Synopsis
A family friendly show about security awareness. Topics include developer security and security awareness in general.
Episodes
-
Ep. 45: The importance of WHY
03/06/2016 Duration: 22min
We are too quick to just give generic recommendations for resolving security vulnerabilities. We need to make sure that the application teams understand why these are vulnerabilities and why they are important. It all starts with "Why is that functionality there?" James talks about the importance of understanding the WHY and how it is a building block for building more secure applications. For more info go to https://www.developsec.com or follow us on Twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com). Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
-
Ep. 44: "We don't support Macs"
27/05/2016 Duration: 12min
When a developer was presented with a bug, they tried to say that it wasn't an issue because it was found by a tester using a Mac: "We don't support Macs." James talks about how this is a fundamental misunderstanding about security and tries to clear it up.
-
Ep. 43: Reflecting on Current AppSec Training
21/05/2016 Duration: 22min
James reflects on the current way we expect application teams to get security training and its potential shortfalls. Is there a better way? Listen as I talk through some different points on the topic.
-
Ep. 42: The Need for Better Secure Code Examples
24/04/2016 Duration: 21min
How do you get your secure coding information? Do you pull code snippets from the internet? Who doesn't? How many of those actually use secure coding best practices? We have a challenge where most of our books, tutorials, and even college classes don't show secure code examples, just code examples. Everywhere we turn, the code we see is insecure. James talks about this issue and some things you can do to help change that. In the episode, James makes reference to the IT Hot Topics Conference (https://www.eiseverywhere.com/ehome/index.php?eventid=155122&). James will be presenting on Friday morning. If you are in the area, this may be a great conference to check out. See the link included for registration info.
-
Ep. 41: Why You Need an Application Inventory
19/04/2016 Duration: 18min
Do you use an application inventory in your application security program? James discusses what an application inventory is and why it is important. Here is a list of a few tools that can be used to help identify some application details:
Consider using OWASP Dependency Check (https://www.owasp.org/index.php/OWASP_Dependency_Check)
Retire.js will help identify outdated JavaScript libraries (http://retirejs.github.io/retire.js/). This is also available as a Burp extension.
-
Ep. 40: Getting More Value from Pen Tests
08/03/2016 Duration: 16min
Penetration tests provide a measuring stick for security, but are you missing out on additional value? James discusses ways to use the pen test results to get more value out of a penetration test. James will be providing a free webcast regarding Penetration Testing for Application Teams on March 18th, 2016. Here is the registration link: https://attendee.gototraining.com/r/3147075330537789954
-
Ep. 39: Authentication
29/02/2016 Duration: 19min
James discusses what authentication is and some things to look out for.
-
Ep. 38: Static Analysis: Tips for Successful Program
07/02/2016 Duration: 39min
In this episode, James Jardine talks about some of the things you need to consider when trying to implement a static analysis program. It is more than just a tool you drop in. To build a successful program there are other considerations.
-
Ep. 37: CSRF Chaining
26/01/2016 Duration: 17min
James Jardine discusses CSRF chaining, using a combination of multiple CSRF requests to perform a task. Typically we believe that CSRF can only be done with one request, but with a little JavaScript it is possible to execute multiple requests. Listen in for more information.
-
Ep. 36: Intro to Cross Site Request Forgery (CSRF)
07/01/2016 Duration: 23min
In this episode, James talks about what CSRF is, why it is a risk, and different ways to protect against it. CSRF is #8 on the OWASP Top 10 (https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_%28CSRF%29). Want to learn more about application security? Check out https://www.developsec.com. Follow us at @developsec on Twitter.
-
Ep. 35: An Introduction to Open Redirects
15/12/2015 Duration: 17min
James discusses Open Redirects, or what the OWASP Top 10 refers to as Unvalidated Redirects and Forwards (https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards). This is an introduction to what an Open Redirect is, why it is an issue, how to protect against it and how to test for it.
-
Ep. 34: Importance of Hacking
11/12/2015 Duration: 25min
James discusses hacking: what it is and why it is important. It is more than what you see in the media of the bad guys hacking computers. It is a curiosity, a hobby, an interest in pushing limits. Some amazing things have come out of hacking. Check out this episode for more ramblings.
-
Ep. 33: Holiday Gift Security Considerations
24/11/2015 Duration: 18min
James discusses some things to consider this holiday season when searching for that perfect gift. It is important to understand the privacy policy (what is collected and how it is used) as well as the technologies the gift uses (Bluetooth, Wi-Fi, etc.). This discussion addresses both consumers and the companies that create these gifts.
