In this episode, I go over what Double-ClickJacking is and what you can potentially do about it to reduce the risk to your applications. Will this be the new finding on everyone&apos;s pen tests this year?Paulos Yibelo first described Double-ClickJacking and you can read more from him at his post referenced below.References:Paulos Yibelo Blog: <a href='https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html'>https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html</a> <a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms">Send us a text</a>For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (<a href='https://x.com/developsec'>@developsec</a>). The DevelopSec podcast is brought to you by Jardine Software Inc.

<description>&lt;p&gt;In this episode, I go over what Double-ClickJacking is and what you can potentially do about it to reduce the risk to your applications. &lt;/p&gt;&lt;p&gt;Will this be the new finding on everyone&amp;apos;s pen tests this year?&lt;/p&gt;&lt;p&gt;Paulos Yibelo first described Double-ClickJacking and you can read more from him at his post referenced below.&lt;/p&gt;&lt;p&gt;&lt;b&gt;References:&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Paulos Yibelo Blog: &lt;a href='https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html'&gt;https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;br/&gt;&lt;/p&gt;&lt;p&gt;&lt;a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms"&gt;Send us a text&lt;/a&gt;&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (&lt;a href='https://x.com/developsec'&gt;@developsec&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;The DevelopSec podcast is brought to you by Jardine Software Inc. &lt;/p&gt;</description>

In this episode, I go over what Double-ClickJacking is and what you can potentially do about it to reduce the risk to your applications.  Will this be the new finding on everyone's pen tests this year? Paulos Yibelo first described Double-ClickJacking and you can read more from him at his post referenced below. References: Paulos Yibelo Blog: https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html   Send us a text For more info go to https://www.developsec.com or follow us on X...

Ep. 124: Double-ClickJacking

In this episode, I talk about how security is a part of everyone&apos;s role and the labeling of &quot;Security Culture&quot;. I share some ideas on how to improve on role based security awareness and building stronger relationships between security and the rest of the organization.For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (@developsec).<a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms">Send us a text</a>For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (<a href='https://x.com/developsec'>@developsec</a>). The DevelopSec podcast is brought to you by Jardine Software Inc.

<description>&lt;p&gt;In this episode, I talk about how security is a part of everyone&amp;apos;s role and the labeling of &amp;quot;Security Culture&amp;quot;. I share some ideas on how to improve on role based security awareness and building stronger relationships between security and the rest of the organization.&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (@developsec).&lt;/p&gt;&lt;p&gt;&lt;a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms"&gt;Send us a text&lt;/a&gt;&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (&lt;a href='https://x.com/developsec'&gt;@developsec&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;The DevelopSec podcast is brought to you by Jardine Software Inc. &lt;/p&gt;</description>

In this episode, I talk about how security is a part of everyone's role and the labeling of "Security Culture". I share some ideas on how to improve on role based security awareness and building stronger relationships between security and the rest of the organization. For more info go to https://www.developsec.com or follow us on X (@developsec). Send us a text For more info go to https://www.developsec.com or follow us on X (@developsec).  The DevelopSec podcast is brought to you by Jardine ...

Ep. 123: Goals of Security Culture - Sort of?

In this episode I talk about assigning responsibility for secure development and how the dev and security teams should be working together to accomplish a common goal. I also discuss the importance of updating developer job descriptions and creating an expectation around developers having secure development experience.For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (@developsec).<a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms">Send us a text</a>For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (<a href='https://x.com/developsec'>@developsec</a>). The DevelopSec podcast is brought to you by Jardine Software Inc.

<description>&lt;p&gt;In this episode I talk about assigning responsibility for secure development and how the dev and security teams should be working together to accomplish a common goal. &lt;/p&gt;&lt;p&gt;I also discuss the importance of updating developer job descriptions and creating an expectation around developers having secure development experience.&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (@developsec).&lt;/p&gt;&lt;p&gt;&lt;a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms"&gt;Send us a text&lt;/a&gt;&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (&lt;a href='https://x.com/developsec'&gt;@developsec&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;The DevelopSec podcast is brought to you by Jardine Software Inc. &lt;/p&gt;</description>

In this episode I talk about assigning responsibility for secure development and how the dev and security teams should be working together to accomplish a common goal.  I also discuss the importance of updating developer job descriptions and creating an expectation around developers having secure development experience. For more info go to https://www.developsec.com or follow us on X (@developsec). Send us a text For more info go to https://www.developsec.com or follow us on X (@develops...

