Security research, news and guidance

Yearly Archives: 2009

A checklist approach to security code reviews, part 2

December 18, 2009  |  Written by Security Ninja  |   Application Security   |   8 Comments

Hi everyone, last week I posted the first part of my security code review checklist, which will help you review source code for input and output validation issues. I was happy to see how many people liked the first checklist items post and I always appreciate any feedback you have! This week I will be covering the checklist items for the Authentication and Authorisation secure development principles. The checklist items based on the content of …

A checklist approach to security code reviews

December 10, 2009  |  Written by Security Ninja  |   Application Security   |   16 Comments

Hi everyone, a question I often get asked about manual security code reviews (manual source code review) is how a manual review process can be clear, consistent and repeatable. I’m going to share some of the things I do to try and make sure security code reviews aren’t seen as a black box process filled with security professionals practising some kind of ninja skills on the source code. To help me with security code reviews …

Error Handling using the OWASP ESAPI

December 2, 2009  |  Written by Security Ninja  |   Application Security   |   Leave a comment

Hi everyone, in the first two blog posts in this series we explored how we can implement Input and Output Validation using the OWASP ESAPI. We saw that every time a validation exception was encountered the ESAPI would throw something like an EncodingException, ValidationException or IntrusionException, which returns a sanitised error message for us. We are going to cover Error Handling using the ESAPI in this blog post, which will explain how the ESAPI exception …

Injection attacks, it’s not just SQL!

November 27, 2009  |  Written by Security Ninja  |   Application Security   |   6 Comments

Hi everyone, I wanted to cover something a bit different in this week’s blog post; specifically, I decided to explain an injection-based attack that isn’t SQL Injection! The huge amount of press and attention SQL Injection vulnerabilities quite rightly receive often means that other injection-based attacks are either unheard of or underestimated. So I decided to give another injection-based attack its 15 minutes of fame today! I’m going to cover XPath Injection …
