This is AppSecInsider's Typepad Profile.
IBM Application Security Insider
Recent Activity
Crawling “classical” web applications is a problem that has been addressed more than a decade ago. Efficient crawling of web applications that use advanced technologies such as AJAX (called Rich Internet Applications, RIAs) is still an open problem. Crawling is... Continue reading
Posted Jun 19, 2013 at IBM Application Security Insider
In March 2013, we released version 8.7 of AppScan. One of the focus areas for that release was to improve the scalability and performance of the enterprise components of the solution, specifically the AppScan Enterprise Server and AppScan Enterprise Dynamic... Continue reading
Posted May 29, 2013 at IBM Application Security Insider
In this hands-on article, learn how to use IBM Security AppScan Standard with mobile user agents, as well as emulators and actual devices for Android and iOS. Continue reading
Posted Apr 17, 2013 at IBM Application Security Insider
2012 IBM CAS Project of the Year: Efficient and Scalable Mapping of Mobile and Complex Rich Internet Applications for Automated Security Testing The ability to “crawl” Web sites and Web applications is at the core of the Internet. Crawling is... Continue reading
Posted Jan 3, 2013 at IBM Application Security Insider
Mobile security can be tested in a variety of ways. You can apply black box testing to test the server side logic that your mobile app is working with, as we've recently blogged about. You can also apply static analysis... Continue reading
Posted Dec 10, 2012 at IBM Application Security Insider
IBM Security AppScan provides automated security scanning of web applications. Did you know that you can apply test policies within IBM Security AppScan to cover particular aspects of the scan? Using the right policy produces optimal scanning results and reduces... Continue reading
Posted Dec 3, 2012 at IBM Application Security Insider
If you have ever worked with an AppScan expert they probably got you to install the AppScan Traffic Viewer. This tool is the Swiss army knife of the AppScan Power user containing a multitude of support features and giving you... Continue reading
Posted Oct 15, 2012 at IBM Application Security Insider
If you’re the kind of person that likes taking a look under the hood, then get ready to dive into the new IBM Security AppScan Standard 8.6 and take a peek at what we did for this release. By the... Continue reading
Posted Aug 27, 2012 at IBM Application Security Insider
Let's talk about mobile security, shall we? We can see that smartphones and tablets are everywhere, taking their place as dominant collaboration devices in enterprises. Many organizations are struggling with understanding the implications of developing and deploying apps to new... Continue reading
Posted Aug 13, 2012 at IBM Application Security Insider
Once again, AppScan has proven to be the leader of web application security testing tools, in a recent benchmark of over 60 commercial and open-source tools published by Shay Chen. [Figure: Attack vector comparison (taken from the WAVSEP benchmark review)] The... Continue reading
Posted Aug 6, 2012 at IBM Application Security Insider
By Babita Sharma, Michael Hua Xiao Most modern web applications are built using web application frameworks, such as Enterprise JavaBeans (EJB), Apache Struts and JavaServer Faces (JSF). These frameworks simplify web application development by providing higher-level abstractions for common tasks.... Continue reading
Posted Aug 2, 2012 at IBM Application Security Insider
CVE-2012-0175 Background Windows File Association allows an application to define a handler that should be called for each operation on a specific file type. For example, WinRAR registers the file type .RAR in the following manner: The Open action defined... Continue reading
Posted Jul 16, 2012 at IBM Application Security Insider
HTML Sanitizing Information Disclosure - CVE-2011-1252 Introduction The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9 is used to sanitize HTML fragments from dynamic and potentially malicious content. If an attacker is able to... Continue reading
Posted Jul 8, 2012 at IBM Application Security Insider
Automated crawling of web applications is the first step in automating web application security analysis. Without a proper crawl, automated testing of vulnerabilities will reveal incomplete results (AKA "False Negatives"). Modern web technologies, like AJAX, result in more responsive and... Continue reading
Posted Jun 26, 2012 at IBM Application Security Insider
Anshum, can you elaborate on the structure of the RESTful requests?
@Dotnetchris - have you bothered to look in the "Acknowledgments" section of the Microsoft security bulletin? It was *our team* that disclosed this to Microsoft. We then waited for Microsoft to patch this issue, and only then published the full details of the issue. That's called responsible disclosure. There's no FUD here, just technical details.
JSON rendering in Internet Explorer In the world of Web2.0 and mash web applications, security researchers come across more and more XSS vulnerabilities that are reflected in non HTML responses. For example, JSON responses are becoming more and more common,... Continue reading
Posted Oct 24, 2011 at IBM Application Security Insider
>>>> See the most recent results of the 2012 WAVSEP benchmark! <<<< Shay Chen, an Information Security consultant and blogger, recently published the latest results of his ultra-thorough web application security scanner comparison. The survey covered 60(!) different open source... Continue reading
Posted Aug 3, 2011 at IBM Application Security Insider
As promised in my last blog post, we recently published a new whitepaper on the subject of client-side JavaScript vulnerabilities. Below you can find a short excerpt from the whitepaper: In the past 10 years, many whitepapers, research articles, and... Continue reading
Posted Jan 6, 2011 at IBM Application Security Insider
In a few weeks, our team is going to publish a new research whitepaper, which explores the prevalence of client-side JavaScript vulnerabilities such as DOM-based XSS, in real world web applications. For this research, we used a new IBM technology... Continue reading
Posted Nov 22, 2010 at IBM Application Security Insider
Just a quick fact correction - Quote: "When the WAF market started, PCI was the biggest driver and WAFs were seen as a “checklist technology.”" PCI DSS was first released in December 2004, while the first WAF (AppShield) was released in 1998.
Background I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative. Technical Details... Continue reading
Posted Mar 23, 2010 at IBM Application Security Insider
I just read an awesome blog post at “Schmoilitos Way” that describes a scenario in which someone ran a static analysis tool, found a vulnerability, patched it using a faulty input validation routine, and then re-ran the scan, this time... Continue reading
Posted Nov 17, 2009 at IBM Application Security Insider