Thursday, March 24, 2011
OWASP Top 10 Tools and Tactics @ InfoSec Resources
I've been a busy lad of late and haven't been keeping up on posts, but I have been turning out some work elsewhere.
If you haven't already taken note, checkout my second installment for InfoSec Resources, specifically OWASP Top 10 Tools and Tactics.
It even made #4 on Reddit under NetSec and was March 24th's Post of the Day on PenTestIT. ;-)
Software will always have bugs and by extension, security vulnerabilities. Therefore, a practical goal for a secure software development lifecycle (SDLC) should be to reduce, not necessarily eliminate, the number of vulnerabilities introduced and the severity of those that remain.
Exploitation of just one website vulnerability is enough to significantly disrupt online business, cause data loss, shake customer confidence, and more. Therefore, the earlier vulnerabilities are identified and the faster they are remediated the shorter the window of opportunity for an attacker to maliciously exploit them.
The conclusion is therefore simple: reduction and remediation of web application security flaws will shrink the number of attack vectors and improve security posture. Ground breaking, right? No, it’s old news, “security posture” is a worn out buzz phrase, and if everyone was diligent about the above mentioned reduction and remediation, we’d likely not need a Top 10 list or a 12th Website Security Statistic Report (count on one). But hey, then we’d have to find different work, right?
Gifford Pinchot once said “Never bet on a race unless you are running in it.”
As solutions are always better than complaints, let’s discuss how to get in the race with some tooling options as we explore each of the Top 10.
You know I'm an SDLC fan, and an ardent supporter of OWASP. This article blends those passions along with some insight as to how I conduct web application vulnerability research.
Note: Over the next few months, I'll be drilling into to each of the OWASP Top Ten, exploring the specific vulnerability and the aforementioned tooling and tactics to aid in better discovery and mitigation.
Look forward to those followup articles at InfoSec Resources.
Hope you enjoy.
You can have data without information, but you cannot have information without data. ~Daniel Keys Moran Here we resume our discussion of ...
It's rather hard to believe, unimaginable even, but here we are. This is the 120th consecutive edition of toolsmith; every mon...
You've likely seen chatter recently regarding the pilot Hack the Pentagon bounty program that just wrapped up, as facilitated by Hacker...
I'm a bit slow on this one but better late than never. Steph dropped her HIBPwned R package on CRAN at the beginning of June, and it...