by Bhaumik Shah | Jul 27, 2017 | InfoSec Strategies
In recent web application assessments, I’ve found a number of client applications that have cross-origin resource sharing (CORS) vulnerabilities—which I flagged as Critical because they left the application wide open to a range of potentially very damaging attacks....
by Bhaumik Shah | Mar 14, 2017 | InfoSec Strategies
If you’re a web application developer or security professional, chances are you’ve heard at least a little about the OWASP Application Security Verification Standard. Currently at version 3.0.1 and reflecting a wealth of industry feedback, this community-led project...
by Bhaumik Shah | Feb 7, 2017 | InfoSec Strategies
During a recent audit, I saw a problem with AppSec (application security) testing in the client’s software development lifecycle. They were embracing DevOps practices (the integration of software Development and IT Operations), but had so far failed to integrate...
by Robert Gorski | Apr 21, 2016 | Phishing
Recently I did some onsite application penetration testing for a client where I noted in the report that their application did not tell the browser to turn off auto-completion of the user’s password. The OWASP guidance considers this an issue, and we’ve been flagging...
