Application Security Tools

Post: AppSec Concerns: UUID Generation

Background: During static analysis, one of the things the application security team checks for is strong random number generation for security-sensitive contexts. We see weaknesses in this space quite often for temporary passwords and session identifiers, but an increasingly common variant is for universally unique identifiers (UUIDs). The proposed UUID standard describes a UUID […]

Post: HouSecCon Presentation – SecDevOps: Development Tools for Security Pros

HouSecCon 2015 has wrapped up and the team did a great job putting on a first-rate event. I had the opportunity to give a talk about the tools that development teams use with the goal of educating security professionals and giving them ideas of how to better work together with dev teams to get issues […]

Post: Industry Leaders Collect Public Benchmarking Data Sets to Improve Software Security

On Saturday, March 28, 2015 at the OWASP SAMM Summit in Dublin, a group of Application Security leaders announced a new project that they had been working on since the summer of 2014: the industry’s first public benchmarking data for improving software security. The leaders’ vision is to offer companies a comparative data set, allowing […]

Post: Mobile Application Assessments By The Numbers at AppSecEU

The slides from the OWASP AppSecEU presentation “Mobile Application Assessments By The Numbers: A Whole-Istic View” are online here: Application Security Assessments by the Numbers – A Whole-istic View – OWASP AppSec EU 2015 from Denim Group. The abstract for the talk was: By analyzing the data from over 60 mobile application security assessments, we […]

Post: Austin ISSA Slides: Structuring and Scaling an Application Security Program

The slides from my talk at Austin ISSA yesterday are online here: Structuring and Scaling an Application Security Program from Denim Group. The title of the talk was: Structuring and Scaling an Application Security Program. And the abstract was: Most organizations understand that the software they develop and deploy exposes them to risk from attackers. […]

Post: Mobile Application Security – Don’t Cheat Yourself

I recently did a webinar on mobile application security where we looked at some statistics pulled from a subset of our mobile security assessments to look at a couple of important issues: Where do the most serious vulnerabilities exist in mobile applications (mobile code, enterprise web services, or 3rd party web services)? What types of […]