Ep. 122: Integrating Security Responsibilities into Development

In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics the malicious actors are using to put pressure on organizations to pay the ransom.   Referenced Articles:<a href='https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/'> https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/</a><a href='https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets'> https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets</a><a href='https://www.theregister.com/2024/01/05/swatting_extorion_tactics/'> https://www.theregister.com/2024/01/05/swatting_extorion_tactics/</a>   For more info go to <a href='https://www.developsec.com'>https://www.developsec.com</a> or follow us on X (@developsec).   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.<a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms">Send us a text</a>For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (<a href='https://x.com/developsec'>@developsec</a>). The DevelopSec podcast is brought to you by Jardine Software Inc.

<description>&lt;p&gt;In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics the malicious actors are using to put pressure on organizations to pay the ransom.&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; Referenced Articles:&lt;/p&gt;&lt;p&gt;&lt;a href='https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/'&gt; https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href='https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets'&gt; https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href='https://www.theregister.com/2024/01/05/swatting_extorion_tactics/'&gt; https://www.theregister.com/2024/01/05/swatting_extorion_tactics/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; For more info go to &lt;a href='https://www.developsec.com'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (@developsec).&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.&lt;/p&gt;&lt;p&gt;&lt;a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms"&gt;Send us a text&lt;/a&gt;&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (&lt;a href='https://x.com/developsec'&gt;@developsec&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;The DevelopSec podcast is brought to you by Jardine Software Inc. &lt;/p&gt;</description>

In this episode I talk about the evolving world of ransomware. I discuss a few examples of unique tactics the malicious actors are using to put pressure on organizations to pay the ransom.     Referenced Articles:  https://www.theregister.com/AMP/2024/04/30/finnish_psychotherapy_center_crook_sentenced/  https://www.darkreading.com/cyber-risk/hackers-weaponize-sec-disclosure-rules-against-corporate-targets  https://www.theregister.com/2024/01/05/swatting_extorion_...

Ep. 121 - Evolving Ransomware: Unique Tactics for Payment

In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved?   For more info go to <a href='https://www.developsec.com'>https://www.developsec.com</a> or follow us on twitter (@developsec).   DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.  Transcript:In this episode, James talks about root cause analysis versus treating the symptoms.   Tackling the challenge to integrate security into the development process, looking for insights, answers and practical solutions to avoid getting overwhelmed. Welcome to the develop SEC podcast where our focus is your success in securing and improving development processes. And here&apos;s your host, James Jardine. Hey, everyone, welcome back to the show. Today, I want to talk about addressing the symptoms versus addressing the root problem. And I think in application security, or when we talk about secure development, this is something where a lot of times we address the symptoms, but we never really take the step back to address the actual root cause of what&apos;s causing those symptoms. And today, I want to actually talk about vulnerable third party components. This is something that has been kind of brought to the attention a lot more in the past few years, made it into the OWASP, top 10. And it&apos;s something I think everybody struggles with, we never know when we&apos;ll have a vulnerable third party component, because until somebody actually identifies a vulnerability, we just assume that we&apos;re good. And then on top of that, if there is a vulnerability identified, then we also run the chances that we&apos;re probably not even using that feature.  So vulnerable third party components are a really interesting aspect, when we think about secure development. Because there is a lot of unknowns, we may know that there&apos;s a vulnerability there. But the actual knowledge of do we use that piece and are we vulnerable, can be difficult, which, in the end, ends up adding a whole bunch of extra work and a whole lot of time for us to try to figure this out and address this stuff. And so this is where I talk about addressing the symptoms. In this case, in a lot of places, what we do is we address that symptom, we know that there&apos;s an issue of vulnerable third party components, right, that&apos;s the symptom, we have a vulnerable third party component. And so most places have some sort of process in place where we&apos;re going to identify these right, we&apos;re going to scan them all the time, whether using some of the common commercial tools, maybe you&apos;re using a free open source tool. But basically, the way it goes is I&apos;m going to scan my repos or I&apos;m going to scan my packages, and I&apos;m going to look for all the dependencies, and then I&apos;ll look at their dependencies, and we&apos;ll see if there&apos;s any known vulnerable components within these right. And that requires having some sort of CVE out there that says, hey, somebody has found this, they&apos;ve reported it, I remember requiring this to be a rep<a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms">Send us a text</a>For more info go to <a href='https://www.developsec.com/'>https://www.developsec.com</a> or follow us on X (<a href='https://x.com/developsec'>@developsec</a>). The DevelopSec podcast is brought to you by Jardine Software Inc.

