“SBOM” should not exist! Long live the SBOM.This article by Steve Springett, who is at the center of the software bill of materials universe, explains what an SBOM is and why they should exist. In defense of simple architecturesAs security professionals, we love simple because complex is hard to secure. This article is about a 1.7 billion dollar company that runs its web app as a Python monolith on top of Postgres and how this simplified architecture runs a successful application. Alex Mor -- Application Risk Profiling at ScaleHow do you manage appsec when you have thousands of applications in an enterprise? Alex Mor joined the Application Security Podcast to talk about application risk profiling. He defines what it is, then walks through how to scale across an organization. HOW INFRASTRUCTURE AS CODE SHOULD FEELThis article is all about feelings...infrastructure feeling. It dives into how your infrastructurous code should feel; it should feel safe, better, etc. Check it out to understand this new way of thinking. Improving software supply chain security with tamper-proof buildsWe all still, to this day, struggle with the software supply chain. This article, showing how to better create tamper-proof builds, dives into SLSA and the principles you can apply to your software supply chain to make it more secure.

3 Cultural Obstacles to Successful DevSecOps ImplementationWhen our goal is to change security culture we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization. Brenna Leath -- Product Security Leads: A different way of approaching Security ChampionsBrenna Leath, head of product security at SAS, visited the Application Security Podcast to share her insight on security champions and how she approaches this role in her organization with product security leads. We hope you enjoy this conversation with...Brenna Leath. How GO Mitigates Supply Chain AttacksThis post, from the GO blog, dives into how this coding language mitigates supply chain attacks. GitHub can now auto-block commits containing API keys, auth tokensIt is vital to keep private information, such as API keys, passwords and authentication tokens, secure. GitHub recently released a new update that scans code for this sensitive information before committing the code to a repository.If you're not using SSH certificates you're doing SSH wrong If you use SSH without certificates, this story may make you uneasy. The author argues why we shouldn't be using SSH with anything other than certificates in the modern day.

1. An Analysis of Open-source Automated Threat Modeling Tools and Their Extensibility from Security into Privacy-https://www.usenix.org/publications/l...We conducted our review of threat modeling tools in three main phases: Tool Discovery, Evaluation Criteria Selection, and Application of Evaluation Criteria.2. In-depth research and trends analyzed from 50+ different concepts as code-https://www.jedi.be/blog/2022/02/23/t...•DevSecOps as code explosion•Data as code •Capturing knowledge as code3. Security Journey Provides Free Application Security Training Environment for OWASP® Members-https://www.securityjourney.com/post/...Security Journey’s OWASP dojo will be open and available to all OWASP members starting April 1st. Members can access it in their member portal.4. GitHub - 99designs/aws-vault: A vault for securely storing and accessing AWS credentials in development environments-https://github.com/99designs/aws-vaultAWS Vault is a tool to securely store and access AWS credentials in a development environment.5. Avoiding the top Nginx configuration mistakes (nginx.com)-https://www.nginx.com/blog/avoiding-t...This blog takes a deep look at the 10 of the most common errors, sometimes even committed by NGINX engineers. The article will explain what are the 10 most common mistakes and how to fix them.

1. Is it safe to use SECRETS_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED?- https://datasociety.net/wp-content/up...This first story is a react development issue. A developer was asking if a specific property was safe to use. This shows the importance of naming in understanding the security risks when using specific properties. 2. Adam Shostack -- Fast, cheap, and good threat models-https://www.securityjourney.com/podca...Adam is very well known in the world of threat modeling as a thought leader. This is his take on some new approaches he wants everyone in the industry to understand.3. SHA-256 explained step-by-step visually- https://sha256algorithm.com/This is a website that will describe how SHA-256 works. Hashing algorithms are a critical part of how we protect information whether it is at rest or in transit. This is a fascinating way to go through the steps and understand how they work. 4. Over 28,000 Vulnerabilities Disclosed in 2021: Report- https://sha256algorithm.com/This article is describing a report published by Risk Based Security highlighting the 28,000 vulnerabilities that were disclosed in 2021. It shows that not much has changed since 2020, but check it out to see all the details. 5. Known exploited vulnerabilities catalog- https://www.cisa.gov/known-exploited-...This is the Know Exploited Vulnerabilities Catalog from CISA. There was a pointer in the previous story to the site as a resource to search and stay up to date on different exploitable vulnerabilities and their remediations.

