Recently a client of mine sent over the results of a web vulnerability scan that one of their customers had run against their production web environment. My client was curious why the results of this third-party scan were different from my findings just a few…
Author Archives Kevin Beaver
THE AUTHOR
Kevin Beaver
Improving Web Security by Working With What You’ve Got
As I wrote about in a previous post, we’re in the era of cutting back – if not completely eliminating – all non-essential expenditures. The thing is what may seem to be non-essential to management may actually be essential to the business. There could just be…
Explaining the “why” of Web application security
Looking at the bigger picture of application security it seems that no one else really hears us. Sure, product managers, marketing, legal, HR and even certain people in management say they understand what’s at stake. But are they really on board? Business leaders have learned…
SQL Injection – The Web Flaw That Keeps on Giving
It’s hard to believe, but SQL injection as we know it has been around for 13 years. Yet, SQL injection is as prevalent as ever as highlighted in The 2011 Mid-Year Top Cyber Security Risks Report. Back in the dot-com era of 1998-99, you may…
"Time to market" no longer the security excuse
If you’ve heard it once you’ve probably heard it a thousand times: time to market is critical. Indeed, when it comes to software development, many business executives, marketers, product managers and sales weasels live and breathe by this mantra. Just get it out the door…
Getting employees on your side to improve Web security
We often hear about “disgruntled workers” wreaking havoc on computer systems and sensitive information. Interestingly we never hear about what I call “gruntled workers” and how they can — and do — contribute to enterprise security. Getting the attention of your employees and having them…
Properly Scoping your Web Security Assessments
I’ve heard experts in time management say that one minute of planning can save you five minutes in execution. This applies to so many things we do in IT and information security but I can’t think of anything more important than security testing. Applying the…
How Much Web Security is Enough?
A good web application security environment is one that balances security with convenience. Nothing more and nothing less; just the security that’s needed to keep things reasonably in check. But just how much is enough? All too often I see websites and applications with too…
The Cure for Many Web Application Security Ills
One of the things I’ve learned throughout my career is that many solutions to the problems we face in IT, security and software development can be solved if we simply turn to business leaders to see how it’s done. In particular, I’m talking about a…