James Jardine is the CEO of Jardine Software and a former SANS Institute author and instructor. James possesses over 15 years of development and application security experience. Full Show Notes: https://wiki.securityweekly.com/SSWEpisode46 Visit http://securityweekly.com/category/ssw/ for all the latest episodes!
James Jardine of Jardine Software joins us. In the news, the hells of being a founder, killing projects before they kill you, intellectual property 101, and updates from Auth0, Upstream, Palo Alto Networks, Symantec, and more! Full Show Notes: https://wiki.securityweekly.com/SSWEpisode46 Visit https://www.securityweekly.com for all the latest episodes!
It was recently reported that an audio driver on HP systems was logging keystrokes to a local file. Accidental? Malicious? Instead, we talk about how to try to avoid this from happening in the future. Original Article: https://www.cnet.com/news/keylogger-discovered-on-some-hp-laptops-conexant/ For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our Slack channel. Email james@jardinesoftware for an invitation. Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.
I sat down with Vittorio Bertocci from Microsoft at the Microsoft Build 2017 conference in Seattle, Washington. Vittorio shared some great insights into identity and some new things around Azure AD and Azure AD B2C. Listen in to learn more about some of the interesting things going on. You can watch Vittorio's presentation from Build at: https://channel9.msdn.com/Events/Build/2017/B8084 To get more information from Vittorio, you can follow him on twitter at @vibronet or check out his website at www.cloudidentity.com Also, check out this announcement about new authentication SDKs: https://azure.microsoft.com/en-us/blog/start-writing-applications-today-with-the-new-microsoft-authentication-sdks/
Over the years I have had many people ask about encoding before storing data in the database. Here are my thoughts and recommendations.
Do you use hosted content on a CDN? How do you know the file hasn't been modified? James describes Sub Resource Integrity and how it is used to help detect and prevent loading modified files. For details referenced in the show about commands and examples, check out our post at https://www.developsec.com/2017/04/16/sub-resource-integrity-sri/
Do you struggle with trying to pick the most secure application platform? Are you focusing on the right questions? James talks about ways to look at application platforms and be secure, no matter which one you choose.
Do you allow users to log in to their accounts across multiple browsers or devices? Does this raise a security concern? James talks about how to handle this question and analyze the root issue.
I am sure you have heard about the AWS service disruption that occurred. Have you seen how we can learn from this when we look at our own tools and processes? James talks about how we need to look at our own applications and tools and consider how time has changed the landscape. There might be more than you think.
I hear a lot of people struggling with the HTTPOnly and Secure attributes on cookies. The names may be confusing to some. Change your viewpoint and it may become easier.
We always talk about Forgot Password... But what about Forgot Username? Listen in as James discusses why protecting this functionality is important and the ways it could be abused if not properly handled.
In this episode, James talks about security questions, or secret questions. We see them used in many different places. People complain they are horrible. So are they so bad that you shouldn't use them? Is it possible to help reduce the risk with security questions?
A few months ago, it was announced that some companies buy stolen passwords off of the black market to help protect their users. This is done by determining if the user's password was part of that list and forcing a reset. James talks about the idea and raises some interesting questions. What do you think about the tactic?
Are you implementing, or have you implemented, a remember me feature for your application? What do you remember: username, password, or both? James talks about some security considerations around implementing a remember me feature for your application.
Do you use MongoDB? If so, is it exposed to the internet? Recent news (linked below) has shown that a large number of MongoDB instances are being infected with ransomware. James talks about the issue and ways to help ensure you are not the next victim. Link to original article: http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/
Implementing multi-factor authentication isn't just about a second factor. There are many considerations that need to be included. One in particular: how do you handle a user losing their means of providing that second factor? James talks about thinking this through.
Yahoo has announced yet another breach, from back in 2013, affecting a very large number of user accounts. https://investor.yahoo.net/ReleaseDetail.cfm?&ReleaseID=1004285 This creates an opportunity to discuss password storage and the storage of security answers. Find out what we can take away from this incident.
It is the holiday season. It is appropriate to talk about cookies. Not the kind that you bake, but the ones in your applications. James talks about the security mechanisms for cookies and clarifies what they are for.
Have you heard someone mention "untrusted" data? Applications take data from multiple data sources, and we are often confused about what should be trusted or not. In this episode, James Jardine talks about untrusted data and some thoughts for moving past it.
