of the first projects of its kind to take on the large challenge of measuring software assurance maturity, and since then it has been used by organizations and application security companies to evaluate their software assurance efforts. Fast forward to 2015, and SAMM is once again in the news.

PolarSSL Security Snowstorm - Tools Could Not Save Us

The spate of SSL and TLS issues over the last year has caused concern about the quality of the encrypted tunnel in Internet communications. The creatively named BEAST, CRIME and POODLE attacks (POODLE in particular, which targets SSLv3's CBC padding) have effectively killed the entire SSLv3 protocol. Bugs in individual encryption libraries have created additional means of exploitation, such as OpenSSL's Heartbleed (a memory-disclosure bug in the TLS heartbeat extension) and Apple's "goto fail" (a skipped signature check in the SSL/TLS handshake). In these cases the TLS protocol itself is sound, but the implementation of TLS reduced the overall level of protection.
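To make the "sound protocol, broken implementation" point concrete, here is an added, constructed illustration of the control-flow bug class behind Apple's "goto fail" (the same certificate-validation failure discussed further down in On Recent SSL Library Woes). It is not Apple's SecureTransport code and not from the original post: the handshake "steps" are stubs, and every function name is hypothetical. The vulnerable version has a duplicated, unbraced `goto fail;` that is always taken, so the remaining checks (including the signature verification) are skipped while `err` still holds the previous step's success value.

```c
/* Constructed example of the "goto fail" bug class. NOT Apple's code;
 * step_ok/step_fail/verify_signature are hypothetical stand-ins for
 * handshake hashing and signature-check steps. Each returns 0 on
 * success and non-zero on error. */
#include <stdio.h>

static int step_ok(void)   { return 0; }
static int step_fail(void) { return -1; }  /* a step that detects tampering */

/* The check that must never be skipped: 0 means "signature verifies". */
static int verify_signature(void) { return 0; }

/* Vulnerable: the second `goto fail;` is unconditional because `if`
 * without braces guards only one statement. Control jumps to `fail`
 * with err == 0, so the caller is told the handshake verified even
 * though untrusted_step() and verify_signature() never ran. */
int verify_vulnerable(int (*untrusted_step)(void))
{
    int err;

    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                      /* duplicated line: always taken */
    if ((err = untrusted_step()) != 0)  /* unreachable */
        goto fail;
    if ((err = verify_signature()) != 0)
        goto fail;

fail:
    return err;                         /* 0 == "verified" */
}

/* Fixed: braces make each guard explicit, so a stray duplicated line
 * can no longer change control flow silently. */
int verify_fixed(int (*untrusted_step)(void))
{
    int err;

    if ((err = step_ok()) != 0)           { goto fail; }
    if ((err = step_ok()) != 0)           { goto fail; }
    if ((err = untrusted_step()) != 0)    { goto fail; }
    if ((err = verify_signature()) != 0)  { goto fail; }

fail:
    return err;
}

int main(void)
{
    /* With a step that should fail, the vulnerable path still reports
     * success (0); the fixed path reports the error (-1). */
    printf("vulnerable: %d\n", verify_vulnerable(step_fail));
    printf("fixed:      %d\n", verify_fixed(step_fail));
    return 0;
}
```

The lesson for tooling is that nothing here is a memory-safety error or an undefined behaviour: a fuzzer that only feeds malformed handshakes will see a "successful" verification, not a crash. Compilers that warn on unreachable code (clang's `-Wunreachable-code`) and a test suite that asserts on the failure path, not just the success path, are the checks that catch this class of defect.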

Why your application security program may backfire

You have to consider the human factor when you're designing security interventions, because the best intentions can have completely opposite consequences.

In security we have a saying: “Why do cars have brakes? So they can stop? No, so they can go fast!” Practiced badly, security can bring successful software projects to a screeching halt. Creating “security gates” for software projects, compliance reviews, and reporting phantom “false alarm” risks can kill a healthy relationship between security and development teams. But security doesn’t have to be about hindering business. Done right, application security programs are designed to get people working together in a way that is compatible with software development. The goal is to find solutions that allow business to go fast and be secure.

3 Reasons Investing in Application Security eLearning Pays Dividends

Whether you're looking for application security training for a small department or a large development organization, eLearning delivers high-quality content at an affordable price point.

Earlier this year, IBM released The Value of Training, a report that details specific ways training positively impacts the bottom line: 71% of CEOs from 70 countries cited human capital as the leading source of sustained economic value. Making an investment in training yields increases in employee retention, employee performance, and business performance.

The Only Two Things Every Developer Needs to Know About Injection

There's no simple solution for preventing injection attacks, but there are effective strategies that can stop them in their tracks.

Security is pretty easy, right? If there's a threat, we put in a defense. Sometimes we can centralize these defenses. For example, you might use an authentication gateway to restrict access to your web applications and web services. Unfortunately, the defenses for "injection" attacks don't centralize so well, which has made injection one of the most popular attack vectors.

Six Reasons to Attend AppSec USA's Mobile Security Training

Mobile Security As A Remote Employee

Like other remote employees with a home office in a small community, my cell phone is my lifeline to the outside world. Unless I'm onsite working for a client, I'm hunkered in my home office working on research and outstanding requests. My cell phone is the link to the outside world. And if I'm catching a meeting on the fly, I need to know that I am secure.

The mobile world requires a different approach from that of web applications when it comes to developing and testing security controls. While many of the tools of the trade are the same, you have to accommodate an entirely new architecture and approach. Given the various aspects of mobile access management, mobile device management, mobile forensics and the Internet of Things, all of these parts need to play together and everything must be secure. That's why I started the mobile practice division at Aspect Security five years ago, and why I teach it as often as occasion permits.

HTTP Strict Transport Security (HSTS): Is Strict Transport Too Strict For The Web?

HTTP Strict Transport Security, also called HSTS or simply STS, is a (relatively) new HTTP extension defined in RFC 6797. In short, HSTS is aimed at preventing a certain class of attacks, so before we dive into what HSTS does and how it is enforced, let's look at what it is meant to stop.

On Recent SSL Library Woes

The discussion of the last two weeks has been swirling around the revelation that Apple's SSL library includes broken certificate validation. However, yesterday we learned that GnuTLS has a similar issue affecting certificate verification. Before we get into "solutions," let's take a quick look at the vulnerabilities themselves.

Apple’s issue, as covered by the aforementioned Imperial Violet article boils down to three lines of code: