DevSecOps

Write Code That Protects Sensitive User Data

Sensitive data exposure is currently at number 3 in the OWASP Top 10 list of the most critical application security risks. In this blog post, we will describe common scenarios of incorrect sensitive data handling and suggest ways to protect sensitive data. We will illustrate our suggestions with code samples in C# that can be used in ASP.NET Core applications. OWASP lists passwords, credit card numbers, health records, personal information and business secrets as sensitive data.

Why Application Security is Important to Vulnerability Management

It was the day before a holiday break, and everyone was excited to have a few days off to spend with friends and family. A skeleton crew was managing the security operations center, and it seemed as though every other team left early to beat the holiday traffic. Every team other than the vulnerability management (VM) team, that is. Just before it was time to leave for the day, and the holiday break, the phone rang.

AppSec Tools Proliferation Is Driving Investments to Consolidate

When it comes to application security (AppSec), it’s important to note that no one testing type can uncover every flaw. Each tool is designed with a different area of focus, along with various speeds and costs – so it’s necessary to employ a mix of testing types. A good way to think about AppSec testing types is to compare them to health exams. You wouldn’t have a cholesterol test and assume your annual physical was complete.

Gartner Summit: Balance Risk, Trust, and Opportunity in an Uncertain World

In light of the current pandemic, most organizations will be working remotely for the foreseeable future. But the increase in virtual operations has led to a higher volume of cyberattacks. Now, more than ever, it’s vital that your organization is armed with the industry’s best application security (AppSec) solutions. But how do you build and secure technology in an uncertain world? It’s a balancing act between risk, trust, and opportunity.

One Veracoder's Tips for Setting Up a Successful Security Champions Program

My name is Seb and I’m an application security (AppSec) engineer, part of the Application Security Consultant (ASC) team here at Veracode. My role is to help remediate flaws at scale and at pace, and to help you get the most out of the Veracode toolset. With a background as an engineering lead, I’ve run AppSec initiatives for government and global retailers. I’ve found that successful AppSec is all about people.

How 80% of Orgs Can Overcome a Lack of Training for Developers

Developer security training is more critical than ever, but data shows us that the industry isn’t taking it quite as seriously as it should. A recent ESG survey report, Modern Application Development Security, highlights the glaring gaps in effective developer security training.

69% Say Their AppSec Is Effective but Don't Have Tools to Measure It

Veracode recently sponsored Enterprise Strategy Group’s (ESG) survey of 378 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.

10 Elements of the Most Effective Application Security Programs

Veracode’s Chris Wysopal and Chris Eng recently joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security.

Breaking Down Risky Open Source Libraries by Language

You work hard to produce quality applications on tight deadlines, and like every other development team out there, that often means relying on open source code to keep projects on track. Having access to plug-and-go code is invaluable when you’re racing the clock, but the accessibility of open source libraries comes with a caveat: increased risk.