Application Security Tools

Post: Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts – they have code that runs on untrusted user devices, code running on corporate web services, […]

Post: The PHP Protocol, Filters and Local File Inclusion

Andrew wrote up some notes for our internal blog about an experience he had on a recent Capture the Flag (CTF) event. I thought they were interesting so we talked and decided to republish them here. <Andrew> I came across an interesting twist on exploiting a PHP local file inclusion vulnerability while participating in a CTF. […]

Post: OWASP Dallas: Implementation Patterns for Software Security Programs

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117. I will be giving an updated version of my talk titled “Implementation Patterns for Software Security Programs.” (See […]

Post: BSides Austin Recap: Implementation Patterns for Software Security Programs

BSides Austin 2013 was at the end of last week, and one of the things I did while I was there was give a talk about different patterns we’ve seen as we’ve helped firms put together their software security programs. Slides are online: “Implementation Patterns For Software Security Programs” from Denim Group. The abstract for the […]

Post: Developers and QA Doing Security Testing: I’ve Got Management Buy-In, Now What?

One of the things I do is answer questions as an “expert” for the web site, and they recently posted an answer I gave to a question about how to get developers and quality assurance folks to do security testing. You can see my blog post about this here as well as the original […]

Post: Search Software Quality: Who Is Responsible for Software Security Testing?

Search Software Quality published another of my answers to reader questions: “When devising an application security plan, how do you get developers and testers to assume responsibility for security when many don’t see it as part of their jobs?” You can see my full answer online, where I talk about different strategies for assigning responsibility for testing (sorry – registration required). […]