Rx iT World Hacking Tutorial
CI/CD Security

CI/CD pipelines and processes facilitate efficient, repeatable software builds and deployments; as such, they occupy an important role in the modern SDLC. ...

C-Based Toolchain Hardening

C-Based Toolchain Hardening is a treatment of project settings that will help you deliver reliable and secure code when using C, C++ and Objective C languages ...

Bean validation

Bean validation (JSR303, aka Bean Validation 1.0 / JSR349, aka Bean Validation 1.1) is one of the most common ways to perform input validation in Java. It is an ...

Authorization Testing Automation

Defining and implementing authorization is one of the important protection measures of an application. Authorizations are defined in the creation phase of the ...

Authorization

Authorization may be defined as "the process of verifying that a requested action or service is approved for a specific entity" (NIST). Authorization is ...

Authentication

Authentication is the process of verifying that an individual, entity, or website is who/what it claims to be. Authentication in the context of web ...

Attack Surface Analysis

This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by ...

Abuse Case

Often, when the security level of an application is mentioned in requirements, the following expressions are encountered: "The application must be secure." "The ...

AJAX Security

This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information ...

Types of API Tools

APIs are becoming an increasingly large portion of the software that powers the Internet, including mobile applications, single-page applications (SPAs) and ...

What is a Virtual Patch?

This paper presents a virtual patching framework that organizations can follow to maximize the timely implementation of virtual patches. It also demonstrates, ...

Using the Java Cryptographic Extensions

The code included in this article has not been reviewed and should not be used without proper analysis. If you have reviewed the included code or portions of ...

Types of XSS

Early on, two primary types of XSS were identified: Stored XSS and Reflected XSS. In 2005, Amit Klein defined a third type of XSS, which he coined DOM Based ...

Threat Modeling Process

This document describes a structured approach to application threat modeling that enables you to identify, quantify, and address the security risks associated ...

Threat Modeling

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. A threat model is ...

Source code analysis tools

Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help ...

Slow Down Online Guessing Attacks with Device Cookies

Device cookies as an additional authenticator for users' devices have been discussed and used in practice for some time already. For example, it was discussed by ...

Session Timeout

Session timeout represents the event occurring when a user does not perform any action on a web site during an interval (defined by the web server). The event, on ...

SameSite

SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information ...

Secure Software Contract Annex

This contract Annex is intended to help software developers and their clients negotiate and capture important contractual terms and conditions related to the ...
