Web application security

You may need to do a quick third-party registration to access certain ones.

Articles

• Your Scanning Experience Determines Your Scanning Success
• What can Developers do to Better Protect PII?
• Finding Web Flaws is not Point and Click
• Responding to DoS attacks at the web layer
• Should you Test Development, Staging or Production?
• Mobile app software: Avoid the perpetual cycle of insecurity
• Hybrid security: Beyond pen testing and static analysis
• Don’t Let Problems Stop You From Carrying Out Web Application Testing
• Mac Malware Underscores Why You Can’t Ignore Web Security Threats
• Do You Scan with Network Security Controls Enabled or Disabled?
• Take Care in Handling the Results of Your Web Application Testing
• The Value of Web Exploitation
• Web Application Firewalls and the False Sense of Security They can Create
• Not All Web Vulnerabilities Are What They Appear to Be
• The One Web Security Testing Oversight You Don’t Want to Miss
• IT Geek Speak and What Management Really Needs to Hear
• There’s more to web security than meets the eye
• Web passwords are often the weakest link
• To validate or not, is that the question?
• Protecting FTP services running on your Web server
• The critical Web-based systems that are going untested and unsecured
• Good Web Security Tools and Why They Matter
• Why you need intruder lockout
• Web security is like the layers of an onion
• Building and deploying secure video and access control systems (a.k.a. ethical hacking tips and tricks for video and access control systems)
• How can you avoid a Web security breach? It's all in the preparation.
• SharePoint security should not be an afterthought
• Explaining the why of Web application security
• Improving Web security by working with what you’ve got
• Not all Web vulnerability scans are created equal
• Why people violate security policies
• How to know if your website has been hacked
• Getting users on your side to improve Web security
• Time to market is no longer the excuse
• SQL Injection – The Web Flaw That Keeps on Giving
• Properly scoping your Web security assessments
• The cure for many Web application security ills
• How much Web security is enough?
  
• Dark Cloud Looming?
• What’s your take on cloud security?
• Firewall change management and automation can curb human error
• Do Web application firewalls complicate enterprise security strategy?
• I wouldn't want to be a developer these days
• Don't overlook the importance of authenticated testing
• You can't change what you tolerate
• Testing for weak passwords: a common oversight without a great solution
• How often should you test your web applications?
• Notable changes in the PCI DSS 2.0 affecting Web application security
• Building solid security requirements
• Security oversights in the cloud: Asking the tough questions
• Why current application security measures fail
• Why do so many people buy into “checklist” audits?
• Ways to avoid email floods when running Web vulnerability scans
• Web server weaknesses you don't want to overlook
• SQL injection tools for automated testing
• Beefing up SSL to ensure your applications are locked down
• Common security flaws to check for on your Linux-based Web systems
• Getting developers on board with security – once and for all
• Application security checklist: Finding, eliminating SQL injection flaws
• Finding cross-site scripting (XSS) application flaws checklist
• Web security oversights: Don’t overlook the “small” stuff
• Domino security vulnerabilities to watch for
• Getting started with hardening Domino
• The new OWASP Top 10 for 2010 - Risk and Realities
• Why use POST vs. GET to keep applications secure
• Security best practices for today's Web 2.0 applications
• Authenticated XSS - problem or not?
• Looking past Layer 7
• The Top Web Vulnerability We Face
• Find unexpected vulnerabilities to ensure cloud compliance
• Changes coming to the OWASP Top 10 in 2010
• Free Web proxy tools you need to get to know
• Securing Web servers in Windows environments
• Finding cross-site scripting (XSS) application flaws checklist
• Testing rich Internet applications: 2009's best free tools
  
• How often should I change the passwords for my bank and other important online accounts (a Women's Health magazine piece I contributed to)
• Web 2.0 application security troubleshooting, testing tutorial
• Essentials of static source code analysis for Web applications
• Web security problems: Five ways to stop login weaknesses
• Fixing four Web 2.0 input validation security mistakes
• Spotting rich Internet application security flaws with WebGoat
• Testing rich Internet applications for security holes [go to article]
• Is all the PCI DSS compliance whining and complaining justified? [go to article]
• Scoping your Web app security assessments for success [go to article]
• Common software security risks and oversights [go to article]
• The role of quality assurance pros in software security [go to article]
• Using the Firefox Web Developer extension to find security flaws [go to article]
• Cloud computing and application security: Issues and risks [go to article]
• Web application security gaps not fixed in 2008 [go to article]
• Five predictions for Web security trends and changes for 2009 [go to article]
• Ten Ways to Protect Your Web servers [go to article]
• Web Services: An overlooked entry point for attack [go to article]
• Cross-site Scripting 102 - How it actually works [go to article]
• AJAX Security - Is anyone listening? [go to article]
• The realities of using WAFs for PCI DSS 6.6 compliance [go to article]
• The realities of PCI DSS 6.6 application code reviews [go to article]
• Free tools that can improve IIS security
• Writing software requirements that address security issues
• Getting started with web application misuse cases
• The Essentials of Web Application Threat Modeling
• Web application hacking: Inside the mind of an attacker
• Cross-site scripting 101 - The essentials [go to article]
• Cracking passwords the Web application way [go to article]
• The Fallacy of SSL [go to article]
• How to get developers to buy into software security
• Eight reasons to do source code analysis on your web application
• What to do after penetration testing: source code analysis
• What to expect of a third party Web application security tester [go to article]
• What to look for in a Web application security testing tool
• Free web application security testing tools you need to get to know
• Software security tools to improve your skills in a single day
• Web application vulnerabilities you don't want to overlook
• Interpreting the Results of a Vulnerability Assessment: How to Focus on What’s Important in Your Web Application Security Testing
• Web application security testing checklist [go to article]
• Step-by-Step Guide: Securing Web Servers [go to article]

Webcasts

• Common security-related oversights, assumptions, and blunders in software testing
  Security comprises a significant portion of the overall quality of software yet we continue to see software flaws that create unnecessary business risks and lead to application-level data breaches. In this webast, I explore the causes of gaps in the software testing process and offers suggestions on how to fix them.

• Focusing on what's important with your Web application security scanning and testing
  Web application security affects every business in some capacity. Regardless of the industry, there are certain Web security weaknesses you can’t afford to overlook and steps you must take to find them. In this webcast, I share what you need to know in order to find Web security vulnerabilities in your environment.

• Essential Elements of Web Application Penetration Testing
  In this webcast I show you how to maximize the value of your penetration testing efforts and the security of your Web applications. Just the essentials of what you need to know.

Podcasts

• Web scanning security testing 
  What should be the first step in Web application security testing? What is the difference between penetration testing, ethical hacking, vulnerabililty scanning and source code analysis? I answer these questions and others in this podcast in which I explain how your organization can focus what's important in security testing.

• Podcast: Security testing blunders
  In this podcast, I talk about the importance of security testing and how to get management buy-in. I describe the most common application security flaws and outline why the biggest oversight when in security testing in inaction. Tune in as I describe a game plan that will help you move your security testing efforts forward.   

• Hacker-Proof Your Applications
  
  
• Web Security Basics for Physical Security Pros