Are Automated Scans Enough to Detect All Security Problems in an Application?

Automated Scanners Are Great Tools, But Are They Enough? Spoiler alert: No, automated scanners alone cannot cover all aspects of a holistic application security plan. However, I suspect more details are in order, so I can’t end it here. For this post, we’re really talking about two main types of automated scanners: Dynamic Analysis Scanning […]

Cross-Site Request Forgery – All You Need to Know

Introduction to Cross-Site Request Forgery (CSRF) The Cross-Site Request Forgery (CSRF) vulnerability category spent over 10 years in the OWASP Top 10 (until the 2017 release), yet a large percentage of the development community still doesn’t understand the risk. Our team conducts hundreds of security assessments per year, and the results still show a high […]

Authentication vs. Authorization – What is the Difference?

What is the Difference Between Authentication and Authorization? When talking with developers, or pretty much any non-security person, I find that people typically confuse the terms “Authentication” and “Authorization”. Most of the time, non-security people equate the two terms and don’t realize what the difference is between them. So let me do my part to […]

Top reasons to turn your team of developers into security champions

Top Reasons to Turn Your Team of Developers into Security Champions Current trends in the IT world consistently reveal a pattern of increasingly sophisticated cyber-attacks on businesses, end-users, and software applications. The BSIMM 2016 survey indicates there is a significant shortage of software security engineers (AppSec engineers); 95 firms across six industries indicated that for every […]

Buffer Overflow Attacks – All You Need to Know

Defining, Understanding and Preventing Buffer Overflow Attacks Buffer overflows have been a critical and powerful attack vector used for decades by cybercriminals to exploit applications. Though not as common as attack methods such as XSS (cross-site scripting) or SQL injection, buffer overflow attacks can allow custom code execution in a system, typically after crashing […]