Dina Shkolnik


Checkmarx Announces Enhancements to Software Exposure Platform

New Core Platform Capabilities Deliver Unified Policy Management, Cross-Product Correlation and Machine-Learning Based Automated Prioritization for Comprehensive Software Security at Scale. SAN FRANCISCO – RSA Conference 2019 – Booth S1453 – March 5, 2019 – Checkmarx, the Software Exposure Platform


Introduction to the AppSec Knowledgebase

Week after week, an increasing number of corporations and governments become the victims of cybercrime. These exploitations lead to losses of revenue and reputation which are often impossible for the affected organizations to recover. The best defense in the


The Game of Hacks

The Game of Hacks development was directed jointly by Checkmarx CTO Maty Siman and Asaph Schulman, VP of marketing. It’s based on the 2013 OWASP Top-10, one of the most comprehensive vulnerability references available today. In a nutshell, this is an interactive


Top Sites to Learn Hacking (Legally)

1 – Bricks: Bricks is a deliberately vulnerable web app built on PHP and using a MySQL database, where each “brick” contains a security vulnerability to be mitigated. The project provides a platform for learning and teaching AppSec as


AppSec Blogs to Learn From

Krebs on Security: A Washington Post investigative reporter turned independent cybersecurity journalist, Brian Krebs regularly blows the covers off security breaches and schemes. His blog is an intriguing mix of posts on tips he’s received and security news we need


Top AppSec Gurus on Twitter

Staying on top of the latest developments and innovation in application security is key. The following list of thought leaders is an excellent source of information that will help you implement a successful application security program. Troy Hunt @TroyHunt


OpenSAMM

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations devise and implement an application security strategy that is tailored to their specific needs and requirements. The resources provided by this model allow the evaluation of the


BSIMM

Building Security In Maturity Model (BSIMM) is a software security measurement framework that helps organizations gauge their software security and build a maturity model based on actual data gathered from real-world software security initiatives. What is inside the BSIMM? It


MISRA/MISRA C

MISRA C is a dedicated software development standard for the C programming language developed by MISRA. Its aims are to facilitate code safety, portability and reliability in the context of embedded systems, specifically those systems programmed in ISO C. There


HIPAA

HIPAA defines how electronic (online) healthcare and administrative transactions should be executed by companies providing health plans and other health care provisions. This American legislation was signed by Bill Clinton in 1996 and has five main sections that cover the


PCI DSS

The PCI DSS consists of a set of requirements that help create a secure environment for all companies that process, store or transmit credit card information. It was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover


SANS 25

The SANS 25 list is a widely recognized AppSec benchmark. The vulnerabilities listed here are linked directly to their respective CWE origins. This means you can get an in-depth view into the vulnerability data (remediation costs, code samples, attack frequency,


OWASP/OWASP TOP 10

The Open Web Application Security Project (OWASP) is an open-source appsec community. Its goal is to increase application security awareness. OWASP is the source behind the industry standard OWASP Top 10. More and more companies from various industrial sectors are embracing this vulnerability list, which consistently


The Secure SDLC

More and more organizations are ditching the traditional sequential processes (i.e., Waterfall) for iterative development methodologies. This commonly involves Agile and DevOps methods, which are based on continuous delivery of software based on customer feedback. But traditional AppSec solutions


SAST vs DAST

Why SAST? Better ROI, since DAST works only after a build is reached. Wider coverage: DAST can’t find non-reflective flaws (XSS). More effective in Agile, DevOps and CI/CD scenarios. Helps automate the security process and create a secure SDLC. Uses


SAST vs PENETRATION TESTING

Why SAST? Better ROI, since Penetration Testing can’t work till the app is up and running. Has a higher detection rate. Pen Testing needs many cycles. Offers faster scan results and is not dependent on the human factor. Requires less manpower and


What Are The Top AppSec Solutions Available Today?

There are 5 main AppSec methodologies in use today: Penetration (Pen) Testing, Manual Code Review, Web Application Firewalls (WAFs), Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). Penetration (Pen) Testing – Penetration testing is a “hands on” methodology that combines


How to Approach Application Security?

Application security has changed over the years. While initially dominated by Penetration (Pen) Testing and Manual Code Reviews, the evolution of programming has forced this industry to become more advanced. There are different ways to approach application security today. Security


How will the AppSec Beginner’s Guide Help Me?

Whether you are a developer, an aspiring ethical hacker or an information security manager – understanding and implementing good application security is mandatory. We strongly recommend you make use of the information and resources in this AppSec Beginner’s Guide, which


What is AppSec?

The modern web application is a complex piece of software that can contain millