2022

Detect hardcoded secrets using Github actions

Production passwords, tokens, AWS credentials and other types of secrets should be kept confidential and away from the prying eyes of hackers or malicious insiders. In simple terms, no one should know production database passwords, admin passwords, AWS credentials, etc., unless there is a legitimate business reason that requires it. Therefore, keeping these secrets hard-coded in GitHub repositories must be strictly prohibited.

Experiences and lessons from holding a ISC2 CSSLP certification

(ISC)² is one of the biggest organizations in education and certification tailored to cybersecurity professionals. Their Certified Secure Software Lifecycle Professional, aka CSSLP, is their certification for application security. According to (ISC)²:

It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization and auditing throughout the SDLC using best practices, policies and procedures established by the cybersecurity experts at (ISC)².

CSSLP Summary

Github GraphQL for AppSec metrics

GraphQL is a powerful way of interacting with an API to fetch a data object containing all, or at least most, of the information that you need. It resembles REST in the way it works, but it is more powerful and faster. Instead of using multiple requests to query the server for different pieces of data that then need to be stitched together, GraphQL allows you to fetch a single custom-defined object with a single call.

Deploy Django to AWS Elastic Beanstalk

In this tutorial we will deploy our very own Django application to Amazon's Elastic Beanstalk, or EBS for short. If you haven't heard of AWS EBS yet, go ahead and check this page. In short, EBS provides a fully managed environment to help you quickly deploy your web apps without working too hard to get the underlying infrastructure in place. That's pretty cool!

Injecting javascript for profit: How to detect and stop skimmers

In 2019 British Airways was fined a remarkable £183 million for a data breach of its systems that affected more than 380,000 customers. Magecart, the hacking group behind the attack, specializes in credit card theft, and British Airways has not been its only target. Ticketmaster, Forbes, Newegg and numerous online webshops have suffered security breaches by Magecart that share a common characteristic: a digital skimmer that steals customer credit card information without the victim's knowledge.

Security? I develop an internal application!

More often than I wish, I need to talk about application security with people who are really sceptical about my role as an application security professional. They behave as if it is a waste of time to talk security with me and would rather go about their regular business. But the most usual and frustrating argument I get is that their application is intended for internal use only, or even worse, that only "trusted parties identified by strong authentication" will be using it.