Bounty EverythingThis ebook has in-depth explanations of how bug bounties work, how the economy works within the bug bounty, and how the researchers are paid and treated.Understanding Website SQL InjectionsA high-level deep dive into SQL injection, so even those that have no understanding of what an injection attack is can learn how they work.Mazin Ahmed -- Terraform SecurityTerraform is all the rage in the infrastructurous code world. Mazin walks through all things you need to understand about terraform, the security challenges and where to learn more in this episode of the Application Security Podcast. 10 real-world stories of how we've compromised CI/CD pipelineWe all have CI/CD pipelines that we are using in a DevOps world to build our production software; those pipelines have vulnerabilities. Check out these real-world examples to become more educated about the security issues you need to care about. Cryptocurrencies: Tracing the evolution of criminal financesThis Intelligence Notification provides an overview of the illicit use of cryptocurrencies, including those services that facilitate their illicit use, illustrating relevant modi opzerandi using case examples.

5% of 666 Python repos had comma typos (including Tensorflow, PyTorch, Sentry, and V8)​Out of a group of GitHub repositories that had been checked, 5% had a comma problem. Either too few or too many commas somewhere in the library. Advanced SQL Injection Cheatsheet​ This repository contains an advanced methodology of all types of SQL Injection.​ MySQL, PostgreSQL, Oracle, and MSSQL​10 Threats ebookRead about the eBook on 10 Greatest Threats to Your Application’s Security 2021 version. Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps ​The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it. Whereas, faker receives over 2.8 million weekly downloads on npm, and has over 2,500 dependents. How I Discovered Thousands of Open Databases on AWS​My journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more.

1.Fuzzing for XSS via nested parsers condition-https://swarm.ptsecurity.com/fuzzing-...In this article web application security researcher, Igor Sak-Sakovskiy reveals a novel technique for finding sanitization issues that could lead to XSS attacks. 2.Anti-Patterns in Cybersecurity Management-https://systemweakness.com/anti-patte...In this article, this author walks through the most memorable anti-patterns he's seen recurring in cybersecurity management. 3.OWASP Top 10 Peer Review-http://www.securityjourney.com/podcas...Robert and Chris break down the OWASP Top 10 2021 Peer Review Edition in this episode of the Application Security Podcast. They walk through and give their insights, highlight the things that stood out and ask questions. 4.My first impressions of web3 - https://moxie.org/2022/01/07/web3-fir...Security researcher and entrepreneur, Moxie Marlinspike recently explored web3. He shares what he's learned about how web3 works from the inside out. 5.How a routine gem update ended up creating $73k worth of subscriptions- https://serpapi.com/blog/how-a-routin...This is the story of how a company attempted to deploy what looked like an innocent gem update but ended up costing them $73k. In less than an hour, 474 new subscribers had been mistakenly added to their service.

ZAPping the OWASP Top 10This document gives an overview of the automation and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2021 risks. AWS Is the Internet's Biggest Single Point of FailureIn December, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League of Legends, Ring security cameras, as well as Amazon products and delivery infrastructure. The outage only lasted a few hours, but it showed the world just how much the internet depends on Amazon's infrastructure.  Eran Kinsbruner -- DevSecOps Continuous TrainingEran joins the Application Security Podcast to talk about the role of testing in a secure software pipeline. They talk about the intersection of security and quality, challenges in getting started, and even a brief conversation about how SAST is used to check automotive software. Find the root cause of your productivity problem with the "5 Whys" techniqueThe 5 Whys technique was developed in the 1930s by Sakichi Toyoda, the founder of the automotive manufacturer Toyota Industries. The idea is simple: ask "why" 5 times, until you get to the root cause of your issue. It's not dissimilar to a kid who exasperates their parents by continually creating "why"... but the benefits can be transformative!Why I'm Using HTTP Basic Auth in 2022Building an entire login system from scratch can be a significant investment and creates a major barrier to entry.  It's prevented me from building useful tools because they would require a login.

