#AppSec
Scaling Security in Cloud-Native Environments with CNAPP – Source: securityboulevard.com https://ciso2ciso.com/scaling-security-in-cloud-native-environments-with-cnapp-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard #BestPractices #AppSec
Blog Post: ZAP Development Focus Questionnaire Results: https://www.zaproxy.org/blog/2023-12-04-development-focus-results/
We asked what you wanted us to focus on, and you answered😀
#zaproxy #appsec
SafeCode: a new application security conference
Hi! We have decided to launch a new conference about application security
https://habr.com/ru/companies/jugru/articles/778426/
#appsec #application_security #безопасность_приложений #safecode
🚨 Episode 306 of the @sharedsecurity Podcast is out now, featuring the brilliant @SheHacksPurple
Tanya shares her recent adventures, which include the purchase of her company WeHackPurple by Semgrep.
We also discuss the topic of education within the cybersecurity industry, with Tanya highlighting the lack of training in many organizations. And don't miss a sneak peek into her new book, 'Alice and Bob Learn Secure Coding'.
For our Patreon supporters we have a very special bonus episode where Tanya opens up about leaving safety behind, starting her own company, and her biggest career accomplishment ever. Don't miss this empowering conversation!
If you're not a Patreon yet, you can get a free 7-day trial right now to listen to this episode and all of our other bonus content! Join today: https://patreon.com/sharedsecurity
Watch on YouTube:
https://youtu.be/wUrcs1-p8XQ
Listen and subscribe:
https://sharedsecurity.net/subscribe
#appsec #applicationsecurity #podcast #cybersecurity #education

ZAP November updates:
https://www.zaproxy.org/blog/2023-12-01-zap-updates-november-2023/
Improved modern web app handling and lots of videos.
#zaproxy #appsec
Is anyone using Google MVSP in their application security architecture? I'm a big fan of the OWASP ASVS but always looking for the new hotness.
https://security.googleblog.com/2023/11/two-years-later-baseline-that-drives-up.html?m=1
If you could have ANY #AppSec product or service (even imaginary), what would it be? Which specific problem is #1 for you and your org?
looking back on my personal challenge for 2023: #AskAppSec | A Tester's Journey: AskAppSec - Finding Closure https://www.lisihocke.com/2023/12/askappsec-finding-closure.html #AskInfoSec #AppSec #InfoSec
We Hacked Ourselves With DNS Rebinding - https://www.intruder.io/research/we-hacked-ourselves-with-dns-rebinding #appsec
👉 "As we are in the #Finance Sector, web application security is necessary. And for us, #AppTrana is a cost-effective #WAF solution with really good protection features."
Understand what makes AppTrana #WAAP the go-to choice for the #BFSI and #Fintech companies.
Hear directly from one of our customers - https://bit.ly/47Zk8Zo
#webapplicationsecurity #falsepositives #wafprotection #cloudwaf #apisecurity #apiprotection #appsec #indusface

AppSec Ezine - 511th Edition https://pathonproject.com/zb/?0ff73c6a4cf29227#CbbxSykoX+Wk2hBMF55i4rDMxQgwcxvXL4g2Z7MunEk= #AppSec #Security
We're #hiring experienced #security researchers! Our team takes on some of the most exciting tech from leaders in the industry. Do you have what it takes to join our fully remote team of world-class security researchers? Take a look at our current opening: https://doyensec.com/careers.html

If you're having fun trying to map security requirements from one standard to another, then OpenCRE might be of help. For example, you might have used OWASP SAMM to try to understand what maturity levels your org is at, but need to map to NIST 800-53 v5 as that's what your org's policies are based around.
https://www.opencre.org/map_analysis
Also, you have my best wishes for what seems to be a vertically uphill task to do with consistency!
Have you sent XML to your JSON REST service today? You should, because it is really easy to leave the XML parsing on when using third party components for a parsing engine. And XML parsers are WAY worse than JSON parsers.
📣 Excited to announce all your favorite moments from #DEFCON31 are now available to watch on our @AppSec_Village YouTube channel!
Missed a session during the conference, or weren't able to join us this year? We've got you covered 👉 https://www.youtube.com/playlist?list=PLrBLsgTCBQVpyirtbE8d29QVKxpb938QB
☃️ Tis the Season! Consider adding AppSec Village to your list this year, and help us increase our impact on the AppSec community.

New ZAP Chat Video: Automation Framework Part 3
https://www.youtube.com/watch?v=4phnMy9iCPY&list=PLEBitBW-HlsvFEfyWdpLe6IlQoitjaPCX&index=9
Covers the requester and replacer jobs
#zaproxy #appsec #automation
KubeCon 2023: Bridging the AppSec Tools Gap – Source: securityboulevard.com https://ciso2ciso.com/kubecon-2023-bridging-the-appsec-tools-gap-source-securityboulevard-com/ #SecurityBoulevard(Original) #rssfeedpostgeneratorecho #ApplicationSecurity #CloudNativeSecurity #CyberSecurityNews #SecurityBoulevard #Risk&Compliance #SocialFacebook #CloudSecurity #Cybersecurity #Governance #KubeCon #SocialX #Apiiro #AppSec #News
While #AppSec has its technical challenges (for example, CI/CD), the real clincher is how you deal with your customers, the engineering org.
The level of difficulty of working with the engineers partially depends on the company and engineering culture.
It takes a lot of effort and brain power to be considerate of the needs of the developers when it comes to serving them. It takes some real people and communication skills to manage that working relationship.
What other common themes and problems are you aware of when it comes to working in #ApplicationSecurity?
🎄 🕎 🎅 Add AppSec Village to your list this Giving Tuesday! We've been ever so nice!
Help us reach even more villagers in 2024! 👯 👯 👯 👯
AppSec Village is a registered 501c3. We are 100% volunteer-run and reliant on the generosity and support of the community.
#GivingTuesday #AppSec #applicationsecurity #appsecurity #apisecurity

Check out the public assessment report from the Zeal wallet extension & backend. Learn about things to look for in your apps & how our assessments can identify vulnerabilities before the bad guys do.
https://doyensec.com/resources/Doyensec_Zeal_SecurityReport_Q32023_v5_AfterRetest.pdf

Just published a new post exploring Google, Bing, DuckDuckGo and ChatGPT through their content security policies (CSP) in @secutils. Check it out! https://secutils.dev/docs/blog/explore-websites-through-csp #opensource #appsec #microsaas #buildinpublic

CVE-2023-49103 is a vulnerability in #ownCloud that exposes the PHP environment. In containerized deployments, this includes the ownCloud admin password, mail server credentials, and license key.
Patch before your ownCloud instance becomes an ownedCloud instance :blobcatphoto:
#CVE202349103 #Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE
👉 Do you wish to stay updated on the latest #application #securitytrends?
Our state of #applicationsecurity report (Q3 2023) can help you.
It consists of an analysis of 2 billion+ attacks and details #ZeroDay, #DDoS, #Bot & #API attack trends.
The report also includes findings on:
- The top vulnerability exploits along with aging trends of #vulnerabilities
- Geo trends of #cyberattacks
- Industry-based attack trends
- Mitigation methods for open vulnerabilities
Get your copy for free: https://bit.ly/3T1apO5
#cyberattacks #appsec #applicationattacks #cyberthreats #apptrana #indusface

👉 Don't be caught unprepared for a #DDoS attack.
Make this playbook a part of your #ddosmitigation plan to maximize success in fighting against such attacks:
To know more: https://bit.ly/47uVPCX
#ddosattacks #ddosprotection #SOC #devops #waap #webapplications #cyberattacks #managedddos #cybersecurity #appsec #apptrana #indusface

what do you do to practice your security skills? | A Tester's Journey: AskAppSec - Capturing Flags https://www.lisihocke.com/2023/11/askappsec-capturing-flags.html #AskAppSec #AskInfoSec #AppSec #InfoSec
The latest edition of the Illuminated Security newsletter is now winging its way to subscribers. Today’s topic is everyone’s favourite: JSON Web Tokens! Yay!
“JSON Web Token Right Answers”
https://buttondown.email/illuminatedsecurity/archive/json-web-token-right-answers/
The average user of https://cvecrowd.com sends about 9 HTTP requests to the web server.
On November 2nd, TWO MILLION requests were sent from three IP addresses in two hours.
The Anatomy of an Attack 🧵
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #BlueTeam #CveCrowd
Repository Accounts and Administrators
~~
ACM.391 Thinking about software development environments, permissions, complexity, and naming conventions
~~
#cloud #security #appsec #application #code #repository #deployment #aws
https://medium.com/cloud-security/repository-accounts-and-administrators-da29e79ef5b0
My talk about (non-distributed) denial of service at OWASP Manchester is now online! #appsec #owasp https://youtu.be/watch?v=b2o4m-eE-io
Why have trolls been attacking me since April?
...And why have those same trolls been attacking the same victim, sci-fi author Patrick Tomlinson, for five years?
Watch 👀 or listen to my Conference Keynote:
"Psychologically-Motivated Threat Actors"
https://youtube.com/watch?v=_Ov_jBhsQZk
Slides are linked in the video description! #infosec #appsec #cybersecurity #threatintel
AppSec Ezine - 510th Edition https://pathonproject.com/zb/?35233c39f61243f3#XMHIBjThb3URJ2UdTM7G0J4gOo7nbdu/dIONIh3vwiE= #AppSec #Security
The Client Side Integration add-on now supports passive scanning: https://www.zaproxy.org/docs/desktop/addons/client-side-integration/pscan/
#zaproxy #appsec #dast
New ZAP FAQ: How do I use Chrome with ZAP in Docker?
https://www.zaproxy.org/faq/how-do-i-use-chrome-with-zap-in-docker/
#zaproxy #appsec
A new ZAP Chat video has just been published : https://www.youtube.com/watch?v=1fcpU54N-mA&list=PLEBitBW-HlsvFEfyWdpLe6IlQoitjaPCX&index=8
In this video @psiinon and @yiannis cover the ZAP Automation Framework environment, passiveScan-config and alertFilter jobs
#zaproxy #appsec #automation
Would love your responses to a poll on LinkedIn.
You're working in an #InfoSec or #GRC job when you're told that you're now responsible for the #AppSec programme.
You can go to a training course to help you understand this area better. Which title do you find most compelling?
https://www.linkedin.com/feed/update/urn:li:activity:7132276385028485121
After years of development, we're glad InQL inspired Portswigger to start including #graphql testing functionality in BurpSuite natively.
Try their "early adopter" functionality here: https://portswigger.net/burp/releases/professional-community-2023-11-1
Alternatively, you can try InQL's stable release here: https://portswigger.net/bappstore/296e9a0730384be4b2fffef7b4e19b1f
#doyensec #appsec

Learn all about ZAP Technology Support: https://www.zaproxy.org/blog/2023-11-20-technology-support/
#zaproxy #appsec #dast
💁 CVECROWD UPDATE
https://cvecrowd.com has just been updated to show an indicator of whether a #CVE is in the #CISA #KEV catalog.
The catalog contains vulnerabilities that **have been exploited** in the wild and is a great resource for vulnerability management prioritization.
The indicator on cvecrowd is placed in the header of each affected CVE column and links to the catalog entry.
I hope you find this useful!
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CveCrowd
Calling all developers: Want to be a security superhero? Get exclusive app security content delivered right to your inbox, for free! 💪📧 Join my newsletter!
#AppSec #SuperDev #StayProtected
newsletter.shehackspurple.ca/developers
A new setting to enable for :github: Secret Scanning is “non-vendor patterns”.
This now covers some private keys, database connection strings and web auth headers, and will grow over time: it won’t offer push protection.
For public repos on #GitHub you can enable everything above 👆 for 🆓.
(For private repos on GitHub Enterprise you can buy Advanced Security for this security experience; with new AI enabled features coming soon, on top of what public repos get)
Teaser!
#KEV indicators on https://cvecrowd.com coming soon!
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd
OWASP Global Appsec Singapore videos are up. I haven't watched them but it looks like some awesome stuff.
https://youtube.com/playlist?list=PLpr-xdpM8wG8d649tc8KpUJuCAPQAjrhm&si=jcGUiJSM7ErO0vew
There's a new ZAP Chat video - Automation Framework Part 1
c/o @psiinon and @yiannis
https://youtu.be/19Rptj2be1Y
#zaproxy #appsec #automation
From the Blog: @Brightsec and Manas partnered together to create Crystal development tools.
This is the story behind the four new tools:
https://crystal-lang.org/2023/11/15/bright-manas-partnership/
Big hint if you add tasks to a cronfile - don't put credentials like usernames/passwords in your cronfile. Why? Cron likes emailing results, and the email might just include the command line used, including those credentials. It's likely that there's a lot more folks who can see the contents of those emails than can see the contents of your cronfile.
(TBH, you shouldn't be hardcoding credentials anyway...)
When it comes to creating and maintaining secure applications, what keeps you up at night? What do you worry about? What is the worst that can happen? Tell me the worst, and let's see what we can do about it.
#appsec #unsplash #cybersecurity
One of the challenges in #AppSec is ensuring that sensitive information doesn't end up in places it shouldn't. I know about secrets scanning in codebases, but I'm struggling to find anything that does secrets scanning on logs. This feels like a gap between secrets scanning and data leakage prevention.
Does anyone know of any tools that can handle logging?
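The gap described in the post above can be closed with a small detector that sits in the log pipeline. The following is an added example, not a tool mentioned in the post: it runs a handful of credential-format patterns over constructed sample log lines, reports each hit and emits a redacted copy of the line. The AWS-style and GitHub-style token values are made up and only follow the public format of those credential types.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines for demonstration. The token-like values are
# made up and follow only the public *format* of each credential type.
SAMPLE_LOGS = [
    "2023-11-20T10:01:02Z INFO  login ok user=alice",
    "2023-11-20T10:01:05Z DEBUG s3 client init AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001",
    "2023-11-20T10:01:09Z DEBUG outbound GET /api Authorization: Basic YWxpY2U6aHVudGVyMg==",
    "2023-11-20T10:02:11Z WARN  db connect postgres://app:S3cretPass@db.internal:5432/prod",
    "2023-11-20T10:02:30Z INFO  git push token=ghp_abcdefghijklmnopqrstuvwxyz0123456789",
    "2023-11-20T10:03:00Z INFO  request id=7f3a done",
]

# Each pattern either matches the whole secret, or captures the secret in
# group 1 when surrounding context (a header name, a URL) is needed to
# recognise it.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "basic_auth_header": re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"),
    "url_credentials": re.compile(r"://[^/\s:@]+:([^@\s]+)@"),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # the log line with every detected secret masked


def redact(line: str, pattern: re.Pattern, kind: str) -> str:
    """Replace the secret part of each match with a [REDACTED:kind] marker."""
    def repl(m: re.Match) -> str:
        if m.lastindex:  # secret is in group 1; keep the surrounding context
            start, end = m.span(1)
            whole = m.group(0)
            return whole[: start - m.start()] + f"[REDACTED:{kind}]" + whole[end - m.start():]
        return f"[REDACTED:{kind}]"
    return pattern.sub(repl, line)


def scan_logs(lines: List[str]) -> List[Finding]:
    """Return one Finding per (line, secret type). The redacted text is what
    should be forwarded to the log store instead of the original line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits = [kind for kind, pat in SECRET_PATTERNS.items() if pat.search(line)]
        redacted = line
        for kind in hits:
            redacted = redact(redacted, SECRET_PATTERNS[kind], kind)
        findings.extend(Finding(line_no, kind, redacted) for kind in hits)
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```

Running the scanner as a filter in front of the log shipper gives two outputs: the findings feed an alert (a secret reached a log statement, so the code path needs fixing) and the redacted lines are what actually get stored. Format-based patterns catch prefixed tokens and structured credentials; generic passwords without such structure still need the context patterns (connection strings, auth headers) or an entropy check.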
Server Side Request Forgery is becoming such a problem in this hybrid hosting environment, it made it to the Top 10 at OWASP. (Number 10, but still). I have been seeing it a LOT more in my tests.
Does anyone have any cool exploit writeups for SSRF? I don't usually worry about exploits if it is obviously vulnerable, but I am getting a lot more "But what can you DO with it" and I really just know the basics.
what do you do to make keeping dependencies up to date work? | A Tester's Journey: AskAppSec - Dependency Updates https://www.lisihocke.com/2023/11/askappsec-dependency-updates.html #AskAppSec #AskInfoSec #AppSec #InfoSec
Looks like I’ll be unexpectedly looking for new clients sooner than expected. If you know anyone who needs a #appsec, applied #cryptography, identity & access management (#iam, #oauth, #oidc, #saml) or #Java security expert, send them in my direction please.
See https://www.illuminated-security.com/ for additional services and contact details.
Please boost for visibility, many thanks.
https://cvecrowd.com has received several updates in the past week that I would like to share with you:
• Moved from cve.mitre.org to cve.org (!)
• Implemented limit on exclusive CVE columns per user
• Frontend changes to the home and about pages
Read more below 🧵
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd
Answering my web #AppSec interview question from yesterday!
Question 61: Explain how CRLF Injection works and describe possible ways it could be exploited.
CRLF (Carriage Return, Line Feed) injection occurs when it is possible to inject those characters (\r\n) into a response header, allowing the attacker to create new lines.
CRLF Injection can be used to create Set-Cookie headers, causing cookies to be created in the victim's browser. This is one criterion for a Session Fixation attack.
If the attacker can inject multiple \r\n and affect the response body, they may be able to perform XSS, redirect the user off-site, or attempt a social engineering attack.
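The defensive side of the answer above is to validate header values before they reach the raw response. The following is an added example, not code from the post: a naive redirect builder that concatenates an untrusted value into the header block (so a CRLF in the value becomes a new header line) next to a hardened builder whose header setter rejects CR, LF and other control characters. `header_count` only exists to make the difference measurable.

```python
import re
from typing import Dict, Optional

# Header values may contain visible ASCII, space and horizontal tab (RFC 7230
# field-content); everything else, in particular CR (\x0d), LF (\x0a) and NUL,
# is rejected outright rather than silently stripped.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 token, for header names


def validate_header_value(value: str) -> Optional[str]:
    """Return None if the value is safe to emit, otherwise a rejection reason."""
    m = _CTL.search(value)
    if m:
        return f"control character 0x{ord(m.group(0)):02x} at offset {m.start()}"
    return None


def set_header(headers: Dict[str, str], name: str, value: str) -> None:
    """Add a header only after validating both the name and the value."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"illegal header name {name!r}")
    reason = validate_header_value(value)
    if reason:
        raise ValueError(f"illegal header value: {reason}")
    headers[name] = value


def build_redirect_naive(location: str) -> str:
    """Vulnerable: the untrusted value is concatenated straight into the raw
    header block, so an embedded CRLF starts a new header line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n"


def build_redirect_safe(location: str) -> str:
    """Hardened: the value goes through set_header(), which raises on CRLF."""
    headers: Dict[str, str] = {}
    set_header(headers, "Location", location)
    lines = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"HTTP/1.1 302 Found\r\n{lines}\r\n"


def header_count(raw_response: str) -> int:
    """Number of header lines in a raw response (shows the injected line)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # minus the status line
```

Rejecting rather than stripping is deliberate: a stripped value still lets an attacker-controlled string change the meaning of the header (for example the redirect target), and the failed validation is a useful log event. Most mature HTTP frameworks already perform this check in their header APIs; the bug appears when code bypasses them and writes to the socket or to a proxy's raw header buffer directly.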
#CveCrowd users, I am currently undecided on how to display posts with multiple CVEs in them (the screenshot is an example).
These alternatives exist:
• List them under each CVE column they mention - means the same post is listed multiple times.
• List them only once. Which CVE column should they be assigned to?
• Don't list them at all.
What do you think?
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 61: Explain how CRLF Injection works and describe possible ways it could be exploited.
What makes you angry in cyber security or #infosec? What ticks you off? And why?
#appsec #programming #cybersecurity
Answering my web #AppSec interview question from yesterday!
Question 59: Describe some methods for bypassing SSRF detection filters.
1. Use different IP address representations (e.g. decimal, hex).
2. Use DNS to resolve a domain to a target IP address.
3. Abuse open redirects and (double) URL encoding.
4. Abuse lax URL validation / parser confusion (e.g. using valid-host@attacker-host or attacker-host#valid-host, etc.)
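The mitigation counterpart to the bypass list above is an outbound URL check that does not rely on string matching. The following is an added example, not code from the post: it parses with `urllib.parse.urlsplit` so userinfo and fragment tricks land in the right fields, enforces a host allowlist, resolves the host and rejects any non-public answer. The allowlist and the `FAKE_DNS` answers are constructed so the block runs offline; the second fake entry imitates a permitted host whose DNS points at an internal address.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def resolve_with_dns(host: str) -> Set[str]:
    """Real resolver: every address the host currently resolves to.
    getaddrinfo also normalises decimal/hex/octal address spellings."""
    return {ai[4][0].split("%", 1)[0] for ai in socket.getaddrinfo(host, None)}


# Constructed resolver answers so the example runs offline.
FAKE_DNS = {"api.example.com": {"1.2.3.4"}, "cdn.example.com": {"10.0.0.5"}}


def resolve_fake(host: str) -> Set[str]:
    return FAKE_DNS.get(host, set())


def is_public_address(text: str) -> bool:
    ip = ipaddress.ip_address(text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str,
                          resolve: Callable[[str], Set[str]] = resolve_with_dns) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied fetch target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # "https://api.example.com@attacker.example/" parses with hostname attacker.example
        return False, "userinfo not allowed"
    host = parts.hostname  # lower-cased, port stripped, fragment already excluded
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

Two caveats a reviewer would raise. First, checking the resolved address and then letting an HTTP client resolve the name again is a time-of-check/time-of-use gap (the DNS rebinding post earlier in this feed is exactly that); the fix is to connect to the validated IP and send the hostname in the `Host`/SNI fields. Second, the client must not follow redirects automatically, or each redirect target has to go through the same check.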
It's taken me almost a year to write (and edit) my rant about categories and acronyms in cybersecurity. Which acronyms or categories annoy you the most? Security teams don't need more tools, they need efficient ways to mitigate risk and respond quickly to threats or attacks - especially now to keep up with faster development cycles.
https://www.techtarget.com/searchsecurity/opinion/Cloud-native-app-security-Ignore-acronyms-solve-problems
#cloudsecurity #applicationsecurity #appsec #cspm #sast #dast #iast #sca #sbom #ciem #asoc #dspm #aspm #cnapp #cdr #mdr #itdr #ndr #mdr #xdr #edr #cnapp #wapp #devsecops #cybersecurity #infosec #ciso #cso
Answering my web #AppSec interview question from yesterday!
Question 57: Describe the CL.0 variant of HTTP Request Smuggling and how it differs from standard variants (e.g. CL.TE).
CL.0 request smuggling occurs when a back-end server will ignore the Content-Length header in certain instances, while the front-end server uses it. This allows a second request to be smuggled in the first's body.
This differs from standard variants since the Transfer-Encoding header is never used, hence the name CL.0 instead of CL.TE.
Wondering what CVEs are being discussed on Mastodon right now?
I've just launched https://cvecrowd.com, a website that shows you exactly that!
Learn more below 🧵
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #CVE #CveCrowd
Can someone from the #AppSec or #SysAdmin community unpack the impact of https://infosec.exchange/@BleepingComputer/111297610409573448 to me?
My gut feeling is that it's nothing good for privacy.
Answering my web #AppSec interview question from the other day!
Question 56: What are some common OAuth 2.0 flaws & misconfigurations?
1. Insecure implementation of the implicit grant type.
2. Cross-Site Request Forgery (insecure state parameter).
3. Session hijacking via redirection (e.g. redirect_uri).
4. Improper scope validation.
Hey #appsec and #infosec fedi friends: where do you tend to be happy to read blog posts about industry/technical topics these days? I’ve always just collected stuff in an RSS/Atom feed reader, so I’ve never much cared about “social features” of things like Medium or Substack…
But I realize a lot of people *do* care, so: if I want to start a mainly-appsec blog, where would you recommend I do so? Why?
Based on https://www.sonatype.com/resources/log4j-vulnerability-resource-center it seems like 20% of downloads of log4j are for vulnerable versions! Why are so many folks not updating their maven projects to use log4j versions that aren't vulnerable?
Perhaps we'd be better off ensuring that vulnerable versions aren't available any more?
Answering my web #AppSec interview question from the other day!
Question 55: What is formula injection and how might it be exploited?
Formula injection, also known as "CSV Injection", occurs when an attacker can insert an Excel-like formula (e.g. =1+1) into an application's CSV export functionality. Since most CSV files are opened in an Excel-like program, the formula will execute instead of displaying the raw data.
This can be exploited by including a malicious formula which executes OS commands, for example the following which opens notepad.exe:
=cmd|'/C notepad'!A1
Other exploits can include data exfiltration via clickable links or DNS lookups.
Formula injection is a relatively controversial vulnerability, since the actual exploitation takes place entirely on the victim's computer, and not within their browser (like XSS). In addition, multiple warning popups generally appear when a user opens a document containing executable payloads, and the user must "willingly" enable their functionality.
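On the export side the usual mitigation is to neutralize cells that a spreadsheet would treat as formulas. The following is an added example, not code from the post: a per-cell neutralizer that prefixes a single quote to any string starting with a formula-leading character, a CSV writer that applies it to every row, and a detection helper that reports which user-supplied cells would have been interpreted as formulas. The sample rows are constructed.

```python
import csv
import io
from typing import Any, Iterable, List, Tuple

# Characters that make a spreadsheet interpret a cell as a formula when they
# lead the cell. Tab and CR are included because some importers treat them as
# separators that let the following character lead a new cell.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: Any) -> Any:
    """Prefix a leading formula character with a single quote so spreadsheet
    software shows the text literally. Non-string values are left unchanged,
    so genuine negative numbers exported as numbers are not affected."""
    if isinstance(value, str) and value.startswith(FORMULA_LEADERS):
        return "'" + value
    return value


def write_safe_csv(rows: Iterable[Iterable[Any]]) -> str:
    """Serialise rows with every cell neutralized and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(rows: List[List[Any]]) -> List[Tuple[int, int]]:
    """Detection side: (row, col) of cells that would be interpreted as
    formulas, for logging before the export is produced."""
    return [(r, c) for r, row in enumerate(rows) for c, cell in enumerate(row)
            if isinstance(cell, str) and cell.startswith(FORMULA_LEADERS)]


if __name__ == "__main__":
    # Constructed rows: the second and third contain user-supplied text.
    sample = [["name", "comment"], ["bob", "=1+1"], ["eve", "@SUM(A1)"]]
    print(find_formula_cells(sample))
    print(write_safe_csv(sample), end="")
```

Quoting on its own is not a defence: the CSV quotes are consumed by the parser and the cell content is then evaluated as usual, which is why the prefix is applied to the value itself. The trade-off is that legitimate text starting with `-` or `+` (phone numbers, diffs) is shown with a leading quote; exporting such fields in a dedicated format, or as numeric types, avoids that.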
#AppSec loves #Agile! At least I think there’s a compelling case to be made. Find out between the private sector and UK government who thought I was preaching to the converted: https://beny23.github.io/posts/appsec_loves_agile/
#BSidesMunich23 was awesome as my first security conference - what are your recommendations for the next? | A Tester's Journey: AskAppSec - BSides Munich 2023 https://www.lisihocke.com/2023/10/askappsec-bsides-munich-2023.html #AskAppSec #AskInfoSec #AppSec #InfoSec #BSides @BSidesMunich
#appsec folks, can you think of any concern with using a pseudorandom sequence (vs a higher quality random) for a response id header (eg x-request-id)? I can't figure out anything nefarious someone could do with that info but maybe I'm not being creative enough
Answering my web #AppSec interview question from the other day!
Question 54: Describe the process of finding and exploiting a Server-Side Template Injection.
1. Identify inputs which may end up in templates (either reflected or stored values).
2. Use a polyglot payload like ${{<%[%'"}}%\ to try and generate template errors.
3. Use several different arithmetic payloads (e.g. ${7*7}, {{7*7}}, <%=7*7%>) to try and detect / verify the version of the templating engine.
4. Check for known exploits of the templating engine for reading/writing files or performing OS command execution.
what makes security champions programs effective? | A Tester's Journey: AskAppSec - Security Champions https://www.lisihocke.com/2023/10/askappsec-security-champions.html #AskAppSec #AskInfoSec #AppSec #InfoSec
ZAP 2.14.0 is here!
https://www.zaproxy.org/blog/2023-10-12-zap-2-14-0/
#zaproxy #appsec
Oof. Storing CVVs, nothing could go wrong obviously. https://www.headforpoints.com/2023/10/12/air-europa-suffers-major-data-breach/ #appsec #fail
If you could wave a magic wand, and "solve" 3 security problems, what would they be? And why?
#appsec #securecode #cybersecurity
Answering my web #AppSec interview question from the other day!
Question 53: Describe the process of finding and exploiting a web cache poisoning issue.
1. Identify unkeyed inputs (usually header / cookie values) using a tool like Param Miner.
2. Test identified inputs for client-side vulnerabilities (e.g. XSS, Open Redirect).
3. Send the payload to the server multiple times until it is cached by the web cache.
4. Verify the exploit by sending the request without the unkeyed input to see if the payload gets returned.
AppSec Ezine - 503rd Edition https://pathonproject.com/zb/?a6370fbb4e09c2b9#RQQxcnM5EkbPcIhkV+KW8ZxwhMtzIjTUBOcl7ChUH+0= #AppSec #Security
Answering my web #AppSec interview question from yesterday!
Question 52: Name some potential attacks against JWTs.
1. Lack of signature verification.
2. "none" algorithm support.
3. Accepting embedded / remote signing keys.
4. Brute-forcing weak keys.
5. Algorithm confusion.
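The five attack classes listed above map to five checks in a verifier. The following is an added example, not code from the post and not a library's API: a stdlib-only HS256 verifier that pins a single algorithm (rejecting `none` and any confusion with an asymmetric algorithm), refuses header fields that would let the token supply its own key (`jwk`, `jku`, `x5u`, `x5c`), enforces the RFC 7518 minimum key size for HS256, compares signatures in constant time and requires an unexpired `exp`. `DEMO_KEY` and the tokens built by `demo_tokens` are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed demo key; 37 bytes, above the 256-bit minimum RFC 7518 sets for HS256.
DEMO_KEY = b"constructed-demo-key-0123456789abcdef"


class JWTError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: Dict[str, Any], key: bytes,
               header_extra: Optional[Dict[str, Any]] = None) -> str:
    """Issue a compact JWS with HS256. header_extra exists only so the demo
    can build deliberately bad tokens."""
    header = {"alg": "HS256", "typ": "JWT", **(header_extra or {})}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Strict verification: one pinned algorithm, no key material taken from
    the token, constant-time signature comparison, mandatory expiry."""
    if len(key) < 32:                                    # 4. weak keys
        raise JWTError("key shorter than 256 bits")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        raise JWTError("undecodable header")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        # 2. and 5.: "none" and any other algorithm are refused before signature handling
        raise JWTError(f"algorithm not allowed: {header.get('alg') if isinstance(header, dict) else None!r}")
    for field in ("jwk", "jku", "x5u", "x5c"):            # 3. embedded / remote keys
        if field in header:
            raise JWTError(f"header {field} not accepted")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        provided = b64url_decode(s_b64)
    except ValueError:
        raise JWTError("undecodable signature")
    if not hmac.compare_digest(expected, provided):      # 1. signature is always checked
        raise JWTError("signature mismatch")
    try:
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise JWTError("undecodable payload")
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), (int, float)) \
            or payload["exp"] <= current:
        raise JWTError("missing or expired exp")
    return payload


def check_token(token: str, key: bytes, now: Optional[float] = None) -> str:
    """'ok' or the rejection reason, e.g. for an authentication log."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except JWTError as exc:
        return str(exc)


def demo_tokens(key: bytes = DEMO_KEY) -> Dict[str, str]:
    """Constructed tokens exercising each attack class from the list above."""
    claims = {"sub": "alice", "exp": 2_000_000_000}
    good = sign_hs256(claims, key)
    h, p, s = good.split(".")
    return {
        "valid": good,
        "alg_none": b64url_encode(b'{"alg":"none"}') + "." + p + ".",
        "tampered": h + "." + b64url_encode(b'{"sub":"admin","exp":2000000000}') + "." + s,
        "embedded_jwk": sign_hs256(claims, key, {"jwk": {"kty": "oct", "k": "attacker-chosen"}}),
        "expired": sign_hs256({"sub": "alice", "exp": 1_600_000_000}, key),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:13s} -> {check_token(tok, DEMO_KEY)}")
```

The design point is that the verifier never consults the token to decide how to verify it: algorithm, key and key type are fixed by the relying party. In production the same shape is obtained from a JWT library by passing an explicit `algorithms=["HS256"]`-style allowlist and a key object of the matching type; the failure mode behind attacks 2, 3 and 5 is a library call that accepts whatever the header announces.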