And what subdomain takeovers mean for your SameSite cookies — I published an article a while ago about how Chrome is making SameSite the default behavior for cookies to prevent Cross-Site Request Forgery (CSRF) attacks. After that, jub0bs reached out to me about how the nuances of SameSite can leave websites vulnerable. Thanks for bringing this issue to my attention! …

Interview with Shinesa Cambric, Principal Product Manager at Microsoft — Our guest today, Shinesa Cambric, is an IT security professional who is passionate about designing roadmaps for identity and access management programs, and architecting security strategies for emerging technologies. In this episode of Sources and Sinks, Vickie Li, developer evangelist at ShiftLeft, interviews Shinesa about her research in identity and…

Launching your career in cybersecurity with self-study — Our guest today, Jasmine Jackson, is an experienced cybersecurity professional who got her start through self-teaching. Looking at Jasmine’s resume right now, it’s difficult to imagine that she was not able to find a job at all when she first started in the field! Jasmine has a technical background, but…

Spring unauthenticated RCE via classLoader manipulation — A critical zero-day vulnerability in the Spring framework was recently reported to Spring’s maintainer, VMWare. The vulnerability is an unauthenticated remote code execution vulnerability that affects Spring MVC and Spring WebFlux applications. You can find the CVE here: https://tanzu.vmware.com/security/cve-2022-22965. What is affected? The Spring4Shell RCE vulnerability allows attackers to execute code on applications…

The most common vulnerabilities to look out for in Angular and React applications: template injection, XSSI, authentication bypass, and more. — Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Passionate about securing software? Become an AppSec Ambassador! — Interested in helping developers write secure code from the start? ShiftLeft has launched a program to support you in the mission of helping your community write secure code. We will be financially supporting conference speakers, content creators, and infosec influencers. Read on to find out more! The ShiftLeft conference scholarship

25 vulnerabilities to look out for in Node JS applications: Directory traversal, prototype pollution, XSSI, and more… — Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting. Thankfully, most real-life vulnerabilities share the same root causes. And by…

OWASP leader Vandana’s tips for navigating your career in infosec — Our guest today, Vandana, holds a lot of impressive titles. She is the Chair of the OWASP Global Board of Directors, and she also leads multiple infosec Diversity Initiatives like InfosecGirls. But how did she get from an infosec newbie to the leader of OWASP and the keynote speaker at…