Gavin Johnson-Lynn

Z-DaRT (Zero Data and Resource Trust)

TL;DR: "An application should assume zero trust in ALL data and resources that it consumes, no matter who created them, including internal staff" Software, in particular web-based applications suffer from a problem with trusting data and resources. Trusting Data Data coming from users

Edit JWT Online (setting algorithm to none)

Online editor for a JWT token to use the "none" algorithm. Edit the header and the payload, get the encoded output.

The Beginners Guide To Security Response Headers

Response headers are an important part of web security. There are lots of headers, some that apply just to requests, some just for responses and some that can appear in both. Some are only relevant to web pages, while others are also useful in

WebAPI

The API Security Problem

(Note: If you'd like more on the OWASP API Top 10 then take a look at my Pluralsight course on OWASP Top 10: API Security Playbook [https://pluralsight.pxf.io/o2z3o]) There are many things on the internet that don’t get the security

Pluralsight

OWASP API Top 10: Broken User Authentication

This is the second entry in the OWASP API top 10 (API2:2019) [https://owasp.org/www-project-api-security/]. In my development career, implementing authentication was always something I feared. It's an important part of an API and implementing something like OAuth 2.0 [https://oauth.

Pluralsight

Compiling the LaZagne.exe from Source

Problems creating the LaZagne exe file? Use this guide to help you!

Security

CVSS for Dev Teams

Penetrations test results (hopefully) contain CVSS scores. Here are some thoughts on how a dev team should look at them.

Efficiency

Choosing a Keyboard

Deciding on the right keyboard as someone with an office job. Here are the key points about choosing a keyboard - I decided on a Durgod Taurus K310

ApiTop10

OWASP API Top 10: Broken Object Level Authorisation

Understand how broken object level authorisation attacks work against an API, why they work and what the potential impact is..

Security

Defending from Forced Browsing…good reasons not to just hide restricted content

Secure coding to protect against forced browsing. Strong defences from forced browsing require controls such as Role Based Access. Here we explain how to mount a good defence!

Security

Hooking a Browser with the Browser Exploitation Framework (BeEF)

A quick guide to starting BeEF and running commands against a hooked browser

Security

Proxmark 3, Cloning a Mifare Classic 1K

Cloning a Mifare Classic 1k card using the Proxmark 3

Agile

Why do we Perform Secure Code Reviews

Why do we use secure code reviews, instead of just a generic code review?

Security

When Should we Perform a Secure Code Review?

Working in an agile environment we need to consider what we do and how important it is that we do it. We want efficiency, but not at the expense of quality. So when we think about secure code reviews we shouldn't assume they always

Agile

Who can Perform a Secure Code Review?

You need to pick the right person for a job. Here's how to find the right person for a secure code review.

Security

Agile Secure Code Review

Performing secure code reviews in an agile environment.

Agile

Agile Secure Code Review - References

A list of references that have been useful when writing about Secure Code Reviews. I haven't found much yet! * FxCop [https://en.wikipedia.org/wiki/FxCop] * OWASP Code Review Guide [https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents] * Pluralsight

Security

API Throttling

API request throttling limits the number of requests that can use your API. “Madness” you say, “intentionally stop requests from reaching my API?”

Security

Defence Against SQL Injection

How do you defend against SQL Injection? Have you only got one or two defences in place? Cover yourself from multiple angles and perhaps help your overall security stance too!

Security

Adding Depth to Security with Input Validation

Input validation is a simple yet powerful part of defence in depth. Discover how it helps improve the security of any service.

Security

Defence in Depth Meets the Software Development Life-cycle

Security in software development can get time consuming. Thinking about it in an Agile way can save time and may even be better...

Security

Authentication vs Authorisation, know the difference

Authentication vs Authorisation is one of the real basics of security, we've all got to start somewhere!

Security

The Intricacies of IP Whitelisting

What is an IP Whitelist? An IP whitelist restricts incoming traffic so that it may only arrive from an IP address or list of IP addresses. Traffic from any other address is ignored before any further processing. This is useful because you can immediately

Security

The Security of Champions

This is the third blog (first one here [https://www.gavinjl.me/is-your-business-unwilling-to-add-security-features-to-software/] , second one here [https://www.gavinjl.me/application-security-design-it-in-or-wedge-it-in-at-the-end/], third on here [https://www.gavinjl.me/security-degrades-over-time/]) from a meeting of the North-East England chapter of (ISC)2 [https://www.isc2.org/

Security

Security degrades over time

This is the third blog (first one here [https://www.gavinjl.me/is-your-business-unwilling-to-add-security-features-to-software/] , second one here [https://www.gavinjl.me/application-security-design-it-in-or-wedge-it-in-at-the-end/]) from a meeting of the North-East England chapter of (ISC)2 [https://www.isc2.org/], where security experts from the region used the

Subscribe to Gavin Johnson-Lynn