Are you an organization looking to do source code review? Are you trying to hire a pen tester with source code review as a duty? James talks about Secure Code Review and some common implementations.
Do you have a clear path for users to contact you about potential security issues in your application or device? Is there a potential for the communication to be lost in the mix? James talks about how it is important for users to have a clear path to communication when it comes to reporting security issues.
Having a penetration test performed against your applications? Do you have mobile and web applications performing the same functionality? James talks about the reasons for doing these assessments at the same time vs. separately. See why testing your entire offering can add benefit to your security assessment. Link to DerbyCon Presentation
Your pen tester wants you to whitelist them in your WAF? What should you do? Why do they ask? James breaks it down for you in this episode.
We talk HTTP/HTTPS all the time. Google just announced that in January they are going to change how they display their secure/not secure indicators for HTTP sites that have passwords or credit cards. James talks about how this can affect you. Link to the article: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Are your login forms secure? Are you sure? In this episode James talks about potential risks with presenting your login forms when using HTTPS and how to avoid them. We are often focused on HTTPS for the submission of credentials, but what about the loading of the form? What about frames?
The user interface plays a big part in the security of an application. We often only look at flaws such as XSS, but here James provides an example of the lack of input validation messages creating a denial of service type situation.
James discusses how all applications, big or small, are a potential target and need to have secure coding practices. We often only look at our big applications from a security perspective, but in reality, all applications pose a risk.
In this episode, James talks about what Username Enumeration is, how it can be used by attackers, and some ways to help reduce the risk of it.
An interesting question was raised around changing a password and the need to invalidate all the access tokens for the associated mobile devices. James talks about his view on the topic and how you can analyze your situation to determine the appropriate direction.
Pokemon Go has taken the world by storm and, as always, it brings up some things to talk about regarding security. In this episode James talks about some out of the box security thoughts regarding mobile applications, including app permissions, fake apps, and scams. Link to James' interview on News4Jax talking about Pokemon Go security concerns: http://www.news4jax.com/news/morning-show/pokemon-go-security-concerns
A question came in regarding auto-unlock of accounts and account lockout in general. James discusses his thoughts on this process and how he approaches these types of questions.
A question came in around the need for the password confirm box on registration screens and the security implications. In this episode I respond to the question and give some insights on how to approach these types of questions from a security perspective.
We are too quick to just give generic recommendations for resolving security vulnerabilities. We need to make sure that the application teams understand why these are vulnerabilities and why they are important. It all starts with asking why that functionality is there. James talks about the importance of understanding the WHY and how it is a building block for more secure applications.
When a developer was presented with a bug, they tried to say that it wasn't an issue because it was found by a tester using a Mac: "We don't support Macs." James talks about how this is a fundamental misunderstanding about security and tries to clear it up.
James reflects on the current way we expect application teams to get security training and its potential shortfalls. Is there a better way? Listen as I talk through some different points on the topic.
How do you get your secure coding information? Do you pull code snippets from the internet? Who doesn't? How many of those actually use secure coding best practices? We have a challenge where most of our books, tutorials, and even college classes don't show secure code examples, just code examples. Everywhere we turn, the code we see is insecure. James talks about this issue and some things you can do to help change that. In the episode, James makes reference to the IT Hot Topics Conference (https://www.eiseverywhere.com/ehome/index.php?eventid=155122&). James will be presenting on Friday morning. If you are in the area, this may be a great conference to check out. See the link included for registration info.
Do you use an application inventory in your application security program? James discusses what an application inventory is and why it is important. Here is a list of a few tools that can be used to help identify some application details: consider using OWASP Dependency Check (https://www.owasp.org/index.php/OWASP_Dependency_Check); Retire.js will help identify outdated JavaScript libraries (http://retirejs.github.io/retire.js/) and is also available as a Burp extension.
Penetration tests provide a measuring stick for security, but are you missing out on additional value? James discusses ways to use the pen test results to get more value out of a penetration test. James will be providing a free webcast regarding Penetration Testing for Application Teams on March 18th, 2016. Here is the registration link: https://attendee.gototraining.com/r/3147075330537789954
James discusses what authentication is and some things to look out for.
In this episode, James Jardine talks about some of the things you need to consider when trying to implement a static analysis program. It is more than just a tool you drop in. To build a successful program there are other considerations.