Threat modeling is really just a fancy way of saying: “Let’s think about what could go wrong with our software in advance, so we can stop it before it happens.” When we build applications, most of …| SheHacksPurple
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.| Include Security Research Blog
Let's understand uncontrolled resource consumption vulnerability| hugs4bugs
Let's understand what is Snyk Broker and how it's solving enterprise problems| hugs4bugs
Explore the pitfalls of security champion programs and learn effective strategies to avoid common worst practices. Download the slides now!| SheHacksPurple
Saturday April 26th 2025 through to Friday May 2nd I attended RSAC and B-Sides San Francisco, and it was amazing! Let me tell you about my trip!| SheHacksPurple
I am employed as a Principal Security Architect at Adobe at the time I published this article. All opinions are my own. During BSides Salt Lake City 2025 I hosted a workshop to practice interviewing skills for application security / product security. Application Security interviews can be challenging, but the right preparation can set you apart. In this hands-on workshop, you'll tackle real-world AppSec scenarios through interactive mock interviews designed to build your confidence and...| Florian Noeding's blog
Include Security's latest blog post covers Cross-Site WebSocket Hijacking and how modern browser security features do (or don't) protect users. We discuss Total Cookie Protection in Firefox, Private Network Access in Chrome, and review the SameSite attribute's role in CSWH attacks. The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.| Include Security Research Blog
It’s been a long time since I last wrote on my personal blog, but I’ve been busy creating tons of content! I figured it’s time to share everything I’ve been working on over the past nine months—eve…| SheHacksPurple
In our team's latest blog post, we build a few examples that showcase ways in which memory corruption vulnerabilities could manifest in Delphi code despite being included in a list of "memory safe" languages within a paper published by the NSA. We cover how compiler flags and dangerous system library routines could affect memory safety while demonstrating Delphi stack/heap-based overflow examples and conclude with a few tips for developers to avoid introducing memory vulnerabilities in their ...| Include Security Research Blog
Black Hat to Def Con, Diana Initiative to SquadCon, invites to see Tanya all week long!| SheHacksPurple
June 15 & 16th, 2024, I was in beautiful Vancouver, Canada, with my colleagues Amanda McCarvill and Brandan Wu for the annual, local, moving conference that spans the Pacific Northwest to give a talk, but it turned into so much more: OWASP AppSec PNW! The night before was the speaker's dinner, where I got…| SheHacksPurple
Hey there, fellow security folks! I've got some absolutely incredible news to share with you today. Brace yourself, because I guarantee you'll be just as excited as I am. Drumroll, please… introducing Semgrep Academy! Are you ready to learn all things application security, secure coding, API security, static analysis, and maybe even some functional programming?…| SheHacksPurple
Our team hacks space heater firmware updates over Wi-Fi in the latest Include Security blog post. We break down, literally and figuratively, each step of the attack to demonstrate how anonymous users on the same wireless network as an affected space heater could overwrite its firmware, causing it to behave in unpredictable and potentially dangerous ways!| Include Security Research Blog
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!| Include Security Research Blog
Our latest post focuses on the command and control (C2) software frameworks used by professional offensive security red teams and criminal organizations alike. We dived into the source code of multiple high-profile, open-source C2s and discovered vulnerabilities in most of them. In this post, we provide a brief overview of C2 concepts, review the details of the frameworks' identified vulnerabilities (with nifty reproduction gifs included!), and conclude with some final thoughts about the curr...| Include Security Research Blog
GraphQL has no security by default. All doors are open for the most basic attacks. Read more to learn about the exact threats and some simple strategies you can implement to get your users' data under lock and key 🔐| Escape - The API Security Blog
Are you looking to make your API security program stronger? Our detailed API Security Checklist is here to help.| Escape - The API Security Blog
Discover our in-depth guide on application security audits, systematic evaluations conducted to assess the security posture of applications.| Escape - The API Security Blog
How to use Ghidra's Version Tracking to avoid reverse engineering binaries from scratch when a new software version is released.| LRQA Nettitude Labs
Legit Security | Why Legit Security Immediately Joined Google’s New Coalition for Secure Artificial Intelligence (CoSAI). Get details on CoSAI and why Legit chose to be a part of this forum.| www.legitsecurity.com
Legit Security | Security Challenges Introduced by Modern Software Development. Understand how modern software development is changing security threats.| www.legitsecurity.com
Finding deserialization functions accepting user input can be exciting, but what's your plan if well-known gadget chains aren't an option for exploitation? In this post, we explore the process of building a custom gadget chain to exploit deserialization vulnerabilities in Ruby. The post Discovering Deserialization Gadget Chains in Rubyland appeared first on Include Security Research Blog.| Include Security Research Blog
Discover the value of developer security training for developers and effective strategies for fostering a secure software development culture.| Escape DAST - Application Security Blog
Learn how Datadog SCA enables teams to secure application services.| Datadog
Explore the definition of business logic, its flaws, the differences with application logic, and how to prevent business logic attacks.| Escape - The API Security Blog