I've been a huge fan of OWASP for a very long time, having spoken at their conferences, contributed to their projects, consumed many of their resources and met some really awesome people along the way! Just recently, one of the very popular OWASP projects, the Application Security Verification Standard (ASVS)| Scott Helme
Generative AI and LLM technologies have shown […]| hn security
Learn the 10 biggest LLM security risks and practical fixes, in a 5-minute TLDR. Updated for OWASP 2025.| Promptfoo Blog
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.| Include Security Research Blog
What to Look for in a Bot Management Solution: Top 7 Selection Criteria. How to Ensure Long-Term Protection Against Today’s Evolving Automated Attacks. Today, bots are becoming more than just a security threat. Their contributions to very real lost revenue and customer dissatisfaction are now getting noticed in the boardroom. Many businesses are coming around […]| Cequence Security
Explore the pitfalls of security champion programs and learn effective strategies to avoid common worst practices. Download the slides now!| SheHacksPurple
Learn how to enjoy vibe coding while avoiding common security pitfalls. Follow our practical security playbook to keep your AI-generated code secure.| Infisical Blog
Include Security's latest blog post covers Cross-Site WebSocket Hijacking and how modern browser security features do (or don't) protect users. We discuss Total Cookie Protection in Firefox, Private Network Access in Chrome, and review the SameSite attribute's role in CSWH attacks. The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.| Include Security Research Blog
In our team's latest blog post, we build a few examples that showcase ways in which memory corruption vulnerabilities could manifest in Delphi code despite being included in a list of "memory safe" languages within a paper published by the NSA. We cover how compiler flags and dangerous system library routines could affect memory safety while demonstrating Delphi stack/heap-based overflow examples and conclude with a few tips for developers to avoid introducing memory vulnerabilities in their ...| Include Security Research Blog
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!| Include Security Research Blog
Our latest post focuses on the command and control (C2) software frameworks used by professional offensive security red teams and criminal organizations alike. We dived into the source code of multiple high-profile, open-source C2s and discovered vulnerabilities in most of them. In this post, we provide a brief overview of C2 concepts, review the details of the frameworks' identified vulnerabilities (with nifty reproduction gifs included!), and conclude with some final thoughts about the curr...| Include Security Research Blog
Inspired by my own OWASP Sweden chapter talk last night, I learned more about Cyclomatic Code Complexity and did some practical experiments. Cyclomatic Code Complexity was described by Thomas J. McCabe in 1976. Read the Wikipedia entry for the entire […]| Simon Josefsson's blog
FYI I love acronyms: acronym soup, acronyms al dente, acronym au jus… Acronyms FTW. So, when I started working on a new article for the IDPro newsletter, it only felt natural to tackle OWASP and IAM. O’ What, you ask? Let’s dive right in. What’s IAM? Most of the readership here is familiar with IAM: Identity & Access Management. I’ll refer back to IDPro’s book of knowledge for definitions. Turn to the terminology section for the following: In short, Identity & Access Management (I...| Harvesting web technologies
So I was briefly involved in some project that was probably built back in the early days of the web – back when most developers wrote vanilla PHP scripts and thought jQuery was cool, before the enlightened era of batteries-included web frameworks like Rails or Laravel. I was faced with security practices so ancient […]| Bruceoutdoors Blog of Blots
Finding deserialization functions accepting user input can be exciting, but what's your plan if well-known gadget chains aren't an option for exploitation? In this post, we explore the process of building a custom gadget chain to exploit deserialization vulnerabilities in Ruby.| Include Security Research Blog
Intro| Silent Signal Techblog
OWASP Top 10 doesn’t need an introduction: it’s certainly the most well-known project of the Open Web Application Security Project (OWASP), referenced by every single presentation, paper, brochure and blog post that is at least slightly related to web application security.| Silent Signal Techblog