Tag · appsec

Mobile Application For Your Hacking Pleasures

posted on Apr 3, 2013 by sahba Comments:0

A short while back we released ExploitMe Mobile (EMM), our free, open source project demonstrating common Mobile Security vulnerabilities on the iOS and Android platforms. ExploitMe Mobile is a training platform built around the common Mobile Security and Application Security pitfalls. The objectives of the ExploitMe Mobile training platform are: Capture the common security…

A Message That Resonates

posted on Jun 20, 2012 by Rohit Sethi Comments:0

A couple of weeks ago I posted an article on managing security requirements on agile development at InfoQ. I was pleasantly surprised to see a number of development / agile folks respond positively to the article on the Twitterverse. In fact, I think this article got more attention from developers (not just security focused ones)…

Dealing with the “Security is Special” problem

posted on Jun 13, 2012 by Rohit Sethi Comments:0

In the last entry in our series on cultural challenges in application security, we introduced the “Security is Special” problem. We described the problem where application security issues hold a trump card over other development issues, and how that can erode the relationship between security & development. In our experience, insisting on high priorities for all security issues is one of…

LinkedIn Isn’t an Isolated Case

posted on Jun 8, 2012 by Rohit Sethi Comments:0

By now you’ve probably heard about the disclosure of unsalted, hashed passwords from LinkedIn and possibly other sites. While it’s not immediately clear how malicious attackers got a hold of the passwords, several people in the security community have pointed out that LinkedIn did not follow best practices for password storage. This deviation from best…

Applications are the Crash Test Dummies of Security

posted on Aug 10, 2011 by Rohit Sethi Comments:0

Once upon a time driving a car was substantially more dangerous than it is now. Manufacturers were not held liable for accidents caused by their processes. Then everything changed. Now car manufacturers build safety into their car design right from the start. Software developers have also begun to try and build more secure applications. The…

Safe Online Banking: A new video series

posted on Jul 20, 2011 by Oliver Ng Comments:0

I’m really excited to introduce you to a great new Security Compass video series on Safe Online Banking. These videos are for the everyday banking user (like you and me) who sometimes gets a bit concerned with the “safe”-ness of online banking. Even if we trust our banks to protect us, criminals have many sneaky…

Closing the Secure Web Application Framework Manifesto Project

posted on Mar 11, 2011 by Rohit Sethi Comments:0

Last year we released a paper called “The Secure Web Application Framework Manifesto” in the hopes of influencing web application framework developers to include more security features natively, or at least optionally, out of the box. Subsequently we made the paper into an OWASP project. Recently, Mark Curphey posted a blog entry criticizing the state of OWASP and…

5 Key Design Decisions That Affect Security in Web Applications

posted on Feb 10, 2011 by Rohit Sethi Comments:0

Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious. The following list…

Domain-Driven Security

posted on Jan 21, 2011 by seccom Comments:0

by Rohit Sethi and Yuk Fai Chan. The Problem: We have a pervasive problem in our field. We lump two disparate classes of security weakness together. Some articulate the difference as “business logic” vs. “technical” or “semantic” vs. “syntactic”. I’d like to build on a familiar term to developers: “domain”. Each kind of software weakness…