Pragmatic Application Security
Thoughts on Secure Software Development
Matthias Rohr 
In part 1 of this series, I described how we can automatically test if a correct security header is a simple JUnit test. In this part, I will demonstrate how we can use self-made test automation to test even vulnerabilities such as Cross-Site Scripting (XSS). XSS is doubtless one of the most common vulnerabilities for … Read more
Today, performing unit tests has become a standard in many development teams for automatically performing various tests on code (e.g. as a compulsory part of the build process). Especially in agile development, the existence, completeness and quality of such tests is a critical aspect for ensuring that the application is still working after each commited … Read more
A few months ago, Gary McGraw wrote an interesting article on SAST deployments in the field. In it, he basically differentiates two service models: Code Scanning Factory (actually he called it “centralized code review scanning factory for code review”) Self Service The main idea behind both models is the most fundamental question when it comes to … Read more
Despite the fact that there are quite a few reservations concerning the use of application security scanning technologies (e.g. false positives, false negatives, usability, and of course the price), there are also a couple of good reasons for using such tools: 1. Applications Are Getting Bigger and Bigger Enterprise applications can be quite big: 100,000 … Read more