Web Application Security Resources
There are many security resources available to help explain and address potential vulnerabilities in the most
common commercial software products. However, when an enterprise deploys a
custom application, the security landscape changes drastically.
Many web applications go through rapid development phases with short turnaround times, making it difficult to address security weaknesses and vulnerabilities before release.
Custom application code is often untested, and attackers focus on exactly these flaws to compromise system components or otherwise gain access to confidential data. Integrating multiple individually secure systems does not necessarily result in a secure application.
Even if your systems are well secured and up to date with the latest bug-fixes
or patches, an attacker still has several options to exploit a web application:
- An attacker might resort to social engineering and phishing
- An attacker might exploit vulnerabilities in the application's own code
- An attacker might target the integration between the application's subcomponents
Application Security Assessment
Many years of experience have shown me that serious flaws are present in most software I have tested, both in software developed in-house and in commercial-off-the-shelf (COTS) applications.
An application security assessment identifies and validates potential vulnerabilities in web applications.
This part of the site collects resources often needed during an application security assessment.
At the moment, this is far from complete.