Synopsis
A family-friendly show about security awareness. Topics include developer security and security awareness in general.
Episodes
-
Ep. 64: Using Stolen Passwords to Protect User Accounts
23/01/2017 Duration: 14min
A few months ago, it was announced that some companies buy stolen passwords off the black market to help protect their users. This is done by checking whether a user's password appears in that list and, if it does, forcing a reset. James talks about the idea and raises some interesting questions. What do you think about the tactic? For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
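The mechanism this episode describes, as an added example in Python (not code from the show or from Jardine Software): the stolen list is kept only as hashes, bucketed by hash prefix so a check can be made as a range lookup, and the decision to force a reset is taken after the normal credential check succeeds, because the plaintext is only in hand at login, registration and password change. The four "stolen" passwords are constructed for the example and are not real breach data; the three outcome strings are assumed names.

```python
import hashlib

# Constructed stand-in for a purchased or leaked password dump. These four
# strings are made up for this example and are not real breach data.
STOLEN_PASSWORDS = ["password1", "Summer2016!", "letmein", "qwerty123"]


def _sha1_hex(password: str) -> str:
    # SHA-1 is acceptable here only because this indexes passwords that are
    # already public; it is NOT how your own users' passwords should be stored.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class StolenPasswordIndex:
    """Holds only hashes of the leaked passwords, bucketed by the first five hex
    characters. A lookup fetches a whole bucket and finishes the comparison
    locally (the shape of a k-anonymity range API), so the query never has to
    reveal the exact password being checked if the list lives in another service.
    """

    def __init__(self, plaintexts):
        self._buckets = {}
        for pw in plaintexts:
            digest = _sha1_hex(pw)
            self._buckets.setdefault(digest[:5], set()).add(digest[5:])

    def range(self, prefix5: str) -> set:
        return self._buckets.get(prefix5.upper(), set())

    def is_compromised(self, password: str) -> bool:
        digest = _sha1_hex(password)
        return digest[5:] in self.range(digest[:5])


def check_login(index: StolenPasswordIndex, credentials_ok: bool, password: str) -> str:
    """Decision taken after the normal credential check. Assumed outcomes:
    'deny', 'force_reset', 'allow'."""
    if not credentials_ok:
        return "deny"
    if index.is_compromised(password):
        # Credentials were valid, but the password is on the stolen list:
        # let the user in only far enough to set a new password.
        return "force_reset"
    return "allow"
```

Checking at login rather than by comparing stored hashes is what makes this possible: your own (salted, slow) password hashes cannot be compared against the list offline, and the same check belongs on the registration and password-change forms so a user cannot pick a password that is already on the list.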
-
Ep. 63: Remember Me Feature: Security Considerations
17/01/2017 Duration: 15min
Have you implemented, or are you implementing, a remember me feature for your application? What do you remember: the username, the password, or both? James talks about some security considerations around implementing a remember me feature for your application.
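One way to build a remember me feature without putting the password (or anything derived from it) in the cookie, as an added Python example that is not code from the show: the cookie carries a random selector and validator, the server stores only a hash of the validator, each token is single use and rotated on redemption, and all tokens for a user are revoked on logout, password change or a mismatch that suggests theft. The 30-day lifetime is an assumed policy value.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_ME_LIFETIME = 30 * 24 * 3600  # assumed policy: 30 days


class RememberMeStore:
    """Server-side table behind a remember-me cookie.

    The cookie value is "selector:validator". The selector is a lookup key; only
    a hash of the validator is stored, so a copy of this table cannot be turned
    back into working cookies. The user's password never goes into the cookie.
    Tokens are single use: redeeming one deletes it and issues a replacement.
    """

    def __init__(self, now=time.time):
        self._rows = {}  # selector -> (user_id, sha256(validator), expires_at)
        self._now = now

    def issue(self, user_id: str) -> str:
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self._rows[selector] = (
            user_id,
            hashlib.sha256(validator.encode()).digest(),
            self._now() + REMEMBER_ME_LIFETIME,
        )
        return f"{selector}:{validator}"

    def redeem(self, cookie_value: str):
        """Return (user_id, fresh_cookie_value) or None.

        A remembered session should not be enough for sensitive actions such as
        changing the password or email address; ask for the password again there.
        """
        selector, sep, validator = cookie_value.partition(":")
        if not sep:
            return None
        row = self._rows.get(selector)
        if row is None:
            return None
        user_id, stored_hash, expires_at = row
        if self._now() > expires_at:
            del self._rows[selector]
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        if not hmac.compare_digest(presented, stored_hash):
            # Correct selector, wrong validator: the selector was guessed or taken
            # from a database copy. Treat it as theft and drop every token.
            self.revoke_all(user_id)
            return None
        del self._rows[selector]
        return user_id, self.issue(user_id)

    def revoke_all(self, user_id: str) -> None:
        """Call on logout, password change, or suspected theft."""
        for selector in [s for s, r in self._rows.items() if r[0] == user_id]:
            del self._rows[selector]
```

The cookie itself still needs the Secure and HttpOnly attributes, and the remembered login should carry less privilege than one where the password was just typed.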
-
Ep. 62: MongoDB Ransomware Attacks
10/01/2017 Duration: 13min
Do you use MongoDB? If so, is it exposed to the internet? Recent news (linked below) has shown that a large number of MongoDB instances are being taken hostage by ransomware attackers. James talks about the issue and ways to help ensure you are not the next victim. Link to original article: http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/
-
Ep. 61: Multi-factor Authentication
05/01/2017 Duration: 17min
Implementing multi-factor authentication isn't just about adding a second factor. There are many considerations that need to be included, one in particular: how do you handle a user losing the means of providing that second factor? James talks about thinking this through.
-
Ep. 60: Yahoo Breach Takeaways
15/12/2016 Duration: 18min
Yahoo has announced yet another breach, this one from back in 2013 and affecting a very large number of user accounts. https://investor.yahoo.net/ReleaseDetail.cfm?&ReleaseID=1004285 This creates an opportunity to discuss password storage and the storage of security answers. Find out what we can take away from this incident.
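The two storage points this episode raises, as an added Python example (not the show's code and not a description of Yahoo's systems): a salted, slow, self-describing hash for passwords, the same treatment for security answers after normalizing them, and, for contrast, the weak scheme of a fast unsalted hash, where one precomputed table from a wordlist cracks every matching account at once. The iteration count and the five-word "attacker dictionary" are assumed and constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 300_000  # assumed; tune so one verification takes ~100 ms
# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "password", "Summer2016!", "qwerty", "letmein"]


def hash_secret(secret: str) -> str:
    """Salted, slow hash. The output names algorithm and cost so the cost can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def _normalize_answer(answer: str) -> str:
    # Security answers are low-entropy and typed inconsistently ("Fluffy", "fluffy ",
    # "FLUFFY"). Normalize case, whitespace and Unicode form before hashing, then
    # protect them like a password: in a breach they unlock account recovery.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_security_answer(answer: str) -> str:
    return hash_secret(_normalize_answer(answer))


def verify_security_answer(answer: str, stored: str) -> bool:
    return verify_secret(_normalize_answer(answer), stored)


def legacy_md5(password: str) -> str:
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(stored_hex: str, wordlist):
    """Without a salt one table, built once, is reused against every stored hash."""
    table = {legacy_md5(word): word for word in wordlist}
    return table.get(stored_hex)
```

Security answers deserve the slow hash even though they are not passwords: a stolen table of answers is a stolen table of account-recovery credentials, and normalizing before hashing is what keeps the legitimate user from being locked out by a stray capital letter.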
-
Ep. 59: All About Cookie Protection
14/12/2016 Duration: 23min
It is the holiday season, so it is appropriate to talk about cookies. Not the kind that you bake, but the ones in your applications. James talks about the security mechanisms for cookies and clarifies what they are for.
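The cookie protections this episode covers, put into a small checker as an added Python example (not the show's code): it parses a Set-Cookie value and reports which of Secure, HttpOnly and SameSite are missing, flags a session cookie given a lifetime, a Domain attribute that widens sharing, and a `__Host-` prefixed name that does not meet the prefix's requirements. The finding texts are assumed wording; the sample cookie values in the test are constructed.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.
    Valueless attributes (Secure, HttpOnly) map to True."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, session_cookie: bool = True) -> list:
    """Return findings; an empty list means every protection is present."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so an XSS bug steals it")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: cross-site requests carry it (CSRF)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None is only honoured together with Secure")
    if session_cookie and ("expires" in attrs or "max-age" in attrs):
        findings.append("session cookie given Expires/Max-Age: written to disk, outlives the browser session")
    if "domain" in attrs:
        findings.append(f"Domain attribute set ({attrs['domain']}): shared with every subdomain")
    if cookie["name"].startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain, otherwise browsers reject it")
    return findings


def build_session_cookie(name: str, value: str) -> str:
    """Hardened Set-Cookie value for a session identifier."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Each attribute addresses a different attacker: Secure stops the cookie going over HTTP to a network attacker, HttpOnly keeps it away from script injected through XSS, SameSite limits what a cross-site request can carry; none of them substitutes for the others.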
-
Ep. 58: "Untrusted" Data
16/11/2016 Duration: 21min
Have you heard someone mention "untrusted" data? Applications take data from multiple sources, and we are often confused about what should be trusted and what should not. In this episode, James Jardine talks about untrusted data and some thoughts for moving past it.
-
Ep. 57: Source Code Review
04/11/2016 Duration: 21min
Are you an organization looking to do source code review? Are you trying to hire a pen tester with source code review as a duty? James talks about Secure Code Review and some common implementations.
-
Ep. 56: Security Contacts
26/10/2016 Duration: 12min
Do you have a clear path for users to contact you about potential security issues in your application or device? Is there a potential for the communication to be lost in the mix? James talks about how important it is for users to have a clear path of communication when it comes to reporting security issues.
-
Ep. 55: Scoping an application security assessment (Applications)
28/09/2016 Duration: 12min
Having a penetration test performed against your applications? Do you have mobile and web applications performing the same functionality? James talks about the reasons for doing these assessments at the same time rather than separately. See why testing your entire offering can add benefit to your security assessment. Link to DerbyCon Presentation
-
Ep. 54: WAFs and Pen Testing
21/09/2016 Duration: 16min
Your pen tester wants you to whitelist them in your WAF? What should you do? Why do they ask? James breaks it down for you in this episode.
-
Ep. 53: Chrome Changing Secure Notifications
15/09/2016 Duration: 17min
We talk HTTP/HTTPS all the time. Google has just announced that in January it will change how Chrome displays its secure/not secure indicators for HTTP sites that collect passwords or credit cards. James talks about how this can affect you. Link to the article: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
-
Login Forms and HTTPS
07/09/2016 Duration: 10min
Are your login forms secure? Are you sure? In this episode James talks about potential risks in how you present your login forms even when using HTTPS, and how to avoid them. We are often focused on HTTPS for the submission of credentials, but what about the loading of the form? What about frames?
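The three questions in this episode (how the form is loaded, where it submits, and whether it sits in a frame) as a small page checker, added here as a Python example that is not the show's code. Given a page URL and its HTML it reports a password form delivered over HTTP, a form action that posts over HTTP, and frames in the page, distinguishing a frame loaded over HTTP from an HTTPS frame whose origin the user still cannot see in the address bar. The sample pages and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages for the checks below.
SAMPLE_HTTPS_POST = (
    '<form action="/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pass"></form>'
)
SAMPLE_HTTP_ACTION = (
    '<form action="http://www.example.com/login" method="post">'
    '<input type="password" name="pass"></form>'
)
SAMPLE_FRAMED = '<h1>Welcome</h1><iframe src="http://auth.example.com/login"></iframe>'


class _LoginFormScanner(HTMLParser):
    """Collect forms that contain a password field, plus every frame source."""

    def __init__(self):
        super().__init__()
        self.forms = []    # {"action": str, "has_password": bool}
        self.frames = []   # src of each <frame>/<iframe>
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag in ("frame", "iframe"):
            self.frames.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str) -> list:
    scanner = _LoginFormScanner()
    scanner.feed(html)
    findings = []
    page_is_https = urlsplit(page_url).scheme == "https"
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if not page_is_https:
            # Submitting to HTTPS does not help: an on-path attacker rewrites
            # the action or injects script before the user ever clicks submit.
            findings.append("password form delivered over HTTP: the form itself can be altered in transit")
        if urlsplit(action).scheme != "https":
            findings.append(f"form posts credentials to {action} over plain HTTP")
    for src in scanner.frames:
        frame_url = urljoin(page_url, src)
        if urlsplit(frame_url).scheme != "https":
            findings.append(f"frame {frame_url} is loaded over plain HTTP inside the page")
        else:
            findings.append(
                f"page embeds {frame_url} in a frame: the address bar shows the parent page, "
                "so the user cannot verify where a framed login form goes"
            )
    return findings
```

A login form that is served over HTTP but posts to HTTPS passes the "is the submission encrypted" check and still fails, which is why the load of the form is checked first.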
-
Ep. 52: Importance of UI to Security
05/09/2016 Duration: 11min
The user interface plays a big part in the security of an application. We often look only at flaws such as XSS, but here James gives an example of missing input validation messages creating a denial-of-service type situation.
-
Ep. 51: Everything is a target
29/08/2016 Duration: 12min
James discusses how all applications, big or small, are potential targets and need secure coding practices. We often look only at our big applications from a security perspective, but in reality all applications pose a risk.
-
Ep. 50: How Serious is Username Enumeration
28/07/2016 Duration: 23min
In this episode, James talks about what Username Enumeration is, how it can be used by attackers, and some ways to help reduce the risk of it.
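Username enumeration on a login form, and one common way to reduce it, as an added Python example (not the show's code): the leaky version returns different messages for "no such user" and "wrong password" and skips the password hash for unknown users, so both the wording and the response time reveal which usernames exist; the uniform version returns one message and does the same hashing work on every path, and the forgot-password handler answers the same way whether or not the account exists. The user table, the iteration count and the message texts are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed; raise for production


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user table with a single real account.
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, _pbkdf2("Tr0ub4dor&3", _alice_salt))}

# Computed once at startup: a hash for nobody, so an unknown username costs
# the same work (and therefore the same time) as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_MESSAGE = "Invalid username or password."
SENT_RESET_EMAILS = []  # stands in for the outbound mail queue


def login_leaky(username: str, password: str):
    """Before: two different messages and an early return for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username."
    salt, stored = record
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return True, "OK"
    return False, "Incorrect password."


def login_uniform(username: str, password: str):
    """After: one message for every failure and the same hashing work on
    every path, whether or not the username exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    ok = matched and record is not None
    return ok, ("OK" if ok else GENERIC_MESSAGE)


def forgot_password(username: str) -> str:
    """Same response either way; whether an email goes out happens out of band."""
    if username in USERS:
        SENT_RESET_EMAILS.append(username)
    return "If that account exists, a reset link has been emailed to it."
```

Registration is the remaining vector ("that username is taken"), and it is the hardest to close; where it cannot be, rate limiting and the lockout and monitoring discussed elsewhere on this show are what limit how fast a list of usernames can be confirmed.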
-
Ep. 49: Should Password Change Invalidate Access Tokens?
25/07/2016 Duration: 16min
An interesting question was raised around changing a password and the need to invalidate all the access tokens for the associated mobile devices. James talks about his view on the topic and how you can analyze your situation to determine the appropriate direction.
-
Ep. 48: Pokemon Go Security Discussions
18/07/2016 Duration: 18min
Pokemon Go has taken the world by storm and, as always, it brings up some things to talk about regarding security. In this episode James talks about some out-of-the-box security thoughts regarding mobile applications, including app permissions, fake apps, and scams. **Link to James' interview on News4Jax talking about Pokemon Go security concerns: http://www.news4jax.com/news/morning-show/pokemon-go-security-concerns**
-
Ep. 47: Account Lockouts and auto-unlock
17/06/2016 Duration: 10min
A question came in regarding auto-unlock of accounts and account lockout in general. James discusses his thoughts on this process and how he approaches these types of questions.
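An account lockout with auto-unlock, as an added Python example (not the show's code) of the mechanism this question is about: a per-account failure counter over a sliding window, a lock that clears by itself after a fixed time, and a reset on success. It also computes the online guessing budget the policy still leaves an attacker who simply waits out each unlock, which is the number to weigh against the risk of an attacker locking legitimate users out. The threshold, window and lock duration are assumed defaults.

```python
import time


class LockoutPolicy:
    """Failure counter per account with auto-unlock.

    `threshold` failures inside `window` seconds lock the account for
    `lock_seconds`; the lock then clears on its own, with no help-desk call.
    A successful login resets the counter. Default values are assumed.
    """

    def __init__(self, threshold=5, window=15 * 60, lock_seconds=15 * 60, now=time.time):
        self.threshold = threshold
        self.window = window
        self.lock_seconds = lock_seconds
        self._now = now
        self._failures = {}      # user -> [timestamps of recent failures]
        self._locked_until = {}  # user -> unlock time

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._now() >= until:
            # Auto-unlock: drop the lock and the failures that caused it.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Return True if this failure triggered a lock."""
        now = self._now()
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def attacker_guesses_per_day(self) -> int:
        """Guesses per account per day the policy still allows an attacker who
        waits for each auto-unlock. Compare with the weakest password you accept."""
        return self.threshold * (24 * 3600 // self.lock_seconds)


def attempt_login(policy: LockoutPolicy, user: str, password_ok: bool) -> str:
    """Outcome for logging: 'locked', 'allow' or 'deny'. The user-facing text
    for 'deny' and 'locked' should be the same generic message, otherwise
    the lock itself confirms that the username exists."""
    if policy.is_locked(user):
        return "locked"
    if password_ok:
        policy.record_success(user)
        return "allow"
    policy.record_failure(user)
    return "deny"
```

With the defaults above an attacker gets 5 guesses per 15 minutes, 480 a day, against any one account; a longer lock shrinks that budget but lengthens the outage an attacker can impose on a user by deliberately failing their login, which is the trade-off the question is really about.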
-
Ep. 46: Password Confirm Boxes
10/06/2016 Duration: 11min
A question came in about the need for the password confirm box on registration screens and its security implications. In this episode I respond to the question and give some insights on how to approach these types of questions from a security perspective.