Are Automated Scans Enough to Detect All Security Problems in an Application?

Automated Scanners Are Great Tools, But Are They Enough? Spoiler alert: No, automated scanners alone cannot cover all aspects of a holistic application security plan. However, I suspect more details are in order, so I can’t end it here. For this post, we’re really talking about two main types of automated scanners: Dynamic Analysis Scanning […]

Cross-Site Request Forgery – All You Need to Know

Introduction to Cross-Site Request Forgery (CSRF) The Cross-Site Request Forgery (CSRF) vulnerability category spent over 10 years in the OWASP Top 10 (until the 2017 release), yet a large percentage of the development community still doesn’t understand the risk. Our team conducts hundreds of security assessments per year, and the results still show a high […]

Authentication vs. Authorization – What is the Difference?

What is the Difference Between Authentication and Authorization? When talking with developers, or pretty much any non-security person, I find that people typically confuse the terms “Authentication” and “Authorization”. Most of the time, non-security people treat the two terms as interchangeable and don’t realize there is a difference between them. So let me do my part to […]

Top reasons to turn your team of developers into security champions

Current trends in the IT world consistently reveal a pattern of increasingly sophisticated cyber-attacks on businesses, end-users, and software applications. The BSIMM 2016 survey indicates there is a significant shortage of software security engineers (AppSec engineers); 95 firms across six industries indicated that for every […]