As we say goodbye to 2015 and begin the new year, we’d like to take a moment to reflect on the great year we had on the Checkmarx blog. We’ve covered a huge array of topics, from interviews with ethical hackers to discussions on the importance of integrating security and DevOps, and it’s that variety that shows through in our most popular posts of 2015.
In the new year, we promise to continue writing articles and guides that will help both security professionals and those wanting to learn more about security progress in their AppSec journeys.
For now, these are the ten most popular posts from the Checkmarx blog in 2015 – enjoy!
Vulnerable Hacking Sites & More Hacking Sites
The two most popular posts of the year were the lists of intentionally vulnerable sites dedicated to helping security professionals and ethical hackers hone their skills, so we lumped them together. It’s so great to see that these were the most popular posts, as it means application security and defensive security are finally being taken seriously.
The fact that many developers were also interested in testing their InfoSec skills is another big step towards positive changes in the security industry. Does this mean we’ll see more proactive developers when it comes to security in 2016? This is a good sign pointing to yes!
How To Play Game of Hacks
We rolled out our security education and awareness game, Game of Hacks, during the summer of 2014 and it’s been a huge hit ever since. This post offers an overview of the game and details how to play. Game of Hacks, and the popularity of this post, prove again how mainstream security, and AppSec in particular, is becoming around the world.
The Best Cyber Security Blogs On the Web
There is so much to read in the world of application security and even more in the wider security industry. It can be cumbersome to sift through, especially if you don’t have a good idea of the best blogs and news sites to check out on a regular basis. To help InfoSec newbies and other interested parties have a quality AppSec blogroll to check out, we compiled a big list of cyber security blogs and sites to read on a regular basis. With RSS feeds linked for each site listed, creating your own personal RSS security reader was never easier!
Security Experts to Follow on Twitter
Like the blogosphere, the Twitter universe can be equally tricky to navigate. It’s hard to know who to follow if you don’t know where to start – and with that in mind, we wrote a list of the top security experts on a range of topics to follow on Twitter. If you’re a Tweeter and haven’t checked out this list – now is the time! You can even follow our Twitter list, with added reader suggestions. If you’re looking for further reading suggestions, we added the experts’ blogs, if they keep one.
Security Practices to Always Follow
The last couple of years have seen security responsibility shift dramatically to the left, from the end of the SDLC into the development process itself. In turn, security is now under the purview of developers and other non-security professionals who need to learn the fundamentals of security quickly.
It’s no surprise to us that this post was one of our top posts of the year – we know that developers and other non-security professionals are interested in increasing their security knowledge. But it’s still a big leap forward to know that developers are seeking out this type of information. If you have a stake in the software and applications released or used by your organization, now is the time to make sure you’re at least familiar with these 9 secure coding practices and how they can be implemented in real life.
Most Dangerous Code Injections
Code injections have been around since the early days of the internet – and yet applications and organizations continue to fall victim to SQL injection and XSS attacks. Whether in WordPress plugins, children’s toys, government websites or ecommerce platforms, it makes no difference that code injections are well-known and easily avoided.
This post discusses the basics of each of the five worst code injections and how sites can fall victim to them if they don’t follow best practices for security. We also discuss the importance and essential role of source code analysis in detecting vulnerabilities throughout the SDLC to cut down on the number of high-risk issues that pop up near the end of the cycle and which may or may not get fixed before the app is released.
Read about the 5 Deadly Code Injections
The All-Too-Common XSS Attack
This post offers more in-depth information on the dangerous and easily preventable Cross-Site Scripting attacks. We dig into the three types of XSS, offer some fast facts about how widespread and potentially lethal XSS can be, and offer a downloadable and printable guide to preventing XSS attacks while building and defending applications.
Beginner’s Guide to SecDevOps
With DevOps taking over the development world, it’s up to the security industry to ensure we’re ready to meet whatever challenges come our way. We wrote this post as a primer on the principles of DevOps – and on how security teams can become much more involved in the process, shifting from being part of the problem to part of the solution.
That this post was one of the year’s most popular speaks volumes about the desire in the security community to be more engaged in the changes that DevOps brings to the SDLC. 2016 is set to be another big year for DevOps, and it’s great that security professionals want to be a positive part in helping resolve the various security challenges posed by agile development methodologies.
Are WAFs All They’re Cracked Up To Be? A Hacker Answers
While a layered approach to security is essential, it’s important to choose the tools you’ll layer onto each other wisely. Web Application Firewalls, or WAFs, have long been considered a perfectly fine way to prevent web app attacks. But Rafay Baloch, an ethical hacker who can easily bypass any WAF, wholeheartedly disagrees.
In the post, Rafay shows how he works his magic, and why he thinks that other tools, such as source code analysis and pen-testing, are a much better value. It’s great to see that application security testing is finally in the limelight, and we think 2016 will finally see Application Security receiving the attention it so desperately needs.
Security for Developers: The Resources You Should Know
From OWASP to CERT to StackExchange, we laid out some of the best resources that developers can turn to when they have an AppSec question. As with the 9 Secure Practices post above, it was exciting to see that developers are seeking out guidance and the resources that will help them better secure the applications they spend so much time and energy on. It’s clear that the “security as another factor of quality” way of approaching security is catching on among more than just the InfoSec community.
Have any posts you want to see us write in 2016? Let us know below!
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.