Application Self Protection – A New Addition to the OWASP Top 10
OWASP has just released the release candidate of its Top 10 most critical web application security risks. There are no major changes, but two new risks were added. This post discusses the first of them: A7 – Insufficient Attack Protection.
Open Source Software – Is It the Death of Your Company?
Open source software may be released under licenses that are unfavorable to your company, or may contain security vulnerabilities that put your own software at risk.
Dumping Memory on iOS 8
Back in January of 2015 NetSPI published a blog on extracting memory from an iOS device. Even though NetSPI provided a script to make…
The Way Back Machine – Microsoft Word for Windows 1.1a
On March 25, 2014, Microsoft released the source code for Microsoft Word for Windows 1.1a. They said they released it “to help future generations of technologists better understand the roots of personal computing.” I thought it would be interesting to perform an automated code review on it using Checkmarx, to see how they did related […]
PA-DSS 3.0 – What to Expect
The PCI Council has just released PA-DSS version 3.0. They have added new requirements, removed one, and changed a few. How this affects your application really depends on how you implemented security. What's been added: Req. 3.4, the payment application must limit access to required functions/resources and enforce least privilege for built-in accounts. By default, all […]
Outsourcing application development – what is missing?
I have been reading a few articles on outsourcing application development. Many of them have good information on what to look for and how to work with the companies doing the development. However, I have yet to see any of these articles talk about security and how to handle that in the outsourcing process. In […]
Why does one QSA pass me when another would not?
A question came up about a PCI audit that was performed for one of our customers. They just finished their PCI audit and passed. I am now working with them on a new software application and there is a vulnerability in their application that was ranked as a high. This was discovered on an application […]
Code Review – is automated testing enough?
We have worked with many companies that are following the letter of the law, the law in this case being the PCI Council’s requirement (6.3.2) that all code must be reviewed prior to release. It states: 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This […]
Mobile Application Testing – Where is it?
I was reading a few articles about how mobile devices, because of their popularity, are now the focus of malicious hackers. I thought this was interesting because many companies are developing applications for the mobile platforms and based on the information I have heard, they really do not have a formal process to test these […]