Questions tagged [appsec]

Application security - Specific to security concerns for an application that are independent from the underlying operating system, or surrounding infrastructure. Pertains to the design / architecture, source code, patching and maintenance cycle, or deployment and configuration of this software.

Application security refers to the security of a specific application and could pertain to the design / architecture, source code, patching and maintenance cycle, or deployment and configuration of this software.

979 questions
6
votes
2 answers

Should I put a potentially insecure program online?

OK: a foreword. I am not a security expert. I am one of four kids at a high school working on a project. I don't have any experience with real-life situations where security is a concern. I have a project that's for automated program grading.…
user26672
  • 61
  • 2
6
votes
4 answers

Does using GUIDs for IDs make IDs unpredictable?

Say I have a website that stores credit card information and on that site I have a page where users can edit/delete their credit card information. For the sake of the example let's say the HTML looks like this:
xxxx-xxxx-xxxx-1234
Abe Miessler
  • 8,195
  • 11
  • 49
  • 73
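Added example (not from the question or its answers) separating the two things the question conflates: an unguessable id stops enumeration, but it is not authorization. The in-memory `CardStore`, its id schemes and the attacker loop are all constructed for illustration; `uuid4` is used because `uuid1` embeds a timestamp and node id and is not unpredictable.

```python
import uuid
from dataclasses import dataclass


@dataclass
class Card:
    owner: str
    last4: str


class CardStore:
    """Constructed in-memory stand-in for the card table behind the edit/delete page."""

    def __init__(self, id_scheme="uuid"):
        if id_scheme not in ("sequential", "uuid"):
            raise ValueError("id_scheme must be 'sequential' or 'uuid'")
        self.id_scheme = id_scheme
        self._next = 1
        self._cards = {}

    def add(self, owner, last4):
        """Store a card and return the id that would be embedded in the page."""
        if self.id_scheme == "sequential":
            card_id = str(self._next)
            self._next += 1
        else:
            # uuid4 is 122 random bits; uuid1 would NOT do, it embeds time and node id
            card_id = str(uuid.uuid4())
        self._cards[card_id] = Card(owner, last4)
        return card_id

    def get_insecure(self, card_id):
        """IDOR pattern: whoever supplies a valid id gets the record, owner unchecked."""
        return self._cards.get(card_id)

    def get(self, requester, card_id):
        """Hardened lookup: the id is a locator, ownership is the authorization check."""
        card = self._cards.get(card_id)
        if card is None or card.owner != requester:
            # identical failure for "no such id" and "not yours", so ids cannot be probed
            raise PermissionError("card not found")
        return card


def enumerate_cards(store, attempts):
    """Attacker walks ids 1..attempts against the insecure lookup; returns the hit count."""
    return sum(1 for i in range(1, attempts + 1)
               if store.get_insecure(str(i)) is not None)
```

With sequential ids the enumeration loop finds every card; with uuid4 it finds none, but a uuid that leaks through a referrer, a log or a shared link still opens the record on `get_insecure`. Only `get` closes that, and it does so for either id scheme.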
5
votes
3 answers

Examples of "Runtime application self-protection" (RASP) in action?

I'm having a hard time figuring out what "Runtime Application Self-Protection" (RASP) really is, though I see it mentioned in the press. The best description I've seen of the possible benefits, along with some limitations, is in this article Is…
nealmcb
  • 20,783
  • 6
  • 72
  • 117
3
votes
2 answers

Appsec Standards Organizations?

I'm a Java EE developer and I was wondering if anybody has had experience with the OWASP Project and could weigh-in as to how it measures up as a security standards organization. They have a huge website with multitudes of documents, sub-projects,…
zharvey
  • 951
  • 3
  • 10
  • 15
3
votes
1 answer

Is it safe to remove these groups from the Local Security Policy area?

I'm trying to edit a particular section inside the Local Security Policy snap in and I'm wondering if I really need to give all of these groups (I think they're groups) permissions. Based on this information I may remove the same groups from other…
Codezilla
  • 171
  • 1
  • 4
3
votes
2 answers

Security while connecting to a MySQL database using PDO

I looked at this question: What is the right way of storing database connection strings from the security point of view? And I'm wondering specifically for connecting to a MySQL database with PDO, how can I be more secure? I currently store my…
user1114
  • 145
  • 5
2
votes
0 answers

OWASP A9 - Maintain the latest security patch level for third party libraries and software

In wanting to produce secure code, a common requirement is to not use outdated libraries and frameworks in code bases (for example the OWASP A9 requirement). I understand the reason to do this, but it does not seem like there is an easy way to…
whoami
  • 394
  • 2
  • 14
2
votes
1 answer

Stack smashing protection, reordering variables

So a few days ago I started reading a paper about bypassing SSP/ProPolice and after I read it all I tried the bypasses but they didn't work. This is the code I used: int f (char ** argv){ int pipa; // useless variable char *p; …
AnonITA
  • 21
  • 1
2
votes
1 answer

Web App Scans through the network firewall?

I have a scenario. I want to scan a web app which is placed in another DC behind a different firewall (not a web application firewall). We can have open ports to reach the application. The tools generally used by testers are Acunetix, Appscan, Burp and…
Sanchit Sharma
  • 331
  • 5
  • 9
2
votes
1 answer

Security implications of exposed Dropbox API key and secret

I've noticed that the Dropbox PHP SDK requires you to put your API credentials in a JSON file that might be publicly available if the SDK code is placed within the DOCUMENT_ROOT directory. What are the security implications if an attacker discovers…
s3v3n
  • 121
  • 3
1
vote
1 answer

Is it unsafe to parse user input without checking for correctness?

I currently have the problem in one of my self-written apps that the app receives user input (JSON) from another app, but I am not able to check if this input is good or malicious. I can't check this because I do not know what is in this data, i.e.…
arc_lupus
  • 209
  • 1
  • 10
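Added example (not the poster's code) of what "checking for correctness" can mean when you cannot predict every value: size, encoding, nesting-depth and shape are all bounded by an allowlist, and anything outside it is rejected before the data reaches the rest of the app. The limits and the `SCHEMA` shape are assumptions standing in for whatever the receiving app actually expects.

```python
import json

MAX_BYTES = 64 * 1024      # assumed size limit for one message
MAX_DEPTH = 8              # assumed nesting limit

# Assumed shape of a message from the other app: an object with exactly these
# keys; a dict means object, a one-element list means array-of, a type means scalar.
SCHEMA = {"user": str, "age": int, "tags": [str]}


class BadInput(ValueError):
    """Raised for anything that is not exactly the expected message."""


def _depth(obj, level=1):
    if isinstance(obj, dict):
        return max((_depth(v, level + 1) for v in obj.values()), default=level)
    if isinstance(obj, list):
        return max((_depth(v, level + 1) for v in obj), default=level)
    return level


def check_shape(value, schema, path="$"):
    """Allowlist check: unknown keys, missing keys and wrong types all fail."""
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            raise BadInput(f"{path}: expected object")
        unknown = set(value) - set(schema)
        if unknown:
            raise BadInput(f"{path}: unexpected keys {sorted(unknown)}")
        for key, sub in schema.items():
            if key not in value:
                raise BadInput(f"{path}.{key}: missing")
            check_shape(value[key], sub, f"{path}.{key}")
    elif isinstance(schema, list):
        if not isinstance(value, list):
            raise BadInput(f"{path}: expected array")
        for i, item in enumerate(value):
            check_shape(item, schema[0], f"{path}[{i}]")
    else:
        # bool is a subclass of int in Python, so {"age": true} would pass isinstance
        if schema is int and isinstance(value, bool):
            raise BadInput(f"{path}: expected int, got bool")
        if not isinstance(value, schema):
            raise BadInput(f"{path}: expected {schema.__name__}")
    return value


def parse_untrusted(raw):
    """Bytes from the other app -> validated dict, or BadInput. Never trusts content."""
    if len(raw) > MAX_BYTES:
        raise BadInput("message too large")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadInput("not UTF-8") from exc
    try:
        obj = json.loads(text)
    except (ValueError, RecursionError) as exc:   # RecursionError: pathological nesting
        raise BadInput("not JSON") from exc
    if _depth(obj) > MAX_DEPTH:
        raise BadInput("nested too deeply")
    return check_shape(obj, SCHEMA)
```

The point is that "I don't know what is in the data" is answered by declaring what is allowed, not by trying to recognise what is malicious; the unknown-keys check is what stops a sender from smuggling in an `admin` flag the code never asked for.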
1
vote
2 answers

Queues for Mobile Web Application Security Architecture?

Dear Security Mavens (of which I am not), Your thoughts & suggestions regarding an application architecture for a mobile web application (e.g., HTML5 with Sencha Touch) are invited & welcomed. To what degree would/does the use of queues (e.g.,…
user30209
1
vote
2 answers

Signed URLs as a security measure

Would implementing signed URLs be an effective security measure to prevent URL tampering and poisoning on public facing resources accessed via a GET request? e.g.…
Null
  • 187
  • 1
  • 11
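Added example (not the poster's) of the scheme being asked about: an HMAC over the path and the full query, with an expiry bound into what is signed and a constant-time comparison on verification. The `SECRET` value and the `/download` URL are constructed for the example. Note what this does and does not give you: it detects tampering with anything covered by the signature, but anyone holding the signed URL can use it until it expires, so it is a bearer token, not authentication.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed server-side key; in practice loaded from a secret store, never in the page.
SECRET = b"replace-me-32-bytes-of-random-key-material"


def _canonical(path, params):
    # Sort so the signature does not depend on query order; sign path + query together
    return (path + "?" + urlencode(sorted(params))).encode()


def sign_url(url, secret, expires_at):
    """Return url with expires and sig parameters appended (HMAC-SHA256)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("expires", str(int(expires_at))))
    sig = hmac.new(secret, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    params.append(("sig", sig))
    return parts.path + "?" + urlencode(params)


def verify_url(url, secret, now):
    """True only if sig covers path + all other params and the URL has not expired."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == "sig"]
    rest = [(k, v) for k, v in params if k != "sig"]
    expires = [v for k, v in rest if k == "expires"]
    if len(sigs) != 1 or len(expires) != 1 or not expires[0].isdigit():
        return False
    if int(expires[0]) < now:
        return False
    expected = hmac.new(secret, _canonical(parts.path, rest), hashlib.sha256).hexdigest()
    # constant-time compare; an early-exit == leaks the signature byte by byte
    return hmac.compare_digest(expected, sigs[0])
```

Because every parameter is part of the canonical string, appending a second `user=` value (parameter pollution) or changing `expires=` invalidates the signature just as editing the path does; whatever the server reads from the query must be inside what it signs.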
1
vote
0 answers

Learning Desktop Application Security

I am familiar with web security but I would like to know more about non-web application security. I know about memory corruption vulnerabilities like buffer overflow and buffer overread and how serious they are. But how about Java/C# or similar…
1
vote
1 answer

Are user-provided translation strings an attack vector

Twitter and various other web companies allow users to help translate the user interface into their language. Crowdsourcing translations isn’t new for us. Since October, 2009, we’ve counted on Twitter users to volunteer as translators and help us…
Mike Samuel
  • 3,893
  • 19
  • 25
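Added example (not from the question) of the two ways a contributed translation string becomes an attack vector and of a rendering path that closes both: a placeholder such as `{user.password_hash}` that reaches into whatever object the template is formatted against, and markup in the literal text that lands in the page unescaped. The `User` record and the strings are constructed; the rule applied is that a translation may use only the placeholders its source string has, with no attribute access, indexing, conversions or format specs, and that both translator text and substituted values are HTML-escaped.

```python
import html
import string
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str   # something a template must never be able to reach


class BadTranslation(ValueError):
    """A contributed string uses a placeholder the source string does not allow."""


def placeholder_names(fmt):
    """Names of {placeholders} in fmt; rejects attribute/index access and format specs."""
    names = set()
    for _literal, field, spec, conversion in string.Formatter().parse(fmt):
        if field is None:
            continue
        if not field.isidentifier() or spec or conversion:
            raise BadTranslation(f"disallowed placeholder {field!r}")
        names.add(field)
    return names


def render_unsafe(translated, **params):
    """The vulnerable pattern: format a contributed string against live objects, no escaping."""
    return translated.format(**params)


def render_safe(source, translated, **params):
    """Render a contributed translation of `source`: same placeholders only, everything escaped."""
    allowed = placeholder_names(source)
    used = placeholder_names(translated)
    if not used <= allowed:
        raise BadTranslation(f"unknown placeholders {sorted(used - allowed)}")
    out = []
    for literal, field, _spec, _conv in string.Formatter().parse(translated):
        out.append(html.escape(literal))              # translator text is untrusted too
        if field is not None:
            out.append(html.escape(str(params[field])))
    return "".join(out)
```

Run the placeholder check when a translation is submitted, not only at render time, so a bad string is rejected at contribution and never reaches production; if translators legitimately need markup, the escaping step becomes an explicit tag allowlist rather than `html.escape` on the whole literal.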