Exploring Container Security: A Storage Vulnerability Deep Dive - https://security.googleblog.com/2021/...Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host file system outside the boundaries of the mounted volume. Remember, vulnerabilities can exist deep within the internals of Kubernetes.Really Stupid “Smart Contract” Bug Let Hackers Steal $31 Million In Digital Coin - https://arstechnica.com/information-t...An accounting error built into the company's software let an attacker inflate the MONO tokens price and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol. Thinking back, Looking forward – A Balanced Approach to Securing our Software Future - https://www.buzzsprout.com/1730684/88...Keven Greene is the Director of Security Solutions at Parasoft and has extensive experience and expertise in software security, cyber research and development, and DevOps. He and Chris discussed software security from the past into the future. They cover how to make security easier for devs, SBOM, software minimalism, and so much more in this episode of the Application Security Podcast.Security Metrics that Count - https://www.twilio.com/blog/security-...Metrics can be challenging. Twilio uses security metrics to drive change within their organization, celebrate improvements over time to help better protect their customers, and measure their security program. Playbook for Threat Modeling Medical Devices - https://www.mitre.org/publications/te...The "Playbook for Threat Modeling Medical Devices" was developed further to increase knowledge of threat modeling throughout the medical device ecosystem and strengthen the cybersecurity and safety of medical devices.

How to Learn Stuff Quickly: https://www.joshwcomeau.com/blog/how-...Learning how to learn is a crucial skill of the security professional and developerNever Update Anything: https://blog.kronis.dev/articles/neve..."In my eyes, it could be pretty nice to have a framework version that's supported for 10-20 years and is so stable that it can be used with little to no changes for the entire expected lifetime of a system."Bridges fall down due to insecure design - make sure your web applications don't: https://www.securityjourney.com/post/...This principle also applies to web applications, which is why the new #4 on the OWASP Top 10 2021 list is Insecure Design. ​Pin exact dependency versions: https://betterdev.blog/pin-exact-depe...Use a dependency manager that creates a lock file and commits it to the repository. Even then, pin your dependencies - explicitly specify their exact versions.Financial services need to prioritize API security to protect their customers: https://www.helpnetsecurity.com/2021/...Given this growing trend, Knight focused her vulnerability research on the financial services and FinTech companies and was able to access 55 banks through their API's, giving her the ability to change customers' PIN codes and move money in and out of customers accounts.

Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.Trojan Source Attacks - https://trojansource.codes/Some vulnerabilities are invisible - rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic. An Opinionated Guide on How to Reverse Engineer Software, Part 1 - https://margin.re/media/an-opinionated-guide-on-how-to-reverse-engineer-software-part-1.aspx"This is an opinionated guide. After 12 years of reverse engineering professionally, I have developed strong beliefs on how to get good at RE."​AppSec Things to Watch in 2022 - https://www.securityjourney.com/post/appsec-things-to-watch-in-2022It’s that time of the year again when everyone under the sun comes up with predictions. We’re not fans of predictions, so instead, we give you Security Journey’s Application Security Things to Watch in 2022.AWS WAF's Dangerous Defaults - https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/Any malicious payload that starts after the 8KB limit in a POST request will completely bypass your WAF unless you've explicitly added a rule to block any POST request greater than 8KB in size. Even the simplest SQL injection, the legendary '1=1' can fly right by.

