API Security 101: Lack of Resources & Rate Limiting

Data, data, everywhere. How the lack of rate limiting contributes to severe security issues.

You’ve probably heard of the OWASP top ten, the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API ...
API Security 101: Excessive Data Exposure

Hey, I found your access tokens on your profile page.

You’ve probably heard of the OWASP top ten, the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten. The current ...
API Security 101: Broken User Authentication

How attackers hack API authentication. Are you who you say you are?

You’ve probably heard of the OWASP top ten, the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten ...
API Security 101: Broken Object Level Authorization

An API Objects Free-For-All

I got really into studying API security recently. While working on the first draft of my book, my technical editor, Aaron Guzman, pointed out that my book on web security needed an API chapter to be complete. And he has a great point. As modern ...
Why Your Code Is A Graph

Graph structures and how they are used in security code analysis

Graph structures are a natural representation of many kinds of data. They are a good way to represent relationships between objects, such as the relationships between users on social media sites, or the distances between different locations. Today, let’s explore graphs and ...
AppSec Conference: Shifting Left 2.0

Sessions to watch for developers and hackers

Here at ShiftLeft, we are gearing up for Shifting Left 2.0, a two-day application security conference for developers and security practitioners on June 22–23, 2021. It has something security-related for everyone: dev team leaders, application security folks, and the developers who ...
Secure Developer Challenge May 2021

Thanks to everyone who submitted to the Secure Developer Challenge for May 2021!

For this month’s challenge (https://go.shiftleft.io/developer-challenge-05-2021), we asked you to identify which of these statements about HTTP security headers are false:

The correct answer is that options C and F are incorrect. Did you get it right?

X-XSS-Protection turns on the XSS auditor of ...
Closing the Developer Security Skills Gap

How to help devs write code, learn security, and fight attackers

Securing software is friggin complicated. Supply chain attacks, the OWASP top ten, ransomware, insider attacks, and plain old typos. As software development becomes increasingly fast-paced, the potential threats that can compromise security don’t stop. If anything, the ...
Beating the OWASP Benchmark

Achieving a best-in-class OWASP Benchmark score with data and information flows

This post is an update to a previous research post authored by ShiftLeft’s Chief Scientist, Fabian Yamaguchi (https://blog.shiftleft.io/beating-the-owasp-benchmark-24a7b1601031). In the last article, he evaluated ShiftLeft’s static analysis tool against the OWASP Benchmark. ShiftLeft’s tool achieved a true-positive rate of 100% and a false-positive rate of 25%, making it the best-in-class ...