Tag : Application Security

some

Beyond XSS and CSRF: Same Origin Method Execution

Aug 12, 2015 By Sarah Vonnegut | Unless you were living under a rock last fall, you heard about the major iCloud hack that saw nude pictures of A-list celebrities posted all over the web. The fact that someone could hack into private clouds and steal the sensitive data contained within alarmed web users around the world.   That wasn’t the only exploit of its kind. If someone malicious had discovered another, similar exploit on Google+, there could have been a similar batch of stolen photos.   Luckily, the hacker that found them is a white-hat and plays for the good side. Ben Hayak plays for the good side, and our private Google Plus photos have been saved from prying hands.   Ben, a senior security engineer at Salesforce, recently discovered a method of attack that would pose major threats to users and sites with successful attacks.  

</Read More>
Must Know Security Buzzwords For

Must Know Security Buzzwords For Application Builders and Defenders

Jul 24, 2015 By Sarah Vonnegut | In security, there is always a new term being thrown around, and it’s important to know what each one means for anyone involved in the spectrum of security management, from CISO to security team to development team. Without the common language, conversations around security could feel altogether foreign for different folks.   Say what you will about buzzwords and how overused they may be, but not knowing them may hold back your organization by not being on top of the industry jargon. If you’re currently building or working to secure applications at your organization,  you really can’t get away without knowing the security buzzwords below. 

</Read More>
9 Essential Secure Coding Principles To (1)

9 Secure Coding Practices You Can’t Ignore

Jul 01, 2015 By Sarah Vonnegut | Writing secure code is no longer an option. With financially motivated crime at the top of the web app attack food chain, according to the latest Verizon Data Breach Investigation report, your organization will be hard-pressed to come out on top if you suffer a breach. In order to ensure our organizations and customers are secure, software developers must be able to create code that stands the test of time – only accomplished with proper techniques and a commitment to consistency throughout the organization.
 

</Read More>
talks

21 Awesome Talks and Resources on Security and DevOps

Jun 22, 2015 By Sarah Vonnegut | As we wrote about last week, the explosion of DevOps – with 88% of businesses saying they’ve adopted or will adopt DevOps within the next five years – has made it clear that we need to tightly integrate security in the fast-paced, iterative cultures that are DevOps organizations.   We can’t fight DevOps, if we ever did. DevOps is good all around when done right – and security plays a big part in helping DevOps organizations thrive. And luckily for you, lots of security and DevOps people already have experience in how to work in harmony together – and even better, they want to pass their knowledge along. There is some great watching and reading material to draw inspiration, ideas and advice from – so we gathered up 21 of the best talks and other resources we’ve seen to help you along the way.   

</Read More>
Proactive AppSec

The Ten Commandments of Proactive Application Security

May 29, 2015 By Sarah Vonnegut | When you’re constantly reacting to suspicious alerts and fixing vulnerabilities only after they’ve been exploited, you’re missing the point of application security.   Application security, according to Wikipedia, “encompasses the measures taken throughout the code’s life-cycle to prevent gaps in the security policy of an application or the underlying vulnerabilities… of the application.” The practice of application security, at its core, exists solely to protect the data of an organization’s applications and, more importantly, the organization itself.  

</Read More>
AppSec Metrics

Application Security Metrics: Where (And Why) To Begin?

May 15, 2015 By Sarah Vonnegut | A wise man once said, “to measure is to know…if you cannot measure it, you cannot improve it.” When it comes to application security, measurements are crucial to the success of your program. But determining how to best combine your measurements into metrics which show your programs value is much more important.
As a CISO or the like, you lead a team that the business absolutely depends on. Unfortunately, information security in general and application security in specific have a hard time gaining support, even if the latest Verizon Data Breach Investigation Report noted that 75% of web app attacks are financially motivated, and that application security falls “squarely under ‘the cost of doing business.’

</Read More>
Moscone

19 Points of AppSec Wisdom from RSA 2015

Apr 30, 2015 By Amit Ashbel | So, we are back from RSAC 2015!  Our heads full with new information, our sales teams loaded with new connections to follow up with and our bags full of useless giveaways :). Other than achieving absolute culinary success with some quite impressive restaurants and enjoying an impressive Faith No More concert at the San Francisco Warfield we also did some work. As usual it was an interesting and fruitful RSA Conference. Concentrating on Application Security, which had its own dedicated track, we decided to summarize a few of the more interesting talks. Among those, our own one and only, Maty Siman.

</Read More>
CI

All You Wanted To Know About Continuous Integration Security

Apr 07, 2015 By Sharon Solomon | Continuous Integration (CI) is an application development practice that’s becoming more and more popular in large software development organizations. While it boosts productivity and code integrity, it introduces new technical challenges in the security process, magnifying the importance of selecting of the right solution for the task.  

</Read More>
Ali Express

The AliExpress XSS Hacking Explained

Mar 24, 2015 By Sharon Solomon | This post was originally published on the AppSec-Labs blog.   As you may have heard it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.   A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.  

</Read More>

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Follow us on Feedly

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.