I am delivering training courses on how to build effective processes around application security scanning tools as part of my work for Bounce Security. The course’s official name is “Building a High-Value AppSec Scanning Programme” and its unofficial, more fun but less descriptive name is “Tune your Toolbox for Velocity and Value”. This post will serve as a way of getting more information about the course.
Setting up an OWASP Juice Shop CTF
I recently used the very excellent OWASP Juice Shop application developed by the very excellent Björn Kimminich to run an internal Capture the Flag event (CTF) for my department. It went really well and got really good feedback so I thought I would jot down some practical notes on how I did it.
Reflections on attending and presenting at AppSec Israel 2017
For various reasons, this year was the first year I made it to OWASP AppSec Israel, the national Application Security conference here in Israel. Not only that but I was honoured to be accepted to present as well. It was a long day including a speakers/organisers dinner in the evening but as well as being tired I was also really buzzing with excitement and I thought I’d jot down a few notes about the day.
HPKP is pinning^W pining for the fjords – A lesson on security absolutism?
It looks like this standard will not go into widespread adoption but I think we can learn a lesson about InfoSec cost/benefit and the risks of expecting all security controls, everywhere.
The OWASP Top 10 — An update and a chance to have your say
If you care about AppSec, you have until 30th August to have your say on what new items should be in RC2 and until 18th September to provide additional data on vulnerabilities found.
WannaCry — Do you feel lucky?
Would MS17-010 have received enough attention without WannaCry?
OWASP Top 10 2017 — What should be there?
Having made my long-term thoughts on the OWASP Top 10 process clear, I want to talk about the list as it stands at the moment and how I think it should be for 2017.