Cross-platform frameworks, such as Apache Cordova, are becoming increasingly
popular. They promote the development of hybrid apps that combine native, i.e.,
system-specific, code with system-independent code, e.g., HTML5/JavaScript.
Combining native with platform-independent code opens Pandora's box: all the
security risks of native development are multiplied by the security risks of
web applications.
If you want to learn more, visit our talk at the OWASP AppSecEU in Belfast.
Update: you can also watch the recording of our talk!
On the one hand, browser extensions, e.g., for Chrome, are very useful, as they
extend web browsers with additional functionality (e.g., blocking ads). On the
other hand, they are the most dangerous code that runs in your browser:
extensions can both read and modify the content displayed in the browser. As
they can also communicate with any web site or web service, they can report both
data and metadata to external parties. The current security model for browser
extensions seems inadequate for expressing the security and privacy needs of
browser users. Consequently, browser extensions are a “juicy target” for
attackers targeting web users.
If you want to learn more, visit our talk at the OWASP AppSecEU in Belfast.
Update: you can also watch the recording of our talk!
The recording of the webinar on the benefits of applying security testing as
early as possible in software development is now available online.
Do you want to join a world-class computer science department and help us
establish an information and computer security research group? Then now is the
right time to apply. We have three Lecturer/Senior Lecturer/Reader positions to
fill.
It is already that time of the year when you should prepare your submission to
the International Workshop on OCL and Textual Modeling. The Call for Papers has
already been published.
In the application security testing domain, the debate over whether static
application security testing (SAST) is better than dynamic application security
testing (DAST) or interactive application security testing (IAST) is heating
up. But is this really the right question to ask?
I think it is not. Static approaches (e.g., SAST) and dynamic approaches
(e.g., DAST or IAST) to application security testing have fundamentally
different properties. Thus, the important question is how we can combine SAST
and DAST/IAST to make an application security program as effective and
efficient as possible.
There is a long and still ongoing battle between the verification
community and the testing community about the right approach to showing the
correctness of computer programs. Often, one side brings up the famous quote of
Edsger W. Dijkstra: “Program testing can be used to show the presence of bugs,
but never to show their absence!”
This quote is often used to assert that verification is the holy grail of
program correctness and that testing is a necessary evil, as full verification
is often too expensive (even though there are successful verifications of,
e.g., complete operating system kernels). But is this true?
Let's do a small gedankenexperiment.
The proceedings of the International Workshop on OCL and Textual
Modeling (OCL 2016) are now
on-line as Volume 1759 of the
CEUR Workshop Series [1].
The proceedings contain 11 peer-reviewed papers presenting the latest
research related to textual modeling in general and the Object
Constraint Language (OCL) in particular. Moreover, the proceedings
also contain an invited paper [2]
that summarizes the lightning talks given during the open discussion
session at the workshop.