Developsec: Developing Security Awareness

In this episode, I go over what Double-ClickJacking is and what you can potentially do about it to reduce the risk to your applications. Will this be the new finding on everyone's pen tests this year?Paulos Yibelo first described Double-ClickJacking and you can read more from him at his post referenced below.References:Paulos Yibelo Blog: https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.htmlSend us a textFor more info go to https://www.developsec.com or follow us on X (@developsec). The DevelopSec podcast is brought to you by Jardine Software Inc.

In this episode, I talk about how security is a part of everyone's role and the labeling of "Security Culture". I share some ideas on how to improve on role based security awareness and building stronger relationships between security and the rest of the organization.For more info go to https://www.developsec.com or follow us on X (@developsec).

In this episode I talk about assigning responsibility for secure development and how the dev and security teams should be working together to accomplish a common goal. I also discuss the importance of updating developer job descriptions and creating an expectation around developers having secure development experience.For more info go to https://www.developsec.com or follow us on X (@developsec).

In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics the malicious actors are using to put pressure on organizations to pay the ransom.   Referenced Articles: https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/ https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets https://www.theregister.com/2024/01/05/swatting_extorion_tactics/   For more info go to https://www.developsec.com or follow us on X (@developsec).   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved?   For more info go to https://www.developsec.com or follow us on twitter (@developsec).   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.   Transcript: In this episode, James talks about root cause analysis versus treating the symptoms.   Tackling the challenge to integrate security into the development process, looking for insights, answers and practical solutions to avoid getting overwhelmed. Welcome to the develop SEC podcast where our focus is your success in securing and improving development processes. And here's your host, James Jardine. Hey, everyone, welcome back to the show. Today, I want to talk about addressing the symptoms versus addressing the root problem. And I think in application security, or when we talk about

In this episode we talk about the spell check feature of the browser and how it could present a risk to sensitive data.   Link to article referenced: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords     For more info go to https://www.developsec.com or follow us on twitter (@developsec).   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

Log4J has been the talk of the town recently and everyone is focused on the technical details of the specific vulnerabilities found. In this episode, James talks about the overarching ideas around dealing with vulnerable components. Are you vulnerable? If so, what needs to be done? For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

Chrome has announced a few changes that we need to watch out for in the near future. We previously talked about the default value for samesite that is coming up fast. I wrote about this here: https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/ Also, they are getting ready to start blocking mixed content downloads: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html   For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

It was recently announced that Chrome was dropping the XSS Auditor in Chrome 78. What does that mean and how does that change things for you as a developer?   https://www.chromium.org/developers/design-documents/xss-auditor For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

In 2020, Chrome will default the SameSite attribute to Lax on all cookies. SameSite helps mitigate CSRF, but does that mean CSRF is Dead? For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

In this episode, James talks about investing in the development teams to increase application security priorities. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security training to add value to your application security program. Contact us today to see how we can help.

In this episode, James talks about some of the risks and recommendations around security questions and their implementation.  For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

Does your application give away details about it server, framework, or other components?  How is this information used by an attacker? Check out this episode to learn more. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

James discusses how implementation matters with security controls and how it changes priorities. This came about after reading the following story:  https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

I talk about some of what happened in 2018 and what I am looking to do in 2019. I also ask you to think about your previous year and goals. I also talk about some new training I am providing. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

In this episode James talk about the Dunkin Donuts Perks breach. This is an interesting situation as the accounts were access using the victim's username and password found from another data breach. The issue: Password Reuse.  Could D&D have prevented this? Listen in to hear my thoughts.  Please feel free to share your thoughts as well. Article from Today: https://www.today.com/food/dunkin-reveals-security-breach-here-s-what-it-may-mean-t144139 Dunkin Donuts Release: https://www.dunkindonuts.com/content/dam/dd/pdf/Security_Update.pdf For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.  DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

In this episode James talks about what credential stuffing is, how if affects your apps, and how you can look to defend against it.  For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

James talks about the Facebook breach and shares some insights into how you can take steps to prevent this type of incident in your applications.  For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

I sit down with Eric Johnson to talk about security in the IDE and other fun topics. A bit longer than usual, but full of great information.  You can reach out to Eric on twitter @emjohn20  or check out his site at https://www.pumascan.com. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations.. join our slack channel. Email james@developsec.com for an invitation.   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.