Developsec: Developing Security Awareness

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 42:36:20

Information:

Synopsis

A family friendly show about security awareness. Topics include developer security, and security awareness in general.

Episodes

  • Ep. 28: What is Penetration Testing

    17/07/2015 Duration: 20min

    In this episode, James Jardine talks about what penetration testing, "pen testing", is and how it really has a lot of meanings to different people.  A pen test isn't something that should be considered negative, rather it is a positive approach to helping identify security risks to your organization. 

  • Ep. 27: Importance of Security for BA and PM

    18/06/2015 Duration: 15min

    In this episode James covers some thoughts on how business analysts and project managers are crucial to the security role for applications. It doesn't take a huge change in the way work is done, and the domino effect carries all the way through to QA. Accompanying Blog Post: https://www.developsec.com/2015/06/01/business-analysts-and-product-managers-security-roles/ Follow us on Twitter: @developsec

  • Ep. 26: The Importance of Security for QA

    26/05/2015 Duration: 22min

    QA plays a crucial role in testing for security flaws within applications. They have the proximity and knowledge of the application, and it is an extension of the role they currently fill. James Jardine discusses why security testing is critical to the QA role.

  • Ep. 25: Static Analysis: Analyzing the Options

    10/04/2015 Duration: 17min

    Static analysis is an important part of the secure development lifecycle.  There are some things to think about when you are considering a static analysis option.  James discusses the questions in this episode.

  • Ep. 24: The Importance of Baselines

    02/04/2015 Duration: 14min

    Understanding baselines of our networks, applications, traffic, etc. is important for identifying security issues. James Jardine shares some thoughts on the need for these baselines and why they are important. There is a quick write-up on this topic at https://www.developsec.com.

  • Ep. 23: 3rd Party CMS Security Thoughts

    11/03/2015 Duration: 21min

    CMS platforms are an easy way to get content onto the internet, but we still have to consider security. James talks about some of the concerns and things to think about when evaluating these security features. For more details, check out the blog post at https://www.developsec.com.

  • Ep. 22: Black lists vs. White Lists

    19/02/2015 Duration: 16min

    I came across an interesting tweet https://twitter.com/suffert/status/567486188383379456 depicting a good example of a black list that didn't quite cover everything I think they wanted to. This episode discusses the difference between black and white lists and some of the things to watch out for.

  • Ep. 21: Sensitive Data and Storage

    04/02/2015 Duration: 19min

    James talks about the need for developers, QA, business analysts and project managers to understand the type of application they are creating and the requirements around sensitive data.
    Reference Links from the podcast:
    http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
    http://laws.flrules.org/2014/189
    For more info go to https://www.developsec.com or follow us on X (@developsec). The DevelopSec podcast is brought to you by Jardine Software Inc.

  • EP. 20: MoonPig Take-aways

    09/01/2015 Duration: 23min

    I discuss the lessons learned from the recent Moonpig security disclosure.  This is full of information for a developer or QA tester.   For more information, visit https://www.developsec.com

  • Ep. 19: Target Environments

    30/11/2014 Duration: 20min

    Are you looking to test out your security skills? There are lots of targets that are freely available to you that can be quite helpful. The good news is you won't be getting in trouble for hacking these applications. Here is a short list of some of the targets that exist for you to practice your web hacking skills.
    Vulnerable Apps:
    hackazon - http://www.ntobjectives.com/hackazon/
    bWAPP - http://sourceforge.net/projects/bwapp/files/bee-box/
    webgoat - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    DVWA - http://sourceforge.net/projects/dvwa/
    Mutillidae - http://sourceforge.net/projects/mutillidae/

  • Ep. 18: Planning for an Assessment

    12/10/2014 Duration: 18min

    No matter what size company you are, sooner or later you will be subject to some form of security assessment, whether that is a penetration test, architecture review, code review or some other assessment. It is important to be prepared. Have the documentation needed when the engagement starts. Most importantly, be honest in answering any questions and don't try to hide things. The point is to get an accurate view of the security landscape to better help the company's risk position. James talks about all this and more in this episode.

  • Ep. 17: Authorization

    03/10/2014 Duration: 19min

    Are you sure you are performing proper authorization checks everywhere? What does authorization even mean? James Jardine talks about authorization and how QA, Dev and others can reinforce its implementation.

  • Ep. 16: The Cloud: Is it Safe?

    05/09/2014 Duration: 20min

    In this episode, James Jardine talks about the recent breaches regarding cloud services and whether or not we should be running for the hills. Let's focus on the real issue, not the hype of nude photos.

  • Ep. 15: Security Testing - QA can do this!!

    22/08/2014 Duration: 23min

    In this episode, James talks about security testing... scratch that, testing.  There really is no difference between security testing and regular testing.  The app is functioning in a way it was not designed to.  QA can do this.   Developers can do this.  Listen to find out some of the ways that we can help move this forward to get our internal teams testing better.

  • Ep. 14: Input Validation and Output Encoding

    27/07/2014 Duration: 13min

    The debate is out there as to which is more important. I discuss what they are and how they both play a key role in securing an application.

  • Ep. 13: Introduction to Cross Site Scripting

    27/06/2014 Duration: 14min

    This episode gives a high level overview of what XSS is and why it is of concern.  Future episodes will dig deeper into the vulnerability.

  • DS: Ep 12: Ebay hacked. All about Cookies

    27/05/2014 Duration: 19min

    We discuss a little about eBay and their unfortunate hack, how SourceForge has upgraded their password storage, and a lot about cookies. What are cookies, how are they used, and how do we secure them? Lots of great information about cookies.

  • Ep. 11: Not your Grandpa's Phishing

    09/05/2014 Duration: 14min

    In this episode, we talk about phishing: mass email and spear phishing. What you should know about the topic and how to protect yourself.

  • Ep. 10: Threat Modeling

    25/04/2014 Duration: 14min

    This episode introduces the new Microsoft Threat Modeling Tool 2014. No more requirement for Visio... woohoo. Lots of talk about threat modeling and its benefits.
    Threat Modeling Tool 2014: http://download.microsoft.com/download/3/8/0/3800050D-2BE7-4222-8B22-AF91D073C4FA/MSThreatModelingTool2014.msi
    Threat Modeling (book by Adam Shostack): http://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/

  • Ep. 9: Windows XP and HeartBleed

    11/04/2014 Duration: 12min

    In this episode we take a look at the two hottest topics: Windows XP End of Life and Heartbleed. If you haven't heard of either of these, you're under a rock (and you should listen). This is not an in-depth analysis of these, but just general thoughts on them.
