  • Getting started with ZAP and the OWASP Top 10: common questions

    Dan Cornell, Coalfire

    I recently received an email from a developer who was gearing up to use OWASP ZAP to test the security of their code. The developer had some questions about OWASP ZAP, testing for the OWASP Top 10 2013, and ZAP configuration. After I answered the email, I asked if I could repost it here because I thought it might be a useful resource for other developers getting started using ZAP – so here we go... Read more
  • Android: DNS setup for developing and testing against local web services

    Dan Cornell, Coalfire

    Most “interesting” smartphone applications do not run only on the smartphone device; they rely on supporting web services that can be run both by the deploying organization and by third parties. One of the challenges we have run into when developing Android applications is setting up a suitable development environment, because of issues resolving DNS entries for test versions of services. Read more
  • Command injection in Java: 80% proven that it is 100% impossible (sometimes)

    Dan Cornell, Coalfire

    I was reading Alex Smolen’s blog the other day and ran across the post “Command Injection Impossible in Java and .NET?” Interesting stuff! In an effort to avoid doing work I should actually be doing, I decided to look into it a bit more. Read more
  • Properties of secure hash functions

    Thought Leadership Team, Coalfire

    The news of NIST and their SHA-3 algorithm competition and a recent lunch and learn at Denim Group reminded me of the cryptography lectures I gave at UTSA. One of the concepts my students had the hardest time grasping was secure cryptographic hash functions, partially because of the number theory, but also in differentiating between the three properties of a secure hash function: collision resistance, preimage resistance, and second preimage resistance. Read more