<description>&lt;p&gt;In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved?&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; For more info go to &lt;a href='https://www.developsec.com'&gt;https://www.developsec.com&lt;/a&gt; or follow us on twitter (@developsec).&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt;&lt;b&gt;Transcript:&lt;/b&gt;&lt;/p&gt;&lt;p&gt;In this episode, James talks about root cause analysis versus treating the symptoms.&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt; Tackling the challenge to integrate security into the development process, looking for insights, answers and practical solutions to avoid getting overwhelmed. Welcome to the develop SEC podcast where our focus is your success in securing and improving development processes. And here&amp;apos;s your host, James Jardine. Hey, everyone, welcome back to the show. Today, I want to talk about addressing the symptoms versus addressing the root problem. And I think in application security, or when we talk about secure development, this is something where a lot of times we address the symptoms, but we never really take the step back to address the actual root cause of what&amp;apos;s causing those symptoms. And today, I want to actually talk about vulnerable third party components. This is something that has been kind of brought to the attention a lot more in the past few years, made it into the OWASP, top 10. And it&amp;apos;s something I think everybody struggles with, we never know when we&amp;apos;ll have a vulnerable third party component, because until somebody actually identifies a vulnerability, we just assume that we&amp;apos;re good. And then on top of that, if there is a vulnerability identified, then we also run the chances that we&amp;apos;re probably not even using that feature.&lt;/p&gt;&lt;p&gt;  &lt;/p&gt;&lt;p&gt;So vulnerable third party components are a really interesting aspect, when we think about secure development. Because there is a lot of unknowns, we may know that there&amp;apos;s a vulnerability there. But the actual knowledge of do we use that piece and are we vulnerable, can be difficult, which, in the end, ends up adding a whole bunch of extra work and a whole lot of time for us to try to figure this out and address this stuff. And so this is where I talk about addressing the symptoms. In this case, in a lot of places, what we do is we address that symptom, we know that there&amp;apos;s an issue of vulnerable third party components, right, that&amp;apos;s the symptom, we have a vulnerable third party component. And so most places have some sort of process in place where we&amp;apos;re going to identify these right, we&amp;apos;re going to scan them all the time, whether using some of the common commercial tools, maybe you&amp;apos;re using a free open source tool. But basically, the way it goes is I&amp;apos;m going to scan my repos or I&amp;apos;m going to scan my packages, and I&amp;apos;m going to look for all the dependencies, and then I&amp;apos;ll look at their dependencies, and we&amp;apos;ll see if there&amp;apos;s any known vulnerable components within these right. And that requires having some sort of CVE out there that says, hey, somebody has found this, they&amp;apos;ve reported it, I remember requiring this to be a rep&lt;/p&gt;&lt;p&gt;&lt;a target="_blank" href="https://www.buzzsprout.com/twilio/text_messages/2449554/open_sms"&gt;Send us a text&lt;/a&gt;&lt;/p&gt;&lt;p&gt;For more info go to &lt;a href='https://www.developsec.com/'&gt;https://www.developsec.com&lt;/a&gt; or follow us on X (&lt;a href='https://x.com/developsec'&gt;@developsec&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;The DevelopSec podcast is brought to you by Jardine Software Inc. &lt;/p&gt;</description>

In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved?     For more info go to https://www.developsec.com or follow us on twitter (@developsec).     DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.    Transcript: In this episode, James talk...

Ep. 120: Addressing Root Cause - Vulnerable Components

Curious about application security? Want to learn how to detect security vulnerabilities and protect your application. We discuss different topics and provide valuable insights into the world of application security.

DevelopSec: Developing Security Awareness

Details

Recent Episodes