Making Web application security work is more than simply telling developers they need to write better code. We can scream “Write better code!” and “Integrate security into the application lifecycle!” at developers until the end of time, but that’s not going to fix the fundamental problems…
Author Archives Kevin Beaver
Web security oversights: Don’t overlook the “small” stuff
I was reviewing the most recent SANS @RISK Consensus Security Vulnerability Alert and it reminded me of how easy it is to get caught up in the big stuff and overlook the seemingly innocuous when performing Web security assessments. The @RISK alert lists 69 unique…
7 Signs You’re Not Ready to Run a Web Vulnerability Scan
Looking to hop aboard the Web vulnerability scanning bandwagon to see just how vulnerable your Web site or application really is? Well, not so fast. Here are some signs you’re not ready to begin just yet: 1. You don’t have any desired outcomes…
Web application contingency plans – the missing link in Web security?
Why are Web applications out of the loop when it comes to contingency planning? Look at any given security incident response or disaster recovery plan (assuming they even exist) and chances are business-critical Web applications and related systems are missing. At least that’s what…
Creating a Web security testing policy
If you’re reading this blog, Web security testing is undoubtedly on your radar. You may have an ongoing process for testing Web vulnerabilities but do you actually have a policy for it? I’m all about keeping things simple with security and, when you think about…
The new OWASP Top 10 for 2010 – Risk and Realities
Kudos to Jeff Williams, Dave Wichers, and the rest of the OWASP team for pulling together the final release of the OWASP Top 10 for 2010. Obviously, a lot of thought and work has gone into this new version. One thing that really jumps out…
Fighting Web flaws is futile
Do you ever find yourself driving down the road in an unfamiliar place and you get that gut feeling that you’re headed in the wrong direction? Well, I feel that’s exactly where we are with application security – heading in the wrong direction. First off,…
The top Web vulnerability we face
I recently took some time off which gave me the opportunity to clear my head and think about some of the big issues we’re facing with Internet security. I thought if I had to pick one thing, what would be the greatest Web vulnerability out…
Authenticated XSS – problem or not?
Obviously, cross-site scripting (XSS) is a big problem on the public Web. But there’s another angle to XSS that no one seems to be talking about – at least I’m not seeing anything on it. It’s the issue of XSS on Web pages that are…