@JohnNKing @rocsecsummit Thank you @JohnNKing and all the other @rocsecsummit organizers that worked to put on such a great conference! It was a genuine pleasure to be able visit and share my security journey with everyone at #RSS2018
I'm very excited to be leading a Web Application Security workshop @BSidesROC on 4/13. If you're interested, please register today. Tickets are going fast!
tl;dr if your app runs a local server it needs to validate the Host header of incoming HTTP requests. Tavis is opening issues for apps where this causes RCE but there’s probably tons more where this will cause privacy leaks https://t.co/qcbaL7x4vT
Static and dynamic analysis tools will help find some types of application security vulnerabilities. But don’t make the mistake of assuming that “some” is good enough.
Good application security hinges on developers. In fact, they have to lead it. Otherwise, you’ll be forever creating vulnerabilities faster than they can be fixed.
Your people are the mind and soul of your security efforts. They provide the foundation and the essentials upon which the success of all security endeavors will surely depend.
Achieving better application security is forever a work in progress. Much like improving one’s self in life - it is something always worked toward and never done. When considering security - look to your developers and culture before you look to products and tools.