GitLab analysis of OWASP Top 10 changes from 2004 to 2021-https://public.flourish.studio/visual...Visualization of how OWASP Top Ten has changed over the years. To Learn a New Language, Read Its Standard Library-http://patshaughnessy.net/2021/10/23/...The best way to learn a new programming language, just like human language, is from example. To learn how to write code you first need to read someone else's code. Making sense of OWASP A08:2021 - Software & Data Integrity Failures-https://www.securityjourney.com/post/...We should expect this category to rise higher within a few years. Supply chain poisoning is difficult to detect and prevent. Our countermeasures are, arguably, in infancy. ​GitHub - xntrik/hcltm: Documenting your Threat Models with HCL-https://github.com/xntrik/hcltmHcltm aims to provide a DevOps-first approach to documenting a system threat model by focusing on the following goals: Simple text-file format, simple cli-driven user experience, and integration into version control systems (VCS). This repository is the home of the hcltm cli software. The hcltm spec is based on HCL2, HashiCorp's COnfiguration Language, which aims to be. "pleasant to read and write for humans, and a JSON-based variant that is easier for machines to generate and parse". Combining the hcltm cli software and the hcltm spec allows practitioners to define a system threat model in HCL. All Things SSRF-https://github.com/jdonsec/AllThingsSSRFThis is a collection of writeups, cheat sheets, videos, related to SSRF in one single location.

Minimum Viable Secure ProductMinimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers. How to Secure Python Web App Using BanditBandit is a tool developed to locate and correct security problems in Python code. To do that Bandit analyzes every file, builds an AST from it, and runs suitable plugins to the AST nodes. Once Bandit has completed scanning all of the documents, it generates a report. Explain Sigstore to me like I am fiveSigstore provides an easier way to seamlessly issue and validate signatures from constituent dependencies, including base images, all the way to the final deployed application artifact. ​Threat Matrix for CI/CD PipelineThis is an ATT&CK-like matrix focus on CI/CD Pipeline specific risk.  Malware Found in NPM Package with Millions of Weekly DownloadsA massively popular JavaScript library, UAParser.is (npm package), was modified with malicious code that downloaded and installed a password stealer and cryptocurrency miner on systems where compromised versions were used.SHOW LESS

Commonjoe/ WrongSecrets - https://github.com/commjoen/wrongsecretsImproper secret storage is a common technology problem. Use this tool to expose your developers to how to do it wrong, so they can learn how to do it rightList of IT Assets an Attacker is most likely to Extort -https://www.helpnetsecurity.com/2021/10/13/it-assets-target/Attackers love IT assets; here are the top things they are targeting and exploiting.OWASP Top 10 2021: 7 action items for app sec teams https://www.securityjourney.com/post/owasp-top-10-2021-7-action-items-for-app-sec-teamsYour AppSec team has work to do with the new OWASP Top Ten for 2021.How to win at CORS - https://jakearchibald.com/2021/corsCORS is tough to implement correctly and develop against – but it is worth the effort. Security is often difficult.7 Unconventional Pieces of Password Wisdom -https://www.darkreading.com/application-security/7-unconventional-pieces-of-password-wisdom Nice summary of NIST 800-63b.

How Yahoo Built a Culture of Cybersecurity- https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurityCommentary: Security culture continues to grow as a non-negotiable piece of a security strategy.​ minimaxir/big-list-of-naughty-strings​ – https://github.com/minimaxir/big-list-of-naughty-stringsCommentary: Safe list input validation is always our go to, but the big list of naughty strings is a nice input for testing!Have Trusted Types API built directly into the jQuery Core Files · Issue #4409 jquery/jquer-  https://github.com/jquery/jquery/issues/4409Commentary: jQuery is still widely in use across the web, and adopting trusted types is a strong security step forward.​Making sense of OWASP A08:2021 – Software & Data Integrity Failures​- Encryption is easy, key management is hard - https://www.securityjourney.com/post/making-sense-of-owasp-a08-2021-software-data-integrity-failures​Commentary: Software and data integrity failures are the root cause of many supply chain debacles in the past few y Apache Servers Actively Exploited in the Wild, and the Importance of Prompt Patching - https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching​Commentary: We often think of patching as a security problem that has been solved – patching is always challenging!​

1. NIST Brings Threat Modeling into the SpotlightIf you haven't heard about the NIST Executive Order about software security and supply chain, you've been living under a rock. Adam gives us the threat modeling perspective on the EO2. How to ensure the highest quality of Software codeSecurity or development, we all want the highest quality of software code. Explore linting, unit testing, SAST, and continuous monitoring of software.3.  A cloud company asked security researchers to look over its systems. Here's what they foundEverything is broken, and everything is breakable – don't let anyone lead you to a different conclusion. The cloud is someone else's computer.​4. Masscan: TCP port scanner, scanning entire Internet in under 5 minutes Masscan is a TCP port scanner that can scan the entire Internet in under five minutes. The entire Internet!5. Why is Server-Side Request Forgery #10 in OWASP Top 10 2021SSRF cracked the OWASP Top 10 for 2021. Learn it. Live it. Know it.

1.  Application security tools ineffective against new and growing threatsOutdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.2. HTTP/2: The Sequel is Always WorseAttackers are learning HTTP/2. Developers and defenders must learn it as well.3. AppSec Village Live Stream of DefCON 29Check out AppSec Village as it is the perfect place to connect with those with related interests.4. Mark Loveless -- Threat modeling in a DevSecOps environmentWe discuss his philosophical approach, framework choice (spoiler alert, it's a pared-down version of PASTA), and success stories / best practices he's seen for threat modeling success.5. Do you like to read? I can take over your Kindle with an e-bookAn attacker could delete e-books, potentially gain full access to an Amazon account, converted a Kindle to a bot, attacked other devices in the local network, and more.

1.  Empty npm package '-' has over 700,000 downloads — here's whyThere have been 720,000 downloads since its publication on the npm registry since early 2020.2. Privacy – more than the icing on the cakeQuestions to consider: What are we working on? What can go wrong? and more. Give this a read to gain more context.3. Jeroen Willemsen -- Security automation with ci/cdJeroen joins us to unpack security automation in a DevOps world.​4. Why cybersecurity pros need to learn how to codeLearn to code to level up your breaking skills; it is easier to find issues when you understand the underlying construction of the things you break.5. Supply chain attacks are getting worse, and you are not ready for themManage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components.​​

1. 16 of 30 Google results contain SQL injection vulnerabilities The dreadful quality of most of Google's search results. Several of these results were, simply put, SEO-optimized baloney.2. A case against security nihilismSkepticism that we can guard against the NSO Group's Pegasus spyware, or similar products.3. Why the password isn't dead quite yetIt will take time and more experimentation to create a passwordless ecosystem that can replace all the functionality of passwords, especially one that doesn't leave behind the billions of people who don't own a smartphone or multiple devices.4. Thinking back, Looking forward - A Balanced Approach to Securing our Software FutureWe cover how to make security easier for developers, SBOM, software minimalism, cyber resiliency, and so much more!5. 2021 CWE Top 25 Most Dangerous Software WeaknessesThe 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years.

1.  Jeevan Singh -- Threat modeling based in democracyJeevan joins us to speak about self-serve threat modeling at Segment or threat modeling based in democracy. 2. joswha/Secure-Coding-HandbookClient side, Server Side, Auxiliary.3. Security headers quick referenceSecurity headers recommended for all websites, websites that handle sensitive user data, and websites with advanced capabilities.4. Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchersThe paper suggests that insurance should require 'minimum ransomware controls' as part of any ransomware coverage.5. Microsoft Refining Third-Party Driver Vetting Processes After Signing Malicious RootkitIf you sign something malicious, you allow it to bypass all your other security controls.