Curious about application security? Want to learn how to detect security vulnerabilities and protect your application? We discuss different topics and provide valuable insights into the world of application security.
A few months ago, it was announced that some companies buy stolen passwords off the black market to help protect their users. This is done by determining if the user's password was part of that l…
Have you implemented, or are you implementing, a remember me feature for your application? What do you remember: username, password, or both? James talks about some security considerations around implementing a…
Do you use MongoDB? If so, is it exposed to the internet? Recent news (listed below) has shown that a large number of MongoDB instances are being infected with ransomware. James talks about the is…
Implementing multi-factor authentication isn't just about a second factor. There are many considerations that need to be included. One in particular: how do you handle the user losing their means o…
Yahoo has announced yet another breach from back in 2013 affecting a very large number of user accounts. https://investor.yahoo.net/ReleaseDetail.cfm?&ReleaseID=1004285 This creates an opportunity …
It is the holiday season. It is appropriate to talk about cookies. Not the kind that you bake, but the ones in your applications. James talks about the security mechanisms for cookies and clarifie…
Have you heard someone mention "untrusted" data? Applications take data from multiple data sources, and we are often confused about what should be trusted or not. In this episode, James Jardine talks a…
Are you an organization looking to do source code review? Are you trying to hire a pen tester with source code review as a duty?
James talks about Secure Code Review and some common implementations…
Do you have a clear path for users to contact you about potential security issues in your application or device? Is there a potential for the communication to be lost in the mix? James talks about …
Having a penetration test performed against your applications? Do you have mobile and web applications performing the same functionality? James talks about the reason behind doing these assessments…
Your pen tester wants you to whitelist them in your WAF? What should you do? Why do they ask? James breaks it down for you in this episode.
For more info go to https://www.developsec.com or follow …
We talk HTTP/HTTPS all the time. Google just announced that in January they are going to change how they display their secure/not secure indicators for HTTP sites that have passwords or credit cards…
Are your login forms secure? Are you sure? In this episode James talks about potential risks with presenting your login forms when using HTTPS and how to avoid them. We often are focused on HTTPS …
The user interface plays a big part in the security of an application. We often only look at flaws such as XSS, but here James provides an example of the lack of Input Validation messages creating a…
James discusses how all applications, big or small, are a potential target and need to have secure coding practices. We often only look at our big applications from a security perspective, but in re…
In this episode, James talks about what Username Enumeration is, how it can be used by attackers, and some ways to help reduce the risk of it.
An interesting question was raised around changing a password and the need to invalidate all the access tokens for the associated mobile devices. James talks about his view on the topic and how you can…
Pokemon Go has taken the world by storm and as always, it brings up some things to talk about regarding security. In this episode James talks about some out of the box security thoughts regarding mo…
A question came in regarding auto-unlock of accounts and account lockout in general. James discusses his thoughts on this process and how he approaches these types of questions.
A question came in around the need for the password confirm box on registration screens and the security implications. In this episode I respond to the question and give some insights on how to appr…