Confidentiality, compensating controls, and risk transference are just a few of the core information security concepts covered by the CISSP exam – concepts that also happen to impact Web application security. Having recently completed the technical edits for a CISSP exam prep book, these principles are…
Author Archives Kevin Beaver
Take Care Handling the Results of Web Application Testing
How do you handle your web application testing, vulnerability scans, test data and related security assessment reports? I’ve found that this is something that doesn’t get a lot of attention in web application security circles but is still impactful to the business. It’s actually kind of ironic that…
Don’t Let Problems Stop You From Carrying Out Web Application Testing
Web security assessment success is directly related to the amount of preparation you do up front before you run a single web application test. It’s the 80/20 Rule: the 20 percent of time and effort you put into planning for the assessment will represent 80 percent of the value…
Do You Scan with Network Security Controls Enabled or Disabled?
As application security professionals, we want to get as much as possible out of our security assessments. We’re not only expected to, but we’re also proud of our work and want to provide the best results and most value possible. As I’ve written in a previous…
Mac Malware Underscores Why You Can’t Ignore Web Security Threats
Looks like the Mac is finally getting what’s been coming: Mac Malware. And lots of it just recently with the Flashback infection that apparently impacted up to 700,000 Macs. We’ve all heard it from the Mac bigots: One of the main reasons I use a…
Web Application Firewall (WAF) and the false sense of security
A Web Application Firewall (WAF) is an excellent last line of defense. Based on what I see in my testing they’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to clients all the time. But…there’s…
Not All Web Vulnerabilities Are What They Appear to Be
When performing web security assessments, it’s easy for us to feel confident in what we see. Take Cross-Site Scripting (XSS) for instance. Your scanner finds this web vulnerability. You validate that it does indeed exist. What more is there to do? Well, it depends on…
The Value of Web Exploitation
Is the exploitation of web vulnerabilities worth the trouble? Does it create unnecessary risks that should be avoided? Why exploit flaws anyway? This is not a black and white circumstance. Every situation is unique. But here’s what I know. The exploitation of web security flaws…
IT Geek Speak and What Management Really Needs to Hear
Gerald Ford once said “Nothing in life is more important than the ability to communicate effectively.” What a profound statement that not only applies to our personal lives but also how far we go in our IT careers. There’s hardly anything that can cause IT…