HackDig : Dig high-quality web security articles for hacker

The truth about bug finders: They're essentially useless

Today's popular bug finders catch only about two percent of the vulnerabilities lurking in software code, researchers have found, despite the millions of dollars companies spend on them each year.Bug finders are commonly used by software engineers to root out problems in code that could turn into vulnerabilities. They'll typically report back how
Publish At:2016-07-09 04:35 | Read:2168 | Comments:0 | Tags:Application Development Software Testing Security

MIT's new bug finder uncovers flaws in Web apps in 64 seconds

Finding bugs in Web applications is an ongoing challenge, but a new tool from MIT exploits some of the idiosyncrasies in the Ruby on Rails programming framework to quickly uncover new ones.In tests on 50 popular Web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to
Publish At:2016-04-16 11:35 | Read:1842 | Comments:0 | Tags:Application Development Testing Web Development Security

AppSensor Guide v2.0.2

I have published an updated version of the OWASP AppSensor Guide, the guide to application-specific real time attack detection and response.The v2.0.2 AppSensor Guide is available free of charge digitally in DOC and PDF formats, and in print at cost from Lulu.This is a minor update that includes:Reference the extensive work on the reference code implementati
Publish At:2015-07-28 16:35 | Read:2450 | Comments:0 | Tags:testing development design threats technical specification m

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers.Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections:Time-of-Check-Time-of-Use (TOCTOU) and race condition issuesParameter manipulationReplay attacks (capture-replay)Rounding issuesNumerical processingCard number-relat
Publish At:2015-06-20 13:05 | Read:2300 | Comments:0 | Tags:testing development PCIDSS design threats technical specific

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes.In a change to last year's report the authors of 2015 State of Application Security: Closing theGap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders.Jim Bird, Eric Johnson and Frank Kim a
Publish At:2015-05-18 09:00 | Read:2510 | Comments:0 | Tags:testing information assurance disposal development maturity

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre.With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organ
Publish At:2015-05-09 22:15 | Read:2854 | Comments:0 | Tags:requirements SDLC testing development owasp projects appsece

Snakes & Ladders Coming To Shoreditch

A week on Monday, on the 11th May, I will be speaking during the MAKE day at this year's Digital Shoreditch.The Digital Shoreditch Festival 2015 is a two week mass-community celebration with participants from the world of tech, creative, and all related industries, running from 11th to 24th May. The schedule for the main programme (11th-15th May) has a separ
Publish At:2015-05-01 16:30 | Read:2320 | Comments:0 | Tags:vulnerabilities design technical threats testing requirement

Penetration Testing Guidance for PCI DSS

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS.Information Supplement: Penetration Testing Guidance, v1 March 2015,
Publish At:2015-04-07 07:45 | Read:1711 | Comments:0 | Tags:vulnerabilities information assurance technical threats oper

Participate in the OWASP Project Summit in Amsterdam

The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference.A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with ot
Publish At:2015-03-31 15:30 | Read:2826 | Comments:0 | Tags:testing corrective operation maturity preventative technical

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response.During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host M
Publish At:2015-03-06 06:40 | Read:3718 | Comments:0 | Tags:corrective administrative specification technical threats op

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.AppSec EU 2015 comprises:One and two-day training
Publish At:2015-02-27 16:20 | Read:2330 | Comments:0 | Tags:testing corrective operation maturity preventative technical

Report on an Evaluation of Application Security Assessment Vendors

Forrester Research published an evaluation of a dozen application security vendors in December.The researchers reviewed the market to identify application security assessment vendors that offer multiple capabilities, provide easy deployment and integration, are used by other Forrester clients and have competitive offerings.Their selection was Beyond Security
Publish At:2015-02-24 09:35 | Read:2455 | Comments:0 | Tags:vulnerabilities SDLC operation physical testing

Software Assurance Maturity Model Practitioner Workshop

The OWASP Open Software Assurance Maturity Model (Open SAMM) team are holding a summit in Dublin at the end of March.As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughou
Publish At:2015-02-21 02:50 | Read:2593 | Comments:0 | Tags:testing corrective standards maturity preventative technical

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is
Publish At:2015-02-10 14:40 | Read:2451 | Comments:0 | Tags:corrective administrative preventative technical threats SDL

NISTIR 8018 - Public Safety Mobile Application Security Requirements Works

The previously mentioned draft NIST Interagency Report (NISTIR) 8018 has now been released in final version.he public safety mobile application security effort focuses on improving the mobile application development process, specifically the mobile application testing tools, by understanding and collecting the security requirements relevant to the public saf
Publish At:2015-01-27 23:15 | Read:2033 | Comments:0 | Tags:design SDLC development operation information assurance tech

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud