Identification, Authentication and Kenny Loggins and Logouts: What I’ve Learned On My Journey Into Application Security
“Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures.” (OWASP) Kenny Loggins is a famous singer and songwriter spanning multiple decades. If you’re not familiar with his work, just think of Footloose, Caddyshack, or Top Gun, just to name a few. I celebrate his entire collection. Let’s briefly review the basics of identification and authentication.

Jen C
Oct 6, 2025 · 3 min read
AI: Your Robot Sidekick—Now Fetching Coffee and Brainstorming Brilliant Ideas
Some of you may be using Artificial Intelligence (AI) at work or in your personal life. It’s great, isn’t it?! We work faster by enhancing our productivity! We’re more creative! We can get access to real-time information super-fast! I don’t mean to scare you, but with all good things, risks are also involved. Let’s explore how to use AI safely and be smart about it. AI clearly saves time. It can assist with research and analysis. It can help generate content quick

Jen C
Oct 6, 2025 · 2 min read


The Universe Works In Mysterious Ways…
https://medium.com/@jencracchiola/the-universe-works-in-mysterious-ways-7095ece9c9be The day my brother proposed to his girlfriend was...

Jen C
Aug 9, 2024 · 4 min read


Insufficient Transport Layer Protection Vulnerabilities: You Down With ITLP? (Yeah you know me!)
Quick, name that hip hop group! (OK, that might not have been the exact song lyrics, but some of you may have gotten it.) What is an Insufficient Transport Layer Protection Vulnerability? This is a security weakness that happens when applications do not protect network traffic, which can lead to sensitive data being exposed, intercepted, and used to steal information. The lack of protection can occur due to a number of reasons, such as the use of weak encryption algorithms o

Jen C
Dec 19, 2025 · 3 min read


Applying Data Protection in Our Applications
Under my umbrella, -ella, -ella, -eh, -eh, -eh Securing sensitive data stored and transmitted within our applications is a significant concern. To address this, we need robust encryption, strong access controls, and a thorough understanding of data protection techniques. In this article, we'll explore the importance of using data protection in our applications. “With Little Miss Sunshine, Rihanna, Where you at?" An Umbrella Analogy An umbrella and data protection both act

Jen C
Dec 18, 2025 · 3 min read


Think Before You Log: Best Practices for Preventing Log Forging Vulnerabilities
Don’t just dump every random thought into the logs. Keep it tidier than a hedgehog’s home! Unless it’s a hedgehog party—then all bets are off. If there's a bustle in your hedgerow, don't be alarmed now. It's just a spring clean for the May queen...to prevent log forging. Log forging, not log foraging (though the hedgehog is awfully cute), is a type of log injection (man-in-the-middle) vulnerability. It can occur when an attacker manipulates a log file by creating a new entr

Jen C
Dec 17, 2025 · 3 min read


Vulnerability Highlight: Beavers, Insufficient Logging and Monitoring
In the world of cybersecurity, a beaver's habits can teach us valuable lessons about the importance of logging and monitoring. While beavers are renowned for their engineering skills, particularly when it comes to building dams with logs, we, too, can learn from their example. Security Logging and Monitoring failures are in the Top Ten of the OWASP 2021 list, at number 9, but there’s no direct vulnerability that can be exploited. Yet it remains a vulnerability and can be d

Jen C
Dec 17, 2025 · 3 min read


Fuzzing (The Dynamic Software Testing Method) and Fuzzers the Caterpillar
TL;DR: Fuzzing is an automated dynamic software testing method that improves software security and reliability by feeding programs a wide range of random or unexpected inputs to detect crashes, errors, and vulnerabilities, including zero-day exploits. It is cost-effective, efficient, and particularly adept at uncovering issues like SQL injection and cross-site scripting attacks, enabling developers to identify and fix bugs early in the development process for better, more se

Jen C
Dec 16, 2025 · 2 min read


Authentication and Authorization: Best Practices for Application Security
I wrote an article titled “Broken Access Controls—Protect The Fortress!” as we dove into authentication and authorization, and what happens when access controls fail. For a brief refresher: Authentication: Are you who you say you are? Access control: now that we know who you are and what you're attempting, do you have the access to do so? Specific best practices can be followed to accomplish proper access controls. In this article, we’ll be covering how to implement robu

Jen C
Dec 16, 2025 · 3 min read


Raccoons and the Importance of Logging...In Our Applications!
I wrote an article titled “Vulnerability Highlight: Beavers, Insufficient Logging and Monitoring,” and we learned about Insufficient Logging and Monitoring at a high level... and beavers. I also wrote an article titled “Breach Please! Use of proper logging and monitoring to avoid security breaches!” In this article, we’ll take a deeper look into the importance of comprehensive application logging for detecting malicious activity and how it can help investigate security incid

