Identification, Authentication and Kenny Loggins and Logouts: What I’ve Learned On My Journey Into Application Security
“Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures.” (OWASP) Kenny Loggins is a famous singer and songwriter spanning multiple decades. If you’re not familiar with his work, just think of Footloose, Caddyshack, or Top Gun, just to name a few. I celebrate his entire collection. Let’s briefly review the basics of identification and authentication.

Jen C
Oct 6 · 3 min read


The Universe Works In Mysterious Ways…
https://medium.com/@jencracchiola/the-universe-works-in-mysterious-ways-7095ece9c9be The day my brother proposed to his girlfriend was...

Jen C
Aug 9, 2024 · 4 min read
“OWASP A01:2021-Broken Access Control”
“Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k.” (OWASP.org) What is broken access control? Let's take a step back and talk about access control. Companies follow the principle of least privilege, which basically says, “Hey, we only grant access for certain things, and you can't do things outside of your

Jen C
6 days ago · 2 min read


Avoid Cryptographic Failures With These 6 Easy Steps
In a previous article, I discussed cryptographic failures. Well, we’re gonna talk about it a bit more. Don’t think of it as a comeback, but a remix? We’ll actually focus in a little deeper on these three areas of Cryptographic Failures: Exposed Key/Poor Key Management Insecure Randomness Weak Algorithm Use/Inefficient Algorithms For a brief refresher, what is a Cryptographic Failure? It’s a symptom, not necessarily a cause! It’s a security vulnerability that happens when a th

Jen C
7 days ago · 3 min read
Cross-Site Scripting (XSS)
No, XSS isn't a shirt size. It stands for Cross-Site Scripting. These are attacks in which an attacker injects a malicious script into a trusted website through user-provided input. They might use a web application to inject the malicious code. This frequently happens when a web application uses input from a user but generates output without validating or encoding the data passed. They can also launch an attack by modifying a request. In summary, XSS is a vulnerability that can enable th

Jen C
7 days ago · 2 min read


Security Misconfiguration? Sounds like a job for Agent Burt Macklin
OWASP Topic — “A05:2021 Security Misconfiguration” “Moving up from #6 in the previous edition, 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.%, and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category.” -OWASP What? Security Misconfiguration? Man, this sounds serious! What exactly is a Security Misconfiguration? They are attacks that exploit weaknesses in configurations found in our web ap

Jen C
Nov 10 · 3 min read


Jen's Agile Cliff Notes - SAFe PI Objectives and Iteration Goals
In a previous column, I discussed how to write SMART Goals. The following column dives in a bit deeper as to how we can use the SMART Goal format when writing PI Objectives and Iteration Goals. Every Program Increment (specifically at PI Planning), we craft and discuss our PI Objectives. What about Iteration Goals? Let’s dive into each a bit more. What is a SAFe PI Objective? It’s a summary of the business and technical goals, written in a common language for business and

Jen C
Nov 10 · 4 min read


Jen's Agile Cliff Notes - Shu Ha Ri
Have you ever heard of Shu Ha Ri before? No? Well, you will now, grasshopper! Shu Ha Ri is a Japanese martial arts concept. Remember Mr. Miyagi from the classic 1984 movie Karate Kid? “Wax on, wax off. Wax on, wax off.” Shu Ha Ri describes the stages of learning to mastery. Learning is not a linear progression! It’s a never-ending process of continual growth and improvement. You can easily apply these concepts in Agile. Shu Shu literally means to “obey”. This is the

Jen C
Nov 9 · 4 min read


HSTS Max-Age Directives and Cyborgs
Let’s learn about HSTS Max-Age Directives. Is it just me, or does this sound like something out of RoboCop or Wall-E? What is your directive LOL? Ok seriously now, what are we talking about? Let’s start with the basics. HTTP Strict Transport Security, or HSTS, is a response header that improves a site’s security as it instructs the browser to always use HTTPS instead of HTTP when visiting your site. It helps to protect against man-in-the-middle attacks and other vulnerabilit

Jen C
Nov 9 · 2 min read


BIGFOOT IS REAL! And So Is The Need For HTTP Response Security Headers
I got your attention, didn’t I? HTTP response security headers are a fundamental part of website security and are easy to implement too! As a subset of HTTP headers, they are exchanged explicitly between a client and a server to specify security details for HTTP communication. They can help prevent modern browsers from easily falling prey to preventable vulnerabilities and protect against common attacks, such as cross-site scripting (XSS), clickjacking, information disclosure

