
    DevelopSec: Developing Security Awareness

    Curious about application security? Want to learn how to detect security vulnerabilities and protect your application? We discuss different topics and provide valuable insights into the world of application security.
    James Jardine, 124 Episodes

    Episodes (124)

    Ep. 80: Understanding Security of Your Platforms

    We use a lot of platforms and frameworks when we develop an application. These platforms may provide security features, but do you know which ones? James talks about the importance of understanding your platforms and what to consider.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 79: Marketing with USB Drives

    James talks about the risk of USB thumb drives, using the recent BCBS marketing campaign as an example. (http://www.fiercehealthcare.com/privacy-security/bcbs-alabama-re-evaluates-usb-marketing-campaign-amid-security-concerns)

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 78: MySpace Lessons - Looking At Account Recovery

    James talks about a recent vulnerability report regarding MySpace's Account Recovery system (https://www.wired.com/story/myspace-security-account-takeover/).  He talks about considerations around account recovery and the need to revisit this type of functionality on a regular basis.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 77: Interactive Application Security Testing

    In this episode, James talks about Interactive Application Security Testing, or IAST. It is a hybrid approach that combines elements of both dynamic and static analysis. Listen in to learn more about it.

    The video version of this can be found at https://youtu.be/KHSlDletm9I

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 76: Validation - Client vs. Server

    Are you thinking about client-side vs. server-side input validation? Curious why each is important and when to use them? James talks about the basic concepts and how to apply them to create more secure applications.

    A video version of this podcast is now available at: https://youtu.be/irO1TOC6-i8

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 75: IAM with Geurt van Wijk

    In this episode I sit down with Geurt van Wijk from IDdriven to discuss IAM and IDaaS. Geurt has many years of experience around Identity and shares some great insights into considerations when working with it. If you typically think of Identity as just a user with credentials and some typical roles, you will want to listen in.

    You can get more information about IDdriven from https://www.iddriven.com

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

    DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

    Ep. 74: Audio Driver Key Logger Lessons Learned

    It was recently reported that an audio driver on HP systems was logging keystrokes to a local file. Accidental? Malicious? Instead of speculating, we talk about how to try and avoid this from happening in the future.

    Original Article: https://www.cnet.com/news/keylogger-discovered-on-some-hp-laptops-conexant/

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@jardinesoftware for an invitation.

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.

    Ep. 73: Identity with Vittorio Bertocci

    I sat down with Vittorio Bertocci from Microsoft at the Microsoft Build 2017 conference in Seattle, Washington. Vittorio shared some great insights into Identity and some new things around Azure AD and Azure AD B2C. Listen in to learn more about some of the interesting things going on.

    You can watch Vittorio's presentation from Build at: https://channel9.msdn.com/Events/Build/2017/B8084

    To get more information from Vittorio, you can follow him on twitter at @vibronet or check out his website at www.cloudidentity.com

    Also, check out this announcement about new authentication SDKs: https://azure.microsoft.com/en-us/blog/start-writing-applications-today-with-the-new-microsoft-authentication-sdks/

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@jardinesoftware for an invitation.

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.

    Ep. 72: Where to Perform Output Encoding

    Over the years I have had many people ask about encoding before storing data in the database.  Here are my thoughts and recommendations.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@jardinesoftware for an invitation.

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 71: Sub Resource Integrity

    Do you use hosted content on a CDN? How do you know the file hasn't been modified? James describes Subresource Integrity (SRI) and how it is used to help detect and prevent loading modified files. For details referenced in the show about commands and examples, check out our post at https://www.developsec.com/2017/04/16/sub-resource-integrity-sri/

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@jardinesoftware for an invitation.

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 70: Considering security when selecting an application platform

    Do you struggle with trying to pick the most secure application platform? Are you focusing on the right questions? James talks about ways to look at application platforms and be secure, no matter which one you choose.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Join the conversation: join our Slack channel. Email james@jardinesoftware for an invitation.

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 69: Concurrent User Sessions

    Do you allow users to log in to their accounts across multiple browsers or devices? Does this raise a security concern? James talks about how to handle this question and analyze the root issue.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 68: How the AWS disruption can help us

    I am sure you have heard about the AWS service disruption that occurred.  Have you seen how we can learn from this when we look at our own tools and processes?  James talks about how we need to look at our own applications and tools and consider how time has changed the landscape.  There might be more than you think.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 67: Clearing up HTTPOnly and Secure Cookie Attributes

    I hear a lot of people struggling with the HttpOnly and Secure attributes on cookies. The names may be confusing to some. Change your viewpoint and it may become easier.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 66: Forgot Username

    We always talk about Forgot Password... But what about Forgot Username? Listen in as James discusses why protecting this functionality is important and the ways it could be abused if not properly handled.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Security Questions: Good or Bad?

    In this episode, James talks about security questions, also called secret questions. We see them used in many different places, and people complain that they are horrible. Are they so bad that you shouldn't use them? Is it possible to reduce the risk that comes with security questions?

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 64: Using Stolen Passwords to Protect User Accounts

    A few months ago, it was announced that some companies buy stolen passwords off the black market to help protect their users. This is done by determining whether a user's password appears in that list and forcing a reset if it does. James talks about the idea and raises some interesting questions. What do you think about the tactic?

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 63: Remember Me Feature: Security Considerations

    Are you implementing, or have you implemented, a remember me feature for your application? What do you remember: the username, the password, or both? James talks about some security considerations around implementing a remember me feature for your application.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 62: MongoDB Ransomware Attacks

    Do you use MongoDB? If so, is it exposed to the internet? Recent news (linked below) has shown that a large number of MongoDB instances are being hit by ransomware. James talks about the issue and ways to help ensure you are not the next victim.

    Link to original article: http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.

    Ep. 61: Multi-factor Authentication

    Implementing multi-factor authentication isn't just about adding a second factor. There are many considerations that need to be included. One in particular: how do you handle a user losing access to that second factor? James talks about thinking this through.

    For more info go to https://www.developsec.com or follow us on twitter (@developsec).

    Presented by Jardine Software Inc. (https://www.jardinesoftware.com)

    Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Check out our 30 day advantage.