Jen C
Dec 16, 2025 · 4 min read
The Nativity And The Mummified Mouse (2021)
Oh my sweet Lord, and I say that not to use his name in vain, but wow, folks, just wow…we almost had to cancel Christmas. Last weekend I cleaned out our storage area in the basement. I tossed a lot of things. I didn’t see anything scurry or scamper around while down there, but I did notice quite a few decorations were destroyed. Disappointed, I swept things up. Fast forward to earlier today… While singing along to Christmas tunes playing on our Amazon device (this is not a sa

Jen C
Nov 30, 2025 · 2 min read


A Broken Angel With Mended Wings
As I unpacked our Christmas decorations this year, a gentle nostalgia filled the air. Memories of Christmases past came flooding back—the year we discovered the nativity nestled in a hot pink feather boa, Baby Jesus beside a mummified mouse, and the time the new nativity figures dwarfed the tiny barn. I even found myself smiling at the memory of Baby Jesus being spirited away at a raucous Christmas party so many years ago, held captive as a playful holiday secret. But this ye

Jen C
Nov 30, 2025 · 2 min read
“OWASP A01:2021-Broken Access Control”
“Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k.” (OWASP.org) What is broken access control? Let's take a step back and talk about access control. Companies follow the principle of least privilege, which basically says, “Hey, we only grant access for certain things, and you can't do things outside of your

Jen C
Nov 12, 2025 · 2 min read


Avoid Cryptographic Failures With These 6 Easy Steps
In a previous article, I discussed cryptographic failures. Well, we’re gonna talk about it a bit more. Don’t think of it as a comeback, but a remix? We’ll actually focus in a little deeper on these three areas of Cryptographic Failures: Exposed Key/Poor Key Management; Insecure Randomness; Weak Algorithm Use/Inefficient Algorithms. For a brief refresher, what is a Cryptographic Failure? It’s a symptom, not necessarily a cause! It’s a security vulnerability that happens when a th

Jen C
Nov 11, 2025 · 3 min read
Cross-Site Scripting (XSS)
No, XSS isn't a shirt size. It stands for Cross-Site Scripting. These are attacks in which an attacker injects a malicious script into a trusted website through user-provided input. They might use a web application to inject the malicious code. This frequently happens when a web application uses input from a user but generates output without validating or encoding the data passed. They can also launch an attack by modifying a request. In summary, XSS is a vulnerability that can enable th

Jen C
Nov 11, 2025 · 2 min read


Security Misconfiguration? Sounds like a job for Agent Burt Macklin
OWASP Topic — “A05:2021 Security Misconfiguration” “Moving up from #6 in the previous edition, 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.%, and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category.” -OWASP What? Security Misconfiguration? Man, this sounds serious! What exactly is a Security Misconfiguration? They are attacks that exploit weaknesses in configurations found in our web ap

Jen C
Nov 10, 2025 · 3 min read


Jen's Agile Cliff Notes - SAFe PI Objectives and Iteration Goals
In a previous column, I discussed how to write SMART Goals. The following column dives in a bit deeper as to how we can use the SMART Goal format when writing PI Objectives and Iteration Goals. Every Program Increment (specifically at PI Planning), we craft and discuss our PI Objectives. What about Iteration Goals? Let’s dive into each a bit more. What is a SAFe PI Objective? It’s a summary of the business and technical goals, written in a common language for business and

Jen C
Nov 10, 2025 · 4 min read


Jen's Agile Cliff Notes - Shu Ha Ri
Have you ever heard of Shu Ha Ri before? No? Well, you will now, grasshopper! Shu Ha Ri is a Japanese martial arts concept. Remember Mr. Miyagi from the classic 1984 movie Karate Kid? “Wax on, wax off. Wax on, wax off.” Shu Ha Ri describes the stages of learning to mastery. Learning is not a linear progression! It’s a never-ending process of continual growth and improvement. You can easily apply these concepts in Agile. Shu: Shu literally means to “obey”. This is the

Jen C
Nov 9, 2025 · 4 min read


HSTS Max-Age Directives and Cyborgs
Let’s learn about HSTS Max-Age Directives. Is it just me, or does this sound like something out of RoboCop or Wall-E? What is your directive LOL? Ok seriously now, what are we talking about? Let’s start with the basics. HTTP Strict Transport Security, or HSTS, is a response header that improves a site’s security as it instructs the browser to always use HTTPS instead of HTTP when visiting your site. It helps to protect against man-in-the-middle attacks and other vulnerabilit

Jen C
Nov 9, 2025 · 2 min read


BIGFOOT IS REAL! And So Is The Need For HTTP Response Security Headers
I got your attention, didn’t I? HTTP response security headers are a fundamental part of website security and are easy to implement too! As a subset of HTTP headers, they are exchanged explicitly between a client and a server to specify security details for HTTP communication. They can help prevent modern browsers from easily falling prey to preventable vulnerabilities and protect against common attacks, such as cross-site scripting (XSS), clickjacking, information disclosure

Jen C
Nov 7, 2025 · 2 min read