What is Security Code Review and Secure Coding? How important is it? Are Security Code Review and Secure Coding part of your Application Security program?
Code Review is a process in which a person (usually an Application Security Engineer or another developer) reviews all or part of the code written by another developer. Security Code Review means a Code Review that attempts to find security-related weaknesses in the code.
Secure Coding is the practice of writing applications in a way that protects them against known vulnerabilities.
It mostly depends on the company! Manual code review is time consuming, so if you…
Do you run Threat Modeling sessions regularly? Do you have any specific method to do that?
There are several methods for doing Threat Modeling. You can read about 12 available methods here. Each of these methods was created at a particular time for a specific purpose, but you can now use whichever one fits your requirements.
In this article, I’m going to show you a very simple and easy (but effective) method to do your Threat Modeling. Suppose we are going to Threat Model an application with just one piece of functionality (User Registration). Here is a simple Data Flow Diagram:
In this blog post, I want to teach you a simple method to easily find Reflected XSS vulnerabilities. We only need BurpSuite (Pro) with “Reflected Parameters” (this extension requires BurpSuite Pro; a free alternative is available on GitHub: https://github.com/elkokc/reflector) and “XSS Validator”.
2. In “Extender => BApp Store” install “XSS Validator”
In this blog post, I want to show you how to find XSS vulnerabilities with the help of sqlmap!
1 — Find URLs with parameters
2 — Pass the URL with its parameters to sqlmap => sqlmap -u https://xss-game.appspot.com/level1/frame?query=test
3 — If sqlmap finds any reflected value or potential XSS, it informs you!
4 — Verify the XSS vulnerability with your browser (with a list of XSS payloads) or any other tool.
I hope this will be useful.
Application Security Engineer