Aspect Security's AppSec Blog

Accidental Offensive Security: Analysis of Buffer Overrun in a Security Tool

During a project working with Hydra, a Network Login Auditor, we discovered and corrected a buffer overrun issue with possible security implications that might include the auditor being attacked by the auditee.

TL;DR: An attacker using Hydra or Medusa can get pwn'd by the victim website responding with a remote code execution exploit via the buffer overrun.

What's in your Top Ten? Intelligent Application Security Prioritization

For those who weren't able to attend GrrCon 2016, here's Aspect's Tony Miller, Principal Application Security Engineer, speaking about intelligent AppSec prioritization at the conference. 

Deserialization Attacks via Apache Commons Collections

On November 6, Stephen Breen of Foxglove Security (@breenmachine) published a blog post outlining vulnerabilities in components of several Java Web Application Servers (WebSphere, JBoss, and WebLogic) as well as a popular development automation framework (Jenkins). 

All of these vulnerabilities follow a similar pattern. And as worrying as that is, it's only the tip of the iceberg (as Foxglove’s post articulates).

So what can you do? This blog post will provide background and information on how to defend against vulnerabilities in Java serialization introduced by Apache Commons Collections affecting common Web App Servers such as WebSphere, JBoss, and WebLogic, as well as common applications like Jenkins.

Ah Mom, Why Do I Need To Eat My Vegetables?

For those who weren't able to attend AppSec USA, OWASP has kindly been posting session recordings on their YouTube channel. Here's Aspect's CEO, John Pavone, speaking at AppSec USA 2015!

Women in AppSec Program 2015 

I am very excited about the Women in AppSec (WIA) program at the AppSec USA 2015 conference. This year, WIA is hosting a panel of speakers who will be talking about how to encourage gender diversity in information security. Additionally, WIA is sponsoring a series of Birds of a Feather sessions during the day on Thursday where anyone (you too!) can suggest meet-up topics in real-time at the conference.

As part of our panel, WIA was able to raise enough funds to bring two speakers based in India to the conference, Apoorva Giri and Shruthi Kamath, to discuss their organization, InfoSec Girls.

Mitigating Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery, also known as CSRF and XSRF, is a type of attack that has been around for years and we know how to prevent it.  Yet we still find this vulnerability in hundreds of assessments and penetration tests every year.

In this post, we want to make developers aware of the vulnerability and its significance, show how a hacker can perform an attack against a sample application, and (most importantly) explain how you can protect an application from this style of attack by using controls built-in to the ASP.NET MVC framework.

Is Your Mobile Security Puzzle Missing a Piece?

NIST released their publication Vetting the Security of Mobile Applications (SP 800-163) in January as a high-level guide for organizations creating secure mobile applications.

I’ve spent some time with the document and it does an excellent job outlining why mobile application security must be vetted at an organization. However, the publication misses the mark in two very important areas: manual testing and server-side controls.

Open SAMM Rides Again!

OpenSAMM (Software Assurance Maturity Model) v1.0 was released just over 6 years ago. It was one of the first projects of its kind to take on the large challenge of measuring software assurance maturity. Since then it has been used by organizations and application security companies to evaluate their software assurance efforts.  Fast forward to 2015, SAMM is once again in the news.

PolarSSL Security Snowstorm - Tools Could Not Save Us

The spate of SSL and TLS issues over the last year has caused concern about the quality of the encrypted tunnel in Internet communications. The various creatively named BEAST, CRIME, and POODLE attacks against SSLv3 have effectively killed the entire SSLv3 protocol. Bugs in different encryption libraries have created additional means of exploit, such as OpenSSL's Heartbleed affecting TLS and Apple's GotoFail SSL and (partial) TLS attack. In these cases, the TLS protocol itself is safe, but the implementation of TLS reduced the overall level of protection.

Why your application security program may backfire

You have to consider the human factor when you're designing security interventions, because the best intentions can have completely opposite consequences.

In security we have a saying: “Why do cars have brakes? So they can stop? No, so they can go fast!” Practiced badly, security can bring successful software projects to a screeching halt. Creating “security gates” for software projects, compliance reviews, and reporting phantom “false alarm” risks can kill a healthy relationship between security and development teams. But security doesn’t have to be about hindering business. Done right, application security programs are designed to get people working together in a way that is compatible with software development. The goal is to find solutions that allow business to go fast and be secure.