Yearly Archives: 2009
A checklist approach to security code reviews, part 2
Hi everyone, last week I posted the first part of my security code review checklist, which will help you review source code for input and output validation issues. I was happy to see how many people liked the first checklist items post, and I always appreciate any feedback you have! This week I will be covering the checklist items for the Authentication and Authorisation secure development principles. The checklist items based on the content of …
A checklist approach to security code reviews
Hi everyone, a question I often get asked about manual security code reviews (manual source code review) is how a manual review process can be clear, consistent and repeatable. I’m going to share some of the things I do to try and make sure security code reviews aren’t seen as a black box process filled with security professionals practising some kind of ninja skills on the source code. To help me with security code reviews …
Error Handling using the OWASP ESAPI
Hi everyone, in the first two blog posts in this series we explored how we can implement Input and Output Validation using the OWASP ESAPI. We saw that every time a validation exception was encountered, the ESAPI would throw something like an EncodingException, ValidationException or IntrusionException, which returns a sanitised error message for us. We are going to cover Error Handling using the ESAPI in this blog post, which will explain how the ESAPI exception …
Injection attacks, it's not just SQL!
Hi everyone, I wanted to cover something a bit different in this week's blog post; specifically, I decided to explain an injection based attack that isn’t SQL Injection! The huge amount of press and attention SQL Injection vulnerabilities quite rightly receive often means that other injection based attacks are either unheard of or underestimated. So I decided to give another injection based attack its 15 minutes of fame today! I’m going to cover XPath Injection …