#appsec
The cornerstone of my PhD thesis hangs on two general concepts: universal constraints and the math concept known as a drunken walk.
In the first theory, I am proposing that design patterns themselves operate as a universal constraint. Even if a developer is not aware of formal patterns, the reality is that they are constrained to working inside of them. The web has 3 main routing patterns, presentation layers have only 2ish ways to display data, and even SPAs are a combination of eventing patterns coupled against the first two points. Infrastructure requirements of a given language will impact how clean or not clean those all work.
The second theory is that although a person with zero external or internal motivation (aka moves randomly) could move in any direction, they most likely will end up close to where they started. This was used as the basis of trying to track mosquitos. Given an origin location, no outside motivations, you could take the rate of travel coupled with lifespan of mosquito to determine a general guess of area they could travel. But is that likely? The answer is no-- mosquitos mostly don't go very far from where they started.
So how do those two meet? Well, if we assume that developers are constrained by formal patterns, and though it is possible that they could create unique and new innovative solutions-- it is more probable that most software is various rehashes of formal patterns (of various quality).
My hope is, just like we can categorize images quickly to see dogs and cats and apples, we _should_ be able to use the aforementioned to help create geometric shapes that define these design patterns and use ML to identify those shapes in any given website.
Zip-slipping to RCE via Auto-Reload: OpenRefine is prone to critical security vulnerability (CVE-2023-37476). Read more in our latest blog post:
OSI Model Unveiled: Navigating Network Layers!
Explore the OSI model, its seven layers, and the fundamental concepts behind each layer, from hardware at the Physical Layer to user interfaces at the Application Layer: https://bit.ly/3PV1zzz
#OSI #OSI7 #networklayers #communicationlayers #DNS #webapplications #cybersecurity #appsec #apptrana #indusface

Turns out that malicious actors have been doing what I thought about a while ago with DependaBot :thisisfine:

Here is my latest article about the study process for CompTIA Security+. I realize not everyone is a fan of certifications but I needed this one for myself in order to understand Information Security a "bit by bit" better :)
Originally I studied the art of IT and I have a BFA in New Media. I preferred to enjoy learning computer science amidst visual artists at university level - we assembled physical sensors and coded interactive poetry as audio-visual experience designs for web1.0 media, trying to create web2.0 at that time.
Unfortunately almost nobody outside of our circle understood anything we were doing, it was ActionScript machine learning and Flash Media Server video streaming platforms before social media and smartphones.
So here I am again many years later enjoying seeing where the Internet went with all this from a security perspective. I can't think of anything more complex made up by humans than the depths of Cyber Security, of which this is merely the surface.
https://medium.com/cyberpower-telenoia/how-i-certified-with-comptia-security-in-2023-142cdfb5b2
#certification #study #exam #comptia #cybersecurity #security #infosec #appsec
Answering my web #AppSec interview question from the other day!
Question 47: Name some user account enumeration techniques.
1. Error/success messages on login / registration / forgot password pages.
2. Insecure Direct Object References.
3. Timing Attacks (e.g. login).
4. Excessive data exposure on APIs (e.g. /v1/users).
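An added example, not from the original post: the same login check written twice, once leaking account existence through its messages and its timing (items 1 and 3 above), once answering uniformly. The user store, passwords and the pbkdf2 cost are constructed for the demo; the same pattern applies to registration and forgot-password handlers.

```python
"""Constructed demo: a leaky login check beside a uniform one."""
import hashlib
import hmac
import os


def _hash(salt: bytes, password: str) -> bytes:
    # Slow hash so that skipping it for unknown users is a measurable timing leak.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample store: username -> (salt, hash). "alice" is the only user.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}

# Dummy record used for unknown users: real salt, impossible all-zero hash.
# It makes the hashing work identical whether or not the account exists.
_DUMMY = (os.urandom(16), bytes(32))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: distinct messages, and no hashing work for unknown users."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"              # message reveals the account does not exist
    salt, expected = record
    if _hash(salt, password) != expected:  # only real accounts pay the hash cost
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: same message and same amount of work in every failure case."""
    salt, expected = USERS.get(username, _DUMMY)
    candidate = _hash(salt, password)      # always computed, even for unknown users
    valid_user = username in USERS
    match = hmac.compare_digest(candidate, expected)   # constant-time comparison
    return "OK" if valid_user and match else "Invalid username or password"
```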
Breakdown of GPU attack:
* Cross-origin iframe should be opaque (can't see fetch response, DOM, or draw to canvas).
* CSS filters on iframe to skew 1 pixel into 2000px black/white square.
* Draw complex SVGs (>16ms).
* Observe time between requestAnimationFrame calls.
* Repeat for 30 min.
* Deduce that render speed *might* imply the GPU saw similarity (think GZIP) between your SVG and the iframe pixel elsewhere onscreen.
https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf
#appsec #webdev #gpuzip
Unauthenticated RCE vulnerability in JetBrains TeamCity (CVE-2023-42793)
We just disclosed the technical details explaining how a vulnerable Request Interceptor and a few undocumented endpoints led to code execution on one of the most popular CI/CD servers:
Ever wondered what #grayboxpenetrationtesting is all about?
Learn about this hybrid approach that combines elements of both white and #blackboxtesting.
Discover techniques, benefits, and real-world examples in our latest blog post: https://bit.ly/3ZxKsa1
#penetrationtesting #securitytesting #pentesting #whiteboxpentesting #webapplications #cybersecurity #appsec #apptrana #indusface


Congrats to Legit for raising an impressive series B. Proud to be an Advisor to the firm. #swsec #appsec
https://techcrunch.com/2023/09/20/legit-security-lands-40m-to-lock-down-apps-and-dev-environments/
I've received feedback on my #AskAppSec question "should BFFs validate input?" - check out the updated blog post for community insights! https://www.lisihocke.com/2023/09/askappsec-input-validation.html #AskInfoSec #AppSec #InfoSec
Infosec folks!
@qtc has too few followers.
He's a former colleague of mine and doesn't post much, but when he does, it's either the release of one of his groundbreaking tools, cutting-edge research, or both.
This is a definite follow recommendation!
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking
Learn more about finding DOM #XSS and instrumenting client-side #javascript using Eval Villain, a tool by Doyensec's Dennis Goodlett (@bemodtwz) !
#doyensec #appsec #websecurity #security
https://blog.doyensec.com/2023/09/25/clientside-javascript-instrumentation.html

Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 47: Name some user account enumeration techniques.
Zed Attack Proxy
You can now import Postman definitions into ZAP
https://www.zaproxy.org/blog/2023-09-25-postman-add-on/
Implemented by Vitika Soni as part of Google Summer of Code #zaproxy #appsec #gsoc #postman
Just 1 day to go!
Join this live #DDoS attack simulation with Karthik Krishnamoorthy, CTO at Indusface, as he demonstrates a wide variety of attacks and mitigation measures.
He'll demonstrate:
- The limitations of host-based rate-limits
- Building multi-pronged mitigation measures ranging from alerts to captchas to blocks
- Preventing #ddosattacks on #APIs
- How Unmetered DDoS mitigation works
Unfold all the findings in detail - reserve your seat now: https://bit.ly/3PPPRWH
#ddosmitigation #ddosprotection #apiattacks #cyberattack #cyberrisk #waap #waf #firewall #appsec #indusface #apptrana

Rate Limiting Feature for Azure WAF on Application Gateway now in Preview
This feature allows you to define custom rules to limit the number of requests from different sources, such as IP addresses, geographies, or user sessions.
#azure #microsoft #azuresecurity #waf #webapplicationgateway #appsecurity #azureapplicationgateway #appsec #webapplicationfirewall #firewall #ddos #azurewaf #cybersecurity #cloud #cloudnative #cloudsecurity #soc
Answering my web #AppSec interview question from yesterday!
Question 46: How would you recommend a customer fix an Insecure Deserialization vulnerability?
1. If possible, don't pass serialized data via user inputs at all.
2. Use "safe" serialization methods (e.g. JSON, Protobuf).
3. Digitally sign any serialized data, and verify the signature prior to deserializing it.
4. If applicable, perform type checks against deserialized data prior to using it.
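Items 2 to 4 of the answer in code, as an added example that is not from the original post: a JSON payload carrying an HMAC-SHA256 tag, verified before parsing and type-checked after. The key, the Order record and the sample values are constructed for the demo.

```python
"""Constructed demo: sign serialized data, verify before deserializing, then type-check."""
import hashlib
import hmac
import json
from dataclasses import dataclass

SECRET_KEY = b"constructed-demo-key"   # placeholder; a real key comes from a secret store


@dataclass
class Order:
    order_id: int
    item: str
    quantity: int


def sign_raw(payload: bytes) -> bytes:
    """Append a hex HMAC tag: <payload>.<tag>. Hex never contains '.', so rpartition is safe."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def serialize_signed(order: Order) -> bytes:
    """JSON (a 'safe' format: it can only produce dicts, lists, strings, numbers)."""
    payload = json.dumps(order.__dict__, sort_keys=True, separators=(",", ":")).encode()
    return sign_raw(payload)


def deserialize_verified(blob: bytes) -> Order:
    """Verify first, parse second, type-check third. Raises ValueError on any problem."""
    payload, sep, tag = blob.rpartition(b".")
    if not sep:
        raise ValueError("missing signature")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("bad signature")
    data = json.loads(payload)                     # nothing executes during parsing
    # Explicit type checks: exact key set, real ints (not bools), bounded string.
    if not isinstance(data, dict) or set(data) != {"order_id", "item", "quantity"}:
        raise ValueError("unexpected fields")
    for key in ("order_id", "quantity"):
        if type(data[key]) is not int or data[key] < 0:
            raise ValueError(f"{key} must be a non-negative integer")
    if not isinstance(data["item"], str) or len(data["item"]) > 100:
        raise ValueError("item must be a short string")
    return Order(**data)


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Demo helper: edit the signed blob without re-signing it."""
    return blob.replace(old, new)
```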
I click on links in phishing emails so you don't have to!
Part 1: DHL Delivery (thread)
#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #Phishing #DHL
Answering my web #AppSec interview question from yesterday!
Question 45: What are some questions you would ask a customer during a web app pentest scoping call?
Many questions would depend on a demo of the application, however here are a few general ones:
1. How much functionality does the app contain (e.g. no. of "pages")?
2. How complex is the functionality (e.g. any learning curves, lengthy processes, etc.)?
3. How many different roles are there / should be tested?
4. Which environment is being tested (e.g. dev, staging, prod)?
5. Do our accounts have access to test/dummy data?
6. Are there any access restrictions (e.g. VPN, IP block)?
7. Are there any custom protocols being used (e.g. proprietary encoding/encryption)?
8. Is there any rate limiting, WAF/IPS in place?
9. Are there any out of scope areas, or vulnerabilities which should not be tested (e.g. Denial of Service)?
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 46: How would you recommend a customer fix an Insecure Deserialization vulnerability?
AppSec Ezine - 501st Edition https://pathonproject.com/zb/?c8d89465d57c59f9#45Gqe95VY83agTotfEDBWkzLDg2h6obeLJy16dCI1C4= #AppSec #Security
First CVE I found: CVE-2023-36829
Blog post: https://paranoidmoth.github.io/CVE%27s/CVE-2023-36829/
Here are the glimpses of conversation from the recent #SaaSTrana Podcast.
In this SaaSTrana podcast, Mona Salvi (Senior Director, Product Security, HubSpot) talks to Venkatesh (Venky) Sundar about building a unified org structure and North Star metrics to drive security-related initiatives in a cohesive working environment.
She also shares how to manage three pillars, platform security + trust & safety + payments fraud, together under a single leadership umbrella.
Key highlights from the discussion:
- About Mona Salvi and HubSpot
- Developing the mindset of intrinsic vs. extrinsic security
- Driving secure product experiences along with focusing on core business
- The pillars of platform security + trust and safety + payments fraud
- Breaking the silos between the risk officer and the security officer
- Developing applications at speed without impacting the security
- Building security champions within the organizations
- Building North Star metrics for security teams - Security as an enabler for customers to pick the right vendor of choice
- Protecting from threats caused by OpenAI and LLM tools (The facts on utilizing security co-pilots)
Tune in to the full podcast now! Listen on:
1. YouTube: https://youtu.be/HpLD6OU9OYM
2. Spotify: https://bityl.co/L6V6
3. Amazon Music: https://bityl.co/L6V8
4. Apple Podcasts: https://bityl.co/L6VF
5. Anchor (others): https://bityl.co/L6VD
#cybersecurity #webapplications #openai #LLMTools #productsecurity #cyberthreats #webapplicationsecurity #saas #saassecurity #fraudprotection #saassecurity #appsec #apptrana #indusface

Have you ever had one of those days where you wake up with a nice cushy backlog of work that will take you through the end of the year and you're thinking "aaah" and then in two meetings eight weeks are added to that schedule?
That was my day so far.
I picked the wrong week to stop sniffing glue.
Unauthenticated RCE vulnerability in JetBrains TeamCity (CVE-2023-42793)
Attackers could steal source code and poison build artifacts to launch supply chain attacks:
Answering my web #AppSec interview question from yesterday!
Question 44: You find XSS in an application, however the customer informs you that users should be able to submit HTML code. What advice would you give them to remain secure?
The easiest solution is likely to use an HTML sanitizer like DOMPurify with an allowlist of "safe" elements and attributes.
Another option is to use a separate "sandbox" domain to host the HTML code, displaying it using an iframe. Any JavaScript code will run in the security context of the sandbox and will not be able to affect the main application.
As an additional measure, a well-configured Content Security Policy can be used to instruct the browser to only run trusted JavaScript code.
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 45: What are some questions you would ask a customer during a web app pentest scoping call?
The G2 Fall 2023 Grid® for Web Application Firewall (WAF) is out and we're a G2 High Performer once again!
We thank all our customers who helped us get here: https://www.g2.com/products/apptrana/reviews
#waf #webapplicationfirewall #firewalls #wafprotection #webappfirewall #cybersecurity #appsec #apptrana #indusface

#DDoS attacks have increased by 75% in Q2 2023 - State of AppSec Research by Indusface.
Launching a 1-hour DDoS attack costs only a couple of dollars on the dark web.
So, how does one fortify defences to ensure app and #API availability in case of an attack?
Join this live attack simulation with Karthik Krishnamoorthy, CTO at Indusface, as he demonstrates a wide variety of attacks and mitigation measures.
He'll demonstrate:
o The limitations of host-based rate-limits
o Building multi-pronged mitigation measures ranging from alerts to captchas to blocks
o Preventing #ddosattacks on APIs
o How Unmetered DDoS mitigation works
To unfold all the above findings in detail, reserve your seat now: https://bit.ly/3reqaG5
#ddosmitigation #ddosprotection #apiattacks #cyberattack #cyberrisk #waap #waf #firewall #appsec #indusface #apptrana

RCE in Tutanota Desktop: Find out how a single email could compromise a victim's machine!
The final part of our 3-part series on privacy-oriented webmailers features a parser differential, Electron security, and a blocklist bypass:
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 44: You find XSS in an application, however the customer informs you that users should be able to submit HTML code. What advice would you give them to remain secure?
#OWASP #Ottawa returns tonight @ 6pm at the University of Ottawa STEM building:
150 Louis-Pasteur Private room 117
Tonight we learn about state sanctioned #Cyberwarfare with an investigation of the Vulkan files.
https://meetu.ps/e/MqQDd/tc6qb/i
#AppSec #CyberSecurity #infosec
We will also be live streaming at:
Vamos a la playa! Our team had an amazing time visiting Palma, Mallorca for our latest company retreat! Lots of fun in the sun and "team building" - on the chairs, into the early morning hours!

How do you publicly disclose your #security #vulnerabilities
We used to post them on our forum... sometimes on #GitHub, sometimes via changelog, sometimes not at all. It was pretty haphazard, involved a lot of manual steps, and we needed to do better.
So we decided to throw some #code (and some #nocode) at this problem and centralized it all while keeping a bunch of options open for interested parties
https://community.nodebb.org/topic/17561/security-vulnerability-notifications
Answering my web #AppSec interview question from yesterday!
Question 43: Describe some potential CAPTCHA weaknesses.
1. Replay attacks - using a previously confirmed correct answer.
2. Improper input validation - removing or blanking CAPTCHA-related parameters.
3. Leaked answers - the correct answer appears somewhere in the source code (I once found a CAPTCHA which worked by using CSS to distort text).
4. Low entropy - if the set of possible answers is too small, a brute-force attack may work.
5. Machine learning susceptible - with enough training data, a computer can solve the CAPTCHA.
Answering my web #AppSec interview question from yesterday!
Question 42: Describe three "403 Forbidden" bypass techniques.
1. Using different HTTP methods (e.g. POST instead of GET), or using "method override" headers / URL parameters (e.g. X-HTTP-Method) if a back-end server supports them.
2. Using "Client Origin" HTTP headers (e.g. X-Forwarded-For) to forge our source IP address, bypassing IP-based blocklists.
3. Manipulating the URL path using directory traversal, case modification, adding characters, or double-URL encoding.
Answering my web #AppSec interview question from yesterday!
Question 41: Describe two output encoding techniques and the context in which they should be used to mitigate Cross-site Scripting.
Here's the three most common:
1. Encoding for HTML contexts involves converting the following characters into HTML entities: & < > " '
2. Encoding for HTML attribute contexts is the same, provided all attribute values are quoted correctly. If not, all non-alphanumeric characters should be converted to HTML entities.
3. Encoding for JavaScript contexts involves converting all non-alphanumeric characters into the Unicode encoding format (e.g. \u0022).
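The three encoders described above, written out as an added example (not the original post's code) and applied to one constructed input in each context. The `render` template is an assumption made for the demo.

```python
"""Constructed demo: context-specific output encoding for HTML body, attribute and JS."""
import string

_HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
_ALNUM = set(string.ascii_letters + string.digits)


def encode_html(text: str) -> str:
    """HTML body context: only the five significant characters become entities."""
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in text)


def encode_html_attr(text: str, quoted: bool = True) -> str:
    """Attribute context: same as the body when the value is quoted. Unquoted,
    every non-alphanumeric character is encoded, because a space, tab or slash
    would otherwise terminate the value and start a new attribute."""
    if quoted:
        return encode_html(text)
    return "".join(ch if ch in _ALNUM else f"&#x{ord(ch):X};" for ch in text)


def encode_js(text: str) -> str:
    """JavaScript string context: every non-alphanumeric character as \\uXXXX,
    so quotes, newlines and '</script>' cannot leave the string literal.
    Code points above U+FFFF are emitted as surrogate pairs (UTF-16 units)."""
    out = []
    for ch in text:
        if ch in _ALNUM:
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append("\\u%04X" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render(user_input: str) -> str:
    """Assumed template: the same value placed in four spots, each encoded for its context."""
    return (
        f"<p>{encode_html(user_input)}</p>\n"
        f'<input value="{encode_html_attr(user_input)}">\n'
        f"<input value={encode_html_attr(user_input, quoted=False)}>\n"
        f"<script>var name = '{encode_js(user_input)}';</script>"
    )
```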
Calling all developers: Want to be a security superhero? Get exclusive app security content delivered right to your inbox, for free! Join my newsletter!
#AppSec #SuperDev #StayProtected
newsletter.shehackspurple.ca/developers
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 41: Describe two output encoding techniques and the context in which they should be used to mitigate Cross-site Scripting.
We have just started a new Video Series covering ZAP features, new and old: https://www.zaproxy.org/blog/2023-09-15-zap-chat-video-series/
#zaproxy #appsec
AppSec Ezine - 500th Edition https://pathonproject.com/zb/?9e7f5af3cc4b2e8e#G6nJi+htygvPaVlAFUUL0v7OziJnjrYr32zM+yDmUdk= #AppSec #Security
Announcing the release of ProtoBurp++ (our fork of ProtoBurp)! ProtoBurp++ is a #burpsuite extension that enables #security researchers to encode/decode and fuzz custom Protobuf messages. It allows for fuzzing inputs using Burp's Repeater, Intruder tools and Active Scanner, as well as proxying traffic from other tools (e.g., sqlmap). Check it out today!
Does anyone know of any kind of standards for applicational logging that define events to log and a format/syntax to log them?
I've found old MITRE CEE and OWASP references below. Are there any others like these?
Please boost if you can.
https://cee.mitre.org/language/1.0-beta1/core-profile.html
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Logging_Vocabulary_Cheat_Sheet.md
Morning keynote by Paul C from the NCSC at #44CON2023. Cracking opening: "people with backgrounds in blue teaming make good red teamers". Breaking down silos is important! Same with devs and #appsec
Nice! first.org published a bunch of exemplary vulnerabilities including their CVSS v3.1 and v4.0 scores!
All examples are based on real CVEs making them pretty relatable.
These will surely help a lot when you are uncertain how to score a vulnerability.
The examples are divided into three categories:
https://www.first.org/cvss/v4.0/examples
#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #AppSec
should BFFs validate input? | AskAppSec - Input Validation https://www.lisihocke.com/2023/09/askappsec-input-validation.html #AskAppSec #AskInfoSec #AppSec #InfoSec
Introducing the all new ZAP Browser Recorder: https://www.zaproxy.org/blog/2023-09-11-browser-recorder/
Implemented by Aryan Gupta as part of Google Summer of Code
#zaproxy #appsec #gsoc
#ProtonMail - great writeup from @sonarsource on mind-blowing #XSS #vulnerability chain leading to attackers potentially reading your messages.
Sanitiser bypass with a neat trick of using CSS cross-fade()
Fascinating read:
#BugBountyTips
#AppSec
https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/
Not long until #CVSS v4.0 will be published (October 01, 2023).
I have discussed the expected changes to the Base Metric Group.
Enjoy reading!
#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #AppSec
New blog post: Parsing .DS_Store files with ZAP https://www.zaproxy.org/blog/2023-09-08-ds-store-parsing/
thanks to Skyper
#zaproxy #appsec #ds_store #macos
Answering my web #AppSec interview question from yesterday!
Question 40: In what ways could an open redirect be exploited?
1. A victim could be redirected to a malicious copy of the site and not notice, since the original URL was for the legitimate site.
2. If chained with an SSRF, it could be used to bypass URL validation and reach otherwise prohibited targets.
3. If chained with a misconfigured OAuth setup, it could be used to steal access tokens.
4. If the redirect uses the Location response header, we may be able to perform CRLF injection.
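A defensive counterpart to the answer above, added here and not part of the original post: a check for a `next=`-style redirect parameter that accepts only same-site paths or an explicit host allowlist and rejects the usual look-alikes (scheme-relative `//host`, backslashes, userinfo, suffix hosts, non-http schemes, CR/LF that would reach the Location header). The allowlist and inputs are constructed.

```python
"""Constructed demo: validate a redirect target before issuing a Location header."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "app.example.com"}   # constructed allowlist
FALLBACK = "/"


def safe_redirect_target(target: str) -> str:
    """Return a normalised, safe redirect target, or FALLBACK when `target` is not."""
    if not target or any(c in target for c in "\r\n\x00"):
        return FALLBACK            # CR/LF in a Location value means header injection
    # Browsers treat a backslash like a slash, so "/\evil.com" behaves as "//evil.com".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Purely relative: require exactly one leading slash (no "//host" form).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK            # javascript:, data:, and scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return FALLBACK            # "https://example.com@evil.com" lands on evil.com
    host = (parts.hostname or "").lower()
    # Exact match only: "example.com.evil.com" and "evilexample.com" must not pass.
    return candidate if host in ALLOWED_HOSTS else FALLBACK
```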
You can now configure the Replacer in the ZAP Automation Framework: https://www.zaproxy.org/docs/desktop/addons/replacer/automation/
#zaproxy #appsec
This is your short reminder that the IT security landscape is changing rapidly.
Before everyone was talking about #ChatGPT, no one cared about #PromptInjection.
Now it's the number one vulnerability on OWASP's Top 10 for LLMs.
Enjoy reading!
#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #AppSec #LLM
Answering my web #AppSec interview question from yesterday!
Question 39: Give some reasons why sending sensitive data in a URL query parameter is insecure.
1. URLs are generally logged, by both the server and potentially proxy services in-between the user and application.
2. URLs are also saved to browser history, which may be preserved on shared public computers.
3. The data may be visible in screenshots and screen shares.
4. Users may think it is safe to copy URLs and share them.
5. If 3rd party resources are loaded by the client-side application, the data may get sent as part of the Referer header to the 3rd party.
Stolen with Style: Dive into our technical writeup of a complex Cross-Site Scripting vulnerability we discovered in Proton Mail!
Be ready for a story about parser differentials, sandbox bypasses, and CSS data exfiltration:
Answering my web #AppSec interview question from yesterday!
Question 38: Name some ways TLS / SSL can be misconfigured.
1. Outdated Protocols (e.g. SSLv3, TLSv1.0)
2. Insecure Private Key Sizes
3. Incomplete Certificate Chains
4. Expired / Revoked Certificates
5. Insecure Cipher Suites
6. Lack of Forward Secrecy
7. Insecure Client-Initiated Renegotiation
Hey, Great Lakes region fedifolks:
There is a con in January at a waterpark (I am not kidding) called CodeMash and they are looking for interested sponsors. It is a great, inexpensive, way to get in front of 3000 developers in the region.
If you company is looking to hire, or get your name in front of developers at all, check it out:
https://codemash.org/sponsorship-info/
#codemash #conference #developer #appsec #notmanygoodhashtagsforthis
Answering my web #AppSec interview question from yesterday!
Question 37: What is Server-Side Request Forgery and how can it be detected & exploited?
Server-Side Request Forgery (SSRF) occurs when an attacker can cause a server at the back end of the application to make a "request" to a target it would not normally request from.
It can be detected by looking for parameters which contain references to URLs, hostnames, or file paths, and attempting to manipulate these parameters to see if a request is made to a server we control, or to some back-end service we can detect.
SSRF can often be exploited to retrieve files from within the environment, perform basic port scanning, leak information from request headers, execute code, and even deliver XSS payloads.
If not secured properly, one-time passwords are a lot more likely to be guessed than you think!
Ever since I've learned that #Keycloak's default configuration does not prevent #OTP brute-forcing, I wanted to discuss the topic in detail and raise awareness.
Enjoy reading!
#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #AppSec
Introducing Session Hijacking Visual Exploitation (SHVE): A new tool for taking #xss exploitation to the next level - remotely viewing a target's browser
Details on our blog: https://blog.doyensec.com/2023/08/31/introducing-session-hijacking-visual-exploitation.html
Download it today: https://github.com/doyensec/Session-Hijacking-Visual-Exploitation/
Web #AppSec interview questions! Reply with your best answer (and/or share this post!), I'll post mine tomorrow.
Question 35: What is the difference between encoding, encryption, and hashing?
ZAP updates for August: https://www.zaproxy.org/blog/2023-09-01-zap-updates-august-2023/
As you can see - a lot has been going on!
#zaproxy #appsec
Pentesting web applications thoroughly requires you to analyze their #JavaScript.
I've summarized my knowledge from 5 years of pentests into a series of threads.
Enjoy reading!
#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #AppSec
Someone is taking the piss, first curl then this rubbish? Who's out to ruin it for the rest of us? Incompetence or malice? #cve #appsec #infosec https://www.postgresql.org/about/news/cve-2020-21469-is-not-a-security-vulnerability-2701/
Moodle's domino effect (2/2): Self-XSS to Account Takeover (CVE-2023-40320).
Learn more about the technical details in our second blog post on Moodle:
#OWASP #Ottawa is returning this fall with an exciting collection of presentations starting this September 20th @ 6pm with an investigation of the Vulkan files.
allies and enemies, my GOTO Chicago keynote is now up for you to enjoy https://www.youtube.com/watch?v=AxqX9ovGViw
it covers my #resilience potion recipe, the five ingredients that matter for systems resilience, and how we can nurture them across the software delivery lifecycle
...and, ofc, where we can sprinkle in some chaos
hoping it inspires software engineers to extend existing practices / tools not only to sustain systems resilience but also make attackers miserable
Answering my web #AppSec interview question from yesterday!
Question 32: Under what circumstances is a tab's Session Storage instance preserved?
A tab's Session Storage instance is preserved if the page is reloaded, or if the user browses to another origin in the tab and later returns. If the user closes the tab, the instance is still preserved, provided the browser has the ability to reopen tabs.
In some browsers, Session Storage for tabs is preserved if the browser instance crashes rather than exiting cleanly, allowing users to resume their browsing session.
What makes you angry in cyber security or #infosec? What ticks you off? And why?
#appsec #programming #cybersecurity
WORKSHOP REGISTRATION NOW OPEN
Registration for all our #DEFCON workshops is now live on our site. https://www.appsecvillage.com/events/dc-2023
Be sure to register in advance as spot are limited.
#appsec #applicationsecurity #appsecurity #apisecurity #dc31 #defcon #defcon31
KEYNOTE ANNOUNCEMENT: We are beyond excited to share that Maril Vernon will be joining us at DEFCON for our day 2 keynote.
Maril, known as the "One Woman Purple Team", is an award-winning Ethical Hacker, Senior Application Security Architect and Purple Team Program Manager and we just can't wait to hear her talk, "Collaborative Security: Fostering Innovation and Resilient Cyber Practices."
Mark your calendars, you don't want to miss this!
People who use @semgrep, paying customers and free, what would YOU like to learn most? About the tool? About #appsec? About secure coding? About #DevSecOps? I'm planning training, help me make it the most valuable it can be.
What do you get when you combine @semgrep's cutting-edge code analysis, We Hack Purple's passion for community and training, and my infectious enthusiasm? Hint: It's a recipe for securing apps! #appsec
https://wehackpurple.com/we-hack-purple-joins-forces-with-semgrep/
https://shehackspurple.ca/2023/08/04/im-joining-semgrep-and-bringing-we-hack-purple-with-me/
Sometimes when I'm talking to vendors of products that are #AppSec related I get scared for the world. They often seem to make assumptions to what we might need, and I guess those assumptions are driven by market experience. If that's the case then a lot of organisations are barely even getting to the start line for AppSec (or *Sec TBH).
I get enough comments on how 'advanced' our AppSec is, but it's still a million miles away from where I would like it to be. The more I do, the more I realise there's so much more to be done!
@lisihocke just came across this - I love this idea of #AskAppSec - my 2 pence: BSides is a great laugh. I talked at #BSidesLeeds and #BSidesLancs and it was great both times. #AppSec is my day job, and engaging devs and testers I think is one of THE challenges, so this sounds ace!
Hey fellow #cybersecurity and #appsec professionals, hobbiests, hackers and tinkerers. I'm headed to Vegas for #BlackHat2023 and #Defcon31 for the first time in 13 years. It seems like ages and mostly because it's going to be the first time participating as a corporate AppSec lackey and not a vendor consultant, a research analyst, speaker or working for the conferences managing press like in some of the early days*.
Looking forward to seeing some of the (now older) familiar faces and meeting so many of the new folks I've only had the pleasure of making acquaintances on infosec social media from afar, and getting caught up as well as just breathing a bit while getting some training and a certificate.
Come say hi if you see me! #McIntyre
Enterprise #AppSec is one big Milgram experiment:
- #InfoSec is the man with the heart condition
- Product management is the authority figure
- App devs are the subjects
- shocks are increasing levels of insecure code / higher #CVSS scores in unpatched dependencies
AppSec: "Ah! No! I can't take it anymore! I have a heart condition!"
Dev: *looks at product*
Product: "No no, he's fine. I'll accept responsibility. Risk: accepted."
Dev: *adds a poorly implemented graphql endpoint that essentially evals customer-provided code on the database infrastructure*
AppSec: "..."
Dev: "... I think he's dead."
Product: "No no, he's fine. Just keep going. See this CVSS score of 9.9? Neither do I. Let's ship it."
AppSec: *gurgles*
I'm speaking at the very first #ThreatModCon Oct 29th in Washington, DC! Think "Threat Modeling is for Everyone", a full day of threat modelling!
tix = $30-$60 get them here: https://www.eventbrite.com/e/threatmodcon-tickets-631781644907
#threatmodelling #appSec #threatmodeling