Thoughts about Secure Development & AppSec Test Automation
When it comes to integrating application security into an (especially large) organization, we often experience a bunch of practical problems and frustration. In the end, a lot of money may have been spent, but little or no improvement to the security of developed applications has been accomplished. The main problem that organizations made is that … Read more
A week ago I had the pleasure of giving a speech at OWASP AppSec EU in Rome on the new Microsoft Threat Modeling Tool 2016 that came out last November and is still available for free. The Threat Modeling Tool implements one way to derive threats (potential security problems) from a system specification and this … Read more
I’m often asked how security tests can be automated with non-commercial tools, e.g. triggered by a Jenkins build. Therefore I decided to write this post, to give you a bit of understanding which tools you can use and what you have to do in order to accomplish this goal. To not over complicate this, I … Read more
Static Application Security Testing (SAST) tools such as Fortify, Veracode, Checkmarx, or IBM App Scan Source Edition have been available on the market now for a while. All of them have their specific pros and cons. But there are certain problems that leak all of these static scanning technologies. Here are three important ones: False … Read more
One of the most critical vulnerabilities a Web application can have is an insecure direct object reference. Such vulnerability normaly exists due to an (usually database) object id that an user can directly access and manipulate (and!) that is not authorized correctly. An example that we often see is something like this: http(s)://www.example.com?id=123 or within … Read more
One publication that usually became a lot of attention in the application security market is of course Gartner’s magic quadrant. A new one for Application Security Testing (that is confusingly abbreviated with “AST”, a term that in software anylysis usually stands for Abstract Syntax Tree). A couple of years ago, Gartner created two new quadrants … Read more
In part 1 of this series, I described how we can automatically test if a correct security header is a simple JUnit test. In this part, I will demonstrate how we can use self-made test automation to test even vulnerabilities such as Cross-Site Scripting (XSS). XSS is doubtless one of the most common vulnerabilities for … Read more
Today, performing unit tests has become a standard in many development teams for automatically performing various tests on code (e.g. as a compulsory part of the build process). Especially in agile development, the existence, completeness and quality of such tests is a critical aspect for ensuring that the application is still working after each commited … Read more
A few months ago, Gary McGraw wrote an interesting article on SAST deployments in the field. In it, he basically differentiates two service models: Code Scanning Factory (actually he called it “centralized code review scanning factory for code review”) Self Service The main idea behind both models is the most fundamental question when it comes to … Read more
Despite the fact that there are quite a few reservations concerning the use of application security scanning technologies (e.g. false positives, false negatives, usability, and of course the price), there are also a couple of good reasons for using such tools: 1. Applications Are Getting Bigger and Bigger Enterprise applications can be quite big: 100,000 … Read more