Jen C
Nov 7 · 2 min read


OWASP Topic: A06:2021-Vulnerable and Outdated Components
“Vulnerable Components are a known issue that we struggle to test and assess risk and is the only category to not have any Common Vulnerability and Exposures (CVEs) mapped to...” https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ Vulnerable and Outdated Components. Ugh. Gross. Sounds like a communicable disease and an outdated vaccine for an application. Wait, maybe that’s a good analogy. Let’s roll with it. What exactly is a Vulnerable and Outdated C

Jen C
Nov 7 · 3 min read


Jen's Agile Cliff Notes - SMART Goals
What is a SMART Goal? It can apply to any goal you set, not just Agile-related ones. We write our PI Objectives in SMART goal format, but it can also be used to write better sprint goals. A SMART Goal is scientifically proven to help teams set and achieve goals. They excel at providing the framework to create a compelling PI Objective or Sprint Goal. You can even use them for retrospective goals! Let’s dive in… They give you direction. A well-planned goal helps you m

Jen C
Nov 7 · 3 min read


This Injection Doesn’t Come with a Lollipop: How SQL Attacks Sneak Past Your Code
Do you look forward to receiving an injection? No? The same applies for our systems! Let’s learn more about SQL injections and how this can impact our applications! “Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences. Notable Common Weakness Enumerations (CWEs) included are CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and

Jen C
Nov 7 · 2 min read


OWASP Topic — Cryptographic Failures
“Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof). Which often lead to exposure of sensitive data.” [Image: Cleopatra is making an online purchase of a new sheath dress] When I think of cryptographic failures, my mind immediately pictures Cleopatra on her laptop. Close enough, right? For what it’s worth, cryptology really does orig

Jen C
Nov 6 · 2 min read


Imposters In Space, Errrr, Web Applications…Broken Access Controls!
We’re going to take a deeper dive into Access Controls! Let’s jump right in. Broken access controls are the number one vulnerability according to OWASP and the most serious. This may sound harsh, but the truth is that a malicious attacker has exploited a weak access control point in one of our web applications, taking advantage of a vulnerability. Broken access controls have been responsible for data breaches, identity theft, financial losses, and reputational damage to

Jen C
Nov 6 · 3 min read
Broken Access Controls — Protect The Fortress!
Published on Medium.com Broken access control could be an attacker exploiting these vulnerabilities, or it could be unintended. They could be: Injection flaws: untrusted input injected into an application. Cross-site scripting (XSS): untrusted input is included in a web page output. Broken authentication/session management: the application doesn’t validate or protect information. Inadequate role-based authorization or allowing users to access functionality beyond their permis

Jen C
Oct 21 · 1 min read
Sensitive Data Storage and Exposure
Published on Medium.com We have to be super careful with our client’s sensitive data, including PII, financial records, and login credentials. That’s a given! Sensitive Data Exposure occurs when a web application fails to protect confidential information, accidentally or intentionally. Either way, there are serious consequences. Exposed data can then be exploited by malicious actors, ranging from identity theft to financial fraud. One way this can happen is by returning too m

Jen C
Oct 21 · 2 min read


Breach puh-lease! Use of proper logging and monitoring to avoid security breaches!
Posted on Medium.com We don’t want a security breach! That’s why we rely heavily on logging and monitoring our applications; without it, breaches cannot be detected. Though challenging to test, it can be beneficial for accountability, visibility, incident alerting, and forensics. That’s why this is in the OWASP Top 10 of vulnerabilities: to help detect, escalate, and respond to active breaches! A security logging/monitoring failure is a vulnerability that occurs when a system/a

Jen C
Oct 21 · 2 min read
Left Lane Ends and Lanes Merge: When Friendships Are Over and New Ones Begin
Written for Medium.com I’ve always believed that some friendships are meant to last a lifetime, while others are only with us for a season. Each serves a purpose during a certain period, and when that time is over, it’s natural to move on. Some of my friendships date back to high school. Now, at my age, I realize how much I’ve learned from these relationships—no matter how cliché that may sound. My best friend, who is my oldest daughter’s godfather, has been in my life since

Jen C
Oct 13 · 3 min read
Jen's Agile Cliff Notes - The Release Train Engineer
What on earth does a Release Train Engineer (RTE) do? The Scaled Agile Framework definition states that “The Release Train Engineer (RTE) is a servant leader and coach for the Agile Release Train (ART).” That’s a mouthful! Well, there’s a lot that goes on “behind the scenes” to keep an Agile Release Train on the tracks. It’s more than just organizing PI Planning! Is it a Release Manager? No, but here’s a highlight of just a few areas that an RTE can help! ● Protec

Jen C
Oct 13 · 2 min read