Category: Software security

hack_img6

Cross Site Request Forgery (CSRF)

Defending Against Cross Site Request Forgery   Cross–Site Request Forgery, or CSRF, sometimes pronounced “Sea Surf,” is an alarmingly simple way to perform unauthorized actions on a website. The trick is this: The user is logged into a restricted site or otherwise has authorization to use it. A URL from a hostile site asks the restricted one to take some… Read more →

Secure Rest Api services

Bad guys love REST

Many applications provide a services layer (to other applications, to a presentation layer…) or consume services exposed by third-parties (not necessarily trusted). REST model is a simple way for designing such service layers, widely used today. This post is about REST security issues and presents the main security problems that need attention, the attack threats and attack surface for REST,… Read more →

OWASP Top 10

OWASP Top 10: how to discover vulnerabilities in your Java applications

In this article you will learn which are the top 10 security issues in web applications (called OWASP TOP 10). For each vulnerability you will get how to know if your code is protected against it and how to analyze it automatically.   What’s OWASP Top 10? OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire,… Read more →

sin-titulo

OWASP Top 10: how to discover vulnerabilities in your C# applications

In this article, you will learn which are the top 10 security issues in web applications (called OWASP TOP 10). For each vulnerability you will get how to know if your code is protected against it and how to analyze it automatically. This post is the second part of another post about discovering vulnerabilities in a Java application. How can I… Read more →

Sap vulnerability detection Abap code quality

SAP Code Quality & Security Vulnerabilities detection

ABAP applications programming -most of which are large customized systems- adds to the challenge of managing these large development projects, to ensure that the resulting code has the necessary quality and security, in order to avoid problems once in production, or excessive maintenance costs. The lack of verification or manual verification of the quality and security of these large systems… Read more →

technical-debt-banner2_0

CIOs vs Technical Debt: A burden for innovation

Technical debt is a euphemism referring to the risk in production and potential rework assumed in software development. Due to rush and other factors, a lack of quality in deployed software developments is allowed. It is normal that resources or quality are limited in every product, but in the business world and in any professional field, the debt must be… Read more →

ghostshellcredsymantec

Security in business-oriented languages: ABAP

The ERP world: SAP and ABAP Let’s talk about SAP and its common high-level business language, ABAP. The attack surface for SAP systems is wide, with web-facing options like ITS, BSP, Web Dynpro, Fiori… Dynamic ABAP code, remote function calls (RFC) and many other features open to new attack points. In ABAP, OpenSQL is the common way for executing SQL… Read more →

ef3cb10a28f71c3e81584d04ee44408be273e7d31ab1194892f4_1280_security

Security in business-oriented languages: COBOL and RPG

Security in software written in business languages (like COBOL) follows a quite different path from software security in “modern” languages. Information flow issues are as much relevant than technical flaws. Knowledge and awareness in dev teams are not widespread. In this post we focus on the security flaws that happen in different business-oriented programming languages, how things could go wrong even with… Read more →