-
Ep. 32: Dynamic Analysis: An Overview
21/11/2015 Duration: 22min
James Jardine provides an overview of Dynamic Analysis and why it is important. Like any automation, there are pros and cons. Listen to find out why dynamic analysis is useful. Some links to dynamic analysis options that are available:
WhiteHat Security (http://www.whitehatsec.com)
HP WebInspect (http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/)
IBM AppScan (http://www-03.ibm.com/software/products/en/appscan)
Veracode (http://www.veracode.com)
Acunetix (https://www.acunetix.com/)
-
Ep. 31: Response Splitting and Header Injection
09/11/2015 Duration: 18min
Join James Jardine as he discusses what Response Splitting/Header Injection is and how it works. He also discusses how ASP.NET helps defend against this attack. This is a quick overview of the vulnerability and a great starting point for anyone learning security concepts.
-
Newscast - Oct. 20, 2015
20/10/2015 Duration: 26min
Hi and welcome to the DevelopSec newscast for October 20th, 2015. I am James Jardine and I wanted to take a few moments to talk about some recent news stories over the past week.
Apple removes several apps that could spy on encrypted traffic - http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-spy-on-encrypted-traffic/ , http://www.theregister.co.uk/2015/10/09/apple_borks_adblocking_app_over_privacy_concerns/
Apps installed a root certificate on the device. Could allow monitoring of data, even SSL/TLS traffic. Recommended to uninstall the apps; unfortunately it was not made clear which ones they are.
Outlook.com CSRF bug pays security tester $25,000 - http://www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/
Wesley Wineberg found a Cross-Site Request Forgery flaw in the Microsoft Outlook.com website. Could hijack user sessions. Responsible/Coordinated disclosure allowed the flaw to be resolved before it was publicly disclosed.
Medicaid Data Breach, Security Issue at
-
Newscast - Sept. 30, 2015
01/10/2015 Duration: 23min
James breaks down a few news stories from the previous week. The following stories were discussed, including some brief points.
Microsoft accidentally pushes test patch - http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/
Of course the community assumes a hack. An oversight allowed a test patch to be released. They are working to remove it.
Credit Card Liability Shift is here
Starting October 1, 2015, if you're a vendor and use the magnetic stripe on a chip-enabled card, certain fraudulent transactions will fall to you instead of the bank. This doesn't change the liability for consumers. James' interview on Channel 4 News in Jacksonville: http://www.news4jax.com/news/new-credit-card-technology/35391900
WinRAR exploit – Is it just hype? - http://www.theregister.co.uk/2015/09/30/500m_winrar_users_open_to_remote_code_execution_zero_day/
Requires you to execute an exe, which is something we are taught not to do from untrusted sources. Estimates say this affects 500 million users, but let
-
Newscast - Sept. 23, 2015
24/09/2015 Duration: 15min
James breaks down a few news stories from the previous week. The following stories were discussed, including some brief points.
$1 million bounty for iOS 9 hack - http://www.wired.com/2015/09/spy-agency-contractor-puts-1m-bounty-iphone-hack/
Zerodium announced a 1 million dollar bounty for a hack that can take over an iOS device remotely, via web page, vulnerable app or text message. Terms of the offer demand that the bug not be reported to Apple or publicly disclosed. Not uncommon for iOS bugs to fetch big money.
Rare malware outbreak hits some Apple apps - http://www.usatoday.com/story/tech/2015/09/21/apple-china-hack-app-store-malware--xcode-ghost/72572190/
Some developers used fake versions of Xcode to create applications. Designed to steal user passwords. Reportedly little danger to US iPhone users unless using Chinese social media apps. Important to use software from trusted sources.
Comcast to pay $33 million over privacy breach - http://www.huffingtonpost.com/entry/comcast-to-pay-over-privacy-breach_55fb30d7e4b0fde8b0cd9fe4
75,000 na
-
Ep. 30: HTTP Strict Transport Security (HSTS): Intro
18/09/2015 Duration: 14min
James talks about HTTP Strict Transport Security (HSTS) and what it is for. For more information, check out the corresponding post https://www.developsec.com/2015/09/17/http-strict-transport-security-hsts-overview/ that has links to other references.
-
Ep. 29: FTC Start with Security Guidelines
30/07/2015 Duration: 24min
Just recently, the FTC released "Start with Security: A Guide for Business", which is a set of 10 items businesses can do to help secure their assets. The full guide can be found at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business. James Jardine gives an overview of the 10 items provided in the document. If you are a business, these are some good things to think about when it comes to security. The interesting twist is that it is not highly technical; rather, it uses real companies as examples for the different items.