CI/CD Security
CI/CD pipelines and processes facilitate efficient, repeatable software builds and deployments; as such, they occupy an important role in the modern SDLC. However, given their importance and ...
Rx iT World Hacking Tutorial
C-Based Toolchain Hardening
C-Based Toolchain Hardening is a treatment of project settings that will help you deliver reliable and secure code when using C, C++ and Objective C languages in a number of development environments. ...
Bean validation
Bean validation (JSR303 aka Bean Validation 1.0 /JSR349 aka Bean Validation 1.1) is one of the most common ways to perform input validation in Java. It is an application layer agnostic validation ...
Authorization Testing Automation
Authorizations definition and implementation is one of the important protection measures of an application. They are defined in the creation phase of the project and, even if authorization issues are ...
Authorization
Authorization may be defined as "the process of verifying that a requested action or service is approved for a specific entity" (NIST). Authorization is distinct from authentication which is the ...
Authentication
Authentication is the process of verifying that an individual, entity, or website is who/what it claims to be. Authentication in the context of web applications is commonly performed by submitting a ...
Attack Surface Analysis
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage ...
Abuse Case
Often when the security level of an application is mentioned in requirements, the following expressions are met:The application must be secure. The application must defend against all ...
AJAX Security
This document will provide a starting point for AJAX security and will hopefully be updated and expanded reasonably often to provide more detailed information about specific frameworks and ...
Types of API Tools
APIs are becoming an increasingly large portion of the software that powers the Internet including mobile applications, single-page applications (SPAs) and cloud infrastructure. While APIs share much ...
What is a Virtual Patch?
This paper presents a virtual patching framework that organizations can follow to maximize the timely implementation of virtual patches. It also demonstrates, as an example, how a web application ...
Using the Java Cryptographic Extensions
The code included in this article has not been reviewed and should not be used without proper analysis. If you have reviewed the included code or portions of it, please post your findings back to ...
Types of XSS
Early on, two primary types of XSS were identified, Stored XSS and Reflected XSS. In 2005, Amit Klein defined a third type of XSS, which Amit coined DOM Based XSS. These 3 types of XSS are defined as ...
Threat Modeling Process
This document describes a structured approach to application threat modeling that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling ...
Threat Modeling
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. A threat model is a structured representation of all the ...
Source code analysis tools
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. SAST tools can be ...
Slow Down Online Guessing Attacks with Device Cookies
Device cookies as additional authenticator for users devices have been discussed and used in practice for some time already. For example, it was discussed by Marc Heuse at PasswordsCon 14. Marc ...
Session Timeout
Session timeout represents the event occuring when a user does not perform any action on a web site during an interval (defined by a web server). The event, on the server side, changes the status of ...
SameSite
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection ...
Secure Software Contract Annex
This contract Annex is intended to help software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed ...
