In my previous article, I briefly went over some of the default security testing options available in existing DevOps deployment tools. In this article, I will cover what can reasonably be included in the DevOps pipeline, and a few caveats faced by security engineers who are trying to add security testing into a fully automated …
Category Archives: Web application security
Gaps in DevOpsSec Part 1
[Part 2 of this article can be found here.] I recently did some work with a bunch of great automation engineers. My task was to assist them with adding some automation with respect to security testing. It was an awesome experience, but it left me feeling a bit worried about the continuous deployment world, as …
WordPress plugin security
The WordPress framework makes it very convenient for website owners (both novice and experienced) to extend the core functionality by adding plugins. The trouble is that every plugin installed potentially increases the website's attack surface. In this post, I will discuss the reasons, and how to limit exposure. WordPress does a good job of securing its framework (the …
Regarding WordPress security
Over the last few years, WordPress has been the subject of much abuse: first from people of questionable intent, who may or may not disclose the security holes they find, and second from bystanders who comment on any disclosed vulnerabilities (of which there have been many). However, there are a few important things to note …
Heartbleed: my comments
It has been 11 days since the public disclosure of a major bug in OpenSSL, known as Heartbleed. I have been asked about my thoughts by a few people (both technical and non-technical), and so I find myself writing this blog post. I must mention that security disclosures occur on a weekly (if not daily) basis, but …
HTTPS security
HTTPS is the HTTP protocol layered over SSL/TLS, used for secure communication over a computer network, most notably on the internet. TLS provides the confidentiality and integrity of the connection and lets the client authenticate the server, and it is the standard as far as securing web traffic goes. In particular, HTTPS is used by banks, social networks, live streaming services, …
Session riding
I decided to make this post about web application session riding, known more formally as cross-site request forgery (CSRF), following a presentation on JavaScript malware given at one of the ISG Durban meetings. There are many ways in which a web application can be designed insecurely, and many more ways to exploit them. …