Rigorous AppSec 29-06-2024

The "just one more appsec newsletter" newsletter

Hello. If you are just joining for the first time, welcome. There is no one else for this first edition.

General Application Security

WebSockets
I’m looking at WebSockets again, so I thought I should promote a tool that does not appear to have received much attention yet: PortSwigger’s WebSocket Turbo Intruder. You can watch my intro video here.

Standards and Discussions

OWASP ASVS
Having just spent some time with some of the project group, I will recommend a practice I have found valuable. Consider watching the discussion on the ASVS GitHub project. The discussion is always interesting even just to see different perspectives. Here is an example on HSTS preloading.

I appreciate the token, but I am not entirely sure what to do with this.

AppSec Teams

Checklists
Deployed correctly, checklists can reduce error in complex, human-driven tasks. There are two obvious challenges with checklists: compliance and content.

Lack of use of, or compliance with, checklists is a common failure and can have a major impact on error rates and performance. The obvious solution, mandating checklist completion, isn’t an effective control if the checklist can be completed without having actually satisfied the corresponding condition(s) required for completion.

The second major challenge is content. What are the actual checks that should make up a checklist? This is not easy to answer without an empirical approach or some form of feedback mechanism, so the best (or easiest) answer is probably expert consensus (or what feels right). There is obviously a balance to be reached between insufficient error prevention and a burdensome waste of time.

We are increasingly working to make checklists dynamic (engagement-specific) to reduce the burden of unnecessary checks and hopefully improve actual compliance. I will share more on this eventually, but the process has not been designed with any empirical validation in mind. Sometimes, you just have to get the work done and go by feel.

OWASP Global AppSec Lisbon
I just delivered a talk on building application penetration testing teams (I am currently in the Lisbon airport sitting across from a circus-themed sardine store and reconnecting to the WiFi every minute). I assume OWASP will drop it on YouTube, but I never actually confirmed this.