DevelopSec: Developing Security Awareness

You know your development language and platform, but do you really know the ins and outs of web application technology? How well do you know HTTP, HTML, etc? James talks about a few scenarios where r…

In this episode, James talks about authorization and some common areas where it poses a risk. He also goes over some techniques to help test authorization.

For more info go to https://www.developsec…

The Equifax breach was a major news story. James talks about some of the security controls mentioned and how to start a conversation within your organization about them. 

Want to listen on YouTube?  C…

We talk about cross-site scripting (XSS) all the time, but often overlook the ability to use javascript: in anchor tags.  James talks about this unique ability and how to protect your applications fr…

We use a lot of platforms and frameworks when we develop an application. These platforms may provide security features, but do you know which ones? James talks about the importance of understanding y…

James talks about the risk of USB thumb drives and their risk using the recent BCBS marketing campaign as an example. (http://www.fiercehealthcare.com/privacy-security/bcbs-alabama-re-evaluates-usb-m…

James talks about a recent vulnerability report regarding MySpace's Account Recovery system (https://www.wired.com/story/myspace-security-account-takeover/).  He talks about considerations around acc…

In this episode, James talks about Interactive Application Security Testing, or IAST. It is a sort of hybrid approach that is similar to both dynamic and static analysis. Listen in to learn more abou…

Are you thinking about client vs. server-side input validation?  Curious why each is important and when to use them?  James talks about the basic concepts and how to apply them to create more secure …

In this episode I sit down with Geurt van Wijk from IDdriven to discuss IAM and IDaaS. Geurt has many years of experience around Identity and shares some great insights into considerations when worki…

It was recently reported that an audio driver on HP systems was logging key strokes to a local file.  Accidental?  Malicious?  Instead, we talk about how to try and avoid this from happening in the f…

I sat down with Vittorio Bertocci from Microsoft at the Microsoft Build 2017 conference in Seattle Washington.  Vittorio shared some great insights into Identity and some new things around Azure AD a…

Over the years I have had many people ask about encoding before storing data in the database.  Here are my thoughts and recommendations.

For more info go to https://www.developsec.com or follow us on …

Do you use hosted content on a CDN? How do you know the file hasn't been modified?  James describes Sub Resource Integrity and how it is used to help detect and prevent loading modified files.  For d…

Do you struggle with trying to pick the most secure application platform? Are you focusing on the right questions? James talks about ways to look at application platforms and be secure, no matter whi…

Do you allow users to login into their accounts across multiple browsers or devices? Does this raise a security concern? James talks about how to handle this question and analyze the root issue.

For m…

I am sure you have heard about the AWS service disruption that occurred.  Have you seen how we can learn from this when we look at our own tools and processes?  James talks about how we need to look …

I hear a lot of people struggling with HTTPOnly and Secure attributes on cookies. The names may be confusing to some. Change your viewpoint and it may become easier..

For more info go to https://www.d…

We always talk about Forgot Password... But what about Forgot Username? Listen in as James discusses why protecting this functionality is important and the ways it could be abused if not properly han…

In this episode, James talks about security questions, or secret questions. We see them used in many different places. People complain they are horrible. So are they that bad that you shouldn't use t…