There’s an oft-quoted saying that those who forget the past are doomed to repeat it. The history of the web is full of new technologies, attacks against those technologies, and more technologies to defend against those attacks. From the beginning, there has been an arms race between attackers and defenders, and if we forget the first battles of this race, we risk undoing the progress we, as a community, have made. So let’s speed-run this arms race, broken down by attack method, to remind ourselves why some old-school defense technologies are still a good idea. This series of articles will focus on a core building block of the web, the session, and the set of defenses available to fight for the user.
Read more: Browser Session Defenses – Everything Old is New Again (Part 1)
The software development industry has widely adopted the mantra of “shifting left” with security, or in other words, moving security activities earlier in the development lifecycle. While developers, architects, and other team members are generally supportive of this idea, they sometimes lack the skills needed to implement it effectively. Training can fill much of the gap and is usually necessary, but organizations find that both live and computer-based training produce a spike in security activity that quickly drops off as participants get pulled back to their old routines by the legitimate demands of the business.
Meristem believes that one powerful tool for shifting the security culture within a development organization is a regular cadence of security activities that stimulate developers’ interest. Naturally, these activities must be small and constructed so that they fit into the small gaps in a developer’s day without significantly disrupting their regular schedule.
No security assessment can hope to find every vulnerability. The time scoped by Meristem for each assessment is intended to find the majority of vulnerabilities, including those likely to be found by a skilled attacker. Still, the more efficient the testers can be, the more attack surface they can cover, and ultimately, the more secure your application will be. Meristem is always looking for ways to optimize our process, but there are also steps you can take to ensure that the majority of your assessment time is spent testing, which will maximize your return on investment.
Read more: Getting the Most Out of Your Application Penetration Test
Mark Hoopes (of Meristem InfoSec) and Heidi Hoopes presented a workshop at RailsConf 2022 titled "Gaps in the Magic - Exploiting Security Edge Cases in Rails." This class introduced the fundamental concepts of two key vulnerability classes from the OWASP Top 10, SQL injection and unsafe deserialization (or unmarshalling in Ruby parlance). It included practice environments where the students could exploit real-world applications (or a replica) to solidify their understanding and enable them to communicate the risks associated with these vulnerabilities more effectively.