mackowski (@kubamackowski) 's Twitter Profile
mackowski

@kubamackowski

I help developers write secure code. | co-leader of OWASP Cheat Sheet Series project. | Application Security Engineer

ID: 1201794682868682752

Link: https://cheatsheetseries.owasp.org/
Joined: 03-12-2019 09:26:00

121 Tweets

181 Followers

379 Following

Stefano Di Paola (@wisecwisec)

OH: to SAST Tools. When dealing with "OWASP Top 10 A9 Using Components with Known Vulnerabilities" please, unless you have a POC, do not set the risk as "absolute" value. 1/3

Jim Manico from Manicode Security (@manicode)

I’m having difficulty making a call for a cheatsheet regarding guidance to HMAC a password before sending it over TLS. Please chime in here if interested and have expertise in this area github.com/OWASP/CheatShe….

Jim Manico from Manicode Security (@manicode)

ncsc.gov.uk/blog-post/pass… looks like a solid list of breached passwords we plan to add as an open source reference to one of the ASVS sections. Are there other lists we should reference?

Securing (@securingpl)

It's been a year since Damian Rusinek wrote a series of articles about #OAuth. We hope you still keep it secure 🛡 securing.pl/en/secure-oaut… #ITSecurity #appsec

Scott Helme (@scott_helme)

Sometimes you get to scratch an itch and take something off your backlog that's been bugging you! We're now using CSP nonces in an enforced policy over at Report URI 😎 scotthelme.co.uk/report-uri-is-…

dzikoysk (@dzikoysk)

(1/5) If you're using the log4j library, you should bump it as soon as possible to 2.15+. A dangerous RCE was spotted a few days ago and it can be used by literally ANY user just by getting incoming data logged in some way. You should probably notify people you know about it #Java

mackowski (@kubamackowski)

Thank you Maria Ines Parnisari 🇨🇦🇦🇷 for adding Relationship-Based Access Control (ReBAC) to the Authorization cheatsheet! cheatsheetseries.owasp.org/cheatsheets/Au… #AppSec #OWASP #owaspcheatsheetseries OWASP® Foundation Jim Manico from Manicode Security

Jeroen (@commjoenie)

Who would be interested in building and publishing git-secrets and truffle hog rules based on #OWASP #WrongSecrets? (Asking for a volunteer)

Jason Haddix (@jhaddix)

a🧵 ⚠️Orgs with mature security programs⚠️ Want a masterclass in scoping/running a bug bounty program? Read more from a program owner, (former) bounty platform employee, and top bug hunter (me😂) 🚨 Retweet, follow, & like for more sec content! 🚨 1/x

koto (@kkotowicz)

We're launching a new VRP for Google's open source software, specifically focused on supply chain issues and build compromises. security.googleblog.com/2023/08/Announ… (this time with a proper link!)

Clint Gibler (@clintgibler)

🤬 XML Security in Java. Turns out, it's crazy! Varying mitigations, security features that don't work as documented, and more. Pieter De Cremer and Vasilii Ermilov give probably the most thorough treatment of Java XML security I've seen semgrep.dev/blog/2022/xml-…

Semgrep (@semgrep)

☕ Java XML security can be quite a mess. 🧘 Sit down with our security researchers Pieter and Vasilii as they untangle XML security options across different XML parsers. 📓 semgrep.dev/blog/2022/xml-…

Jim Manico from Manicode Security (@manicode)

As AppSec testing capabilities mature in our industry, intricate details and capabilities of various AppSec tools matter. Like does your SCA tool understand if the lib is exploitable or not? And I find that pros out there that understand this level of detail are rare.

OWASP Top10 (@owasptop10)

Let's get the many OWASP Top 10's going again! If you are interested in contributing to any of the various OWASP Top 10's or Proactive Controls, please RSVP to one of these: Option 1 meetup.com/owaspfoundatio… Option 2 meetup.com/owaspfoundatio… Option 3 meetup.com/owaspfoundatio…

koto (@kkotowicz)

Chris Wysopal Jim Manico from Manicode Security Reachability is not exploitability. And even if we consider technically reachable, exploitable data flows, the security impact is encoded in the threat model, not code (is it an internal tool? Is the functionality only exposed to admin roles? Would anyone benefit from exploiting it?)

GitHub Security Lab (@ghsecuritylab)

Catch the replay of Xavier René-Corail's talk about #CodeQL at #CNSCon! To shift security left, empower your developers with the Security as Code approach. youtu.be/aKv08sAUNUs