Synopsis
A family-friendly show about security awareness. Topics include developer security and security awareness in general.
Episodes
-
Ep. 84: Understanding the Technology
31/10/2017 Duration: 23 min. You know your development language and platform, but do you really know the ins and outs of web application technology? How well do you know HTTP, HTML, etc.? James talks about a few scenarios where really understanding how the technologies work helps you better understand vulnerability risks. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 83: Authorization Overview
18/10/2017 Duration: 20 min. In this episode, James talks about authorization and some common areas where it poses a risk. He also goes over some techniques to help test authorization. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 82: Equifax Take-aways
29/09/2017 Duration: 25 min. The Equifax breach was a major news story. James talks about some of the security controls mentioned and how to start a conversation within your organization about them. Want to listen on YouTube? Check out our channel, where we are releasing episodes starting from episode 1, at https://www.youtube.com/channel/UCdAqgfdGs0-hPa8FhsODwNw For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 81: JavaScript in HREF and SRC (XSS)
18/09/2017 Duration: 20 min. We talk about cross-site scripting (XSS) all the time, but often overlook the ability to use javascript: in anchor tags. James talks about this unique ability and how to protect your applications from it. The related blog post for this can be found at https://www.developsec.com/2017/09/06/javascript-in-an-href-or-src-attribute/ Want to listen on YouTube? Check out our channel, where we are releasing episodes starting from episode 1, at https://www.youtube.com/channel/UCdAqgfdGs0-hPa8FhsODwNw For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 80: Understanding Security of Your Platforms
23/08/2017 Duration: 19 min. We use a lot of platforms and frameworks when we develop an application. These platforms may provide security features, but do you know which ones? James talks about the importance of understanding your platforms and what to consider. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 79: Marketing with USB Drives
31/07/2017 Duration: 15 min. James talks about the risk of USB thumb drives, using the recent BCBS marketing campaign as an example (http://www.fiercehealthcare.com/privacy-security/bcbs-alabama-re-evaluates-usb-marketing-campaign-amid-security-concerns). For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 78: MySpace Lessons - Looking At Account Recovery
24/07/2017 Duration: 19 min. James talks about a recent vulnerability report regarding MySpace's Account Recovery system (https://www.wired.com/story/myspace-security-account-takeover/). He talks about considerations around account recovery and the need to revisit this type of functionality on a regular basis. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 77: Interactive Application Security Testing
07/07/2017 Duration: 14 min. In this episode, James talks about Interactive Application Security Testing, or IAST. It is a sort of hybrid approach that is similar to both dynamic and static analysis. Listen in to learn more about it. The video version of this can be found at https://youtu.be/KHSlDletm9I For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 76: Validation - Client vs. Server
19/06/2017 Duration: 13 min. Are you thinking about client- vs. server-side input validation? Curious why each is important and when to use them? James talks about the basic concepts and how to apply them to create more secure applications. A video version of this podcast is now available at: https://youtu.be/irO1TOC6-i8 For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 75: IAM with Geurt van Wijk
05/06/2017 Duration: 41 min. In this episode I sit down with Geurt van Wijk from IDdriven to discuss IAM and IDaaS. Geurt has many years of experience around Identity and shares some great insights into considerations when working with it. If you typically think of Identity as just a user with credentials and some typical roles, you will want to listen in. You can get more information about IDdriven from https://www.iddriven.com For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@developsec.com for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
-
Ep. 74: Audio Driver Key Logger Lessons Learned
24/05/2017 Duration: 16 min. It was recently reported that an audio driver on HP systems was logging keystrokes to a local file. Accidental? Malicious? Instead, we talk about how to try and avoid this from happening in the future. Original Article: https://www.cnet.com/news/keylogger-discovered-on-some-hp-laptops-conexant/ For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 73: Identity with Vittorio Bertocci
17/05/2017 Duration: 30 min. I sat down with Vittorio Bertocci from Microsoft at the Microsoft Build 2017 conference in Seattle, Washington. Vittorio shared some great insights into Identity and some new things around Azure AD and Azure AD B2C. Listen in to learn more about some of the interesting things going on. You can watch Vittorio's presentation from Build at: https://channel9.msdn.com/Events/Build/2017/B8084 To get more information from Vittorio, you can follow him on twitter at @vibronet or check out his website at www.cloudidentity.com Also, check out this announcement about new authentication SDKs: https://azure.microsoft.com/en-us/blog/start-writing-applications-today-with-the-new-microsoft-authentication-sdks/ For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and
-
Ep. 72: Where to Perform Output Encoding
11/05/2017 Duration: 13 min. Over the years I have had many people ask about encoding before storing data in the database. Here are my thoughts and recommendations. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 71: Sub Resource Integrity
17/04/2017 Duration: 14 min. Do you use hosted content on a CDN? How do you know the file hasn't been modified? James describes Sub Resource Integrity and how it is used to help detect and prevent loading modified files. For details referenced in the show about commands and examples, check out our post at https://www.developsec.com/2017/04/16/sub-resource-integrity-sri/ For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 70: Considering security when selecting an application platform
27/03/2017 Duration: 21 min. Do you struggle with trying to pick the most secure application platform? Are you focusing on the right questions? James talks about ways to look at application platforms and be secure, no matter which one you choose. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 69: Concurrent User Sessions
10/03/2017 Duration: 21 min. Do you allow users to log in to their accounts across multiple browsers or devices? Does this raise a security concern? James talks about how to handle this question and analyze the root issue. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 68: How the AWS disruption can help us
03/03/2017 Duration: 15 min. I am sure you have heard about the AWS service disruption that occurred. Have you seen how we can learn from this when we look at our own tools and processes? James talks about how we need to look at our own applications and tools and consider how time has changed the landscape. There might be more than you think. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 67: Clearing up HTTPOnly and Secure Cookie Attributes
24/02/2017 Duration: 09 min. I hear a lot of people struggling with the HTTPOnly and Secure attributes on cookies. The names may be confusing to some. Change your viewpoint and it may become easier. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 66: Forgot Username
22/02/2017 Duration: 14 min. We always talk about Forgot Password... but what about Forgot Username? Listen in as James discusses why protecting this functionality is important and the ways it could be abused if not properly handled. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 65: Security Questions: Good or Bad?
15/02/2017 Duration: 18 min. In this episode, James talks about security questions, or secret questions. We see them used in many different places. People complain they are horrible. So are they so bad that you shouldn't use them? Is it possible to help reduce the risk with security questions? For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.