Deploying Then Securing the OWASP Juice Shop, Part Six of ?

Penetration Testing: Amateur Hour

In this post, I am essentially going to fire up the OWASP Juice Shop (OJS) locally, navigate to the scoreboard to see the intended challenges, and then have a go at solving as many as I think I have a hope in heck of achieving. Given that I am not a penetration tester (in fact, I think I’d probably be rubbish as a professional pentester if I attempted it), I don’t expect to solve all that many of the challenges, at least not without getting some significant hints from elsewhere....

January 6, 2024 · 30 min · 6297 words · James Cooper

Securing REST APIs Against Data Leaks

Securing REST API Endpoints (or 15 Steps to Avoid Another Optus)

While I was working at Cosive, I wrote a blog post outlining some of the usual advice around securing REST API endpoints, with a particular view to preventing data leaks. This was inspired by the then-recent leak of customer personally identifiable information from the systems of Australian telecommunications outfit Optus. It was titled “Securing REST API Endpoints (or 15 Steps to Avoid Another Optus)”....

August 5, 2023 · 3 min · 622 words · James Cooper

Deploying Then Securing the OWASP Juice Shop, Part One of ?

Deploying, and then Securing, the OWASP Juice Shop Application

Summary

I shall deploy the deliberately-vulnerable OWASP Juice Shop application to ’the cloud’, and then use various techniques and tools to (attempt to) secure it.

Introduction

OWASP Juice Shop is one of OWASP’s flagship projects, and is a deliberately-vulnerable web application. It is used to demonstrate various vulnerabilities that can exist in real applications (including the whole of the OWASP Top 10), for the benefit of builders, breakers and defenders alike....

July 11, 2023 · 6 min · 1124 words · James Cooper