DevOpsDC: Developing a Continuous Delivery Tool Chain from the Bottom Up

Last week I was able to talk about some of my DevOps experiences at the March 2015 DevOpsDC Meetup. I told the story about how we took a project that was just starting Agile and was deploying a risky release to production every 6 months or so, and over 4+ years brought it to deploying […]

From Naivety to Negligence

I understand the plight of senior executives, I really do. Most don’t have a software background, and that makes it difficult for them to fully understand application security. But when security breaches are caused by basic, simple code vulnerabilities that can be found using readily available tools, it makes me wonder how serious businesses even […]

What Not To Do With Password Management

As one of our resident security guys, I thought I might write up a quick guide about what not to do with password management. As long as you build a website or web service, at some point you’re most likely going to have to store a password. Unfortunately for many developers out there (in organizations […]

Apache Server Errors

So I run a server at home hosting several sites, including a few personal sandboxes for development. I went to check one of the sites and noticed it was taking an incredibly long time to load. When I logged into the machine, I got the dreaded “Usage of /: 99.9% of 27.50GB disk space” error. Now, […]

How to display a logon/disclaimer notice banner in SharePoint by customizing the Global.asax and deploy the global.asax file using the SharePoint WSP.

I was working on a SharePoint DoD project; due to security requirements (STIG) it needed to display a disclaimer notice banner when a user initiates a session with the SharePoint site. This solution tells how to customize and deploy the SharePoint Global.asax that triggers the new session start event to display the disclaimer notice banner. This solution was split into two SharePoint […]

Security Testing: OWASP ZAP (Zed Attack Proxy)

As part of my ongoing collection of reviews and thoughts on today’s Security Testing Tools, I’m taking a look at the Zed Attack Proxy (ZAP) by OWASP. While my last review, of WebSecurify, looked at a very simplistic tool for Web Application Security Testing, this review will bring us a slightly more complex tool. So where […]

Integrating CAT.NET into Hudson for Continuous Security Analysis

I recently published an article about using the CAT.NET security scanner on your .NET web application. Once you get it running, it’s fairly simple to integrate it into your continuous integration process. Our strategy here will be to use a downstream job in Hudson to run static security analysis on our application build after the main compilation/packaging […]

Security Testing: Web Application Fuzz Testing

Fuzz testing, or fuzzing, a technique originated in 1988 by Professor Barton Miller at the University of Wisconsin, is a software testing technique where invalid, unexpected, and/or random data is input into the system at various levels in an effort to uncover unexpected system behaviors and system failures, including system crashes, failing code assertions, […]

Security Testing: Web Application Testing with WebSecurify

One of the biggest trends in web application testing today is Security Testing. Most people know their web application is important for their business; no one wants a big security breach. With hackers becoming more and more sophisticated, and vulnerabilities becoming easier and easier to exploit, the odds are not in your favor. […]
