Vulnerability Assessments

Post: Mobile Application Assessments By The Numbers at AppSecEU

The slides from the OWASP AppSecEU presentation “Mobile Application Assessments By The Numbers: A Whole-Istic View” are online here: Application Security Assessments by the Numbers – A Whole-istic View – OWASP AppSec EU 2015 from Denim Group The abstract for the talk was: By analyzing the data from over 60 mobile application security assessments, we […]

Post: Austin ISSA Slides: Structuring and Scaling an Application Security Program

The slides from my talk at Austin ISSA yesterday are online here: Structuring and Scaling an Application Security Program from Denim Group The title of the talk was: Structuring and Scaling an Application Security Program And the abstract  was: Most organizations understand that the software they develop and deploy exposes them to risk from attackers. […]

Post: Mobile Application Security – Don’t Cheat Yourself

I recently did a webinar on mobile application security where we looked at some statistics pulled from a subset of our mobile security assessments to look at a couple of important issues: Where do the most serious vulnerabilities exist in mobile applications (mobile code, enterprise web services, or 3rd party web services)? What types of […]

Post: Limitations of Automated Tools for Dynamic Web Application Security Scanning

They can only find technical flaws in applications, not logical flaws. Application security scanners identify only around 30% of the most serious flaws that exist in large-scale web software systems. They cannot find the more serious vulnerabilities that are potentially painful to mitigate, such as architectural or design flaws that were introduced before coding or […]

Post: Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing  their expanding portfolio of mobile applications also provides avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts – they have code that runs on untrusted user devices, code running on corporate web services, […]

Post: Let’s Talk About Application Attack Surface

Have you ever wondered about your application’s attack surface? What URLs will respond to requests? And what HTTP methods will they respond to? And what parameters can be passed in? You probably think you know what is exposed but do you really? Why is this something you should even care about? I’d suggest a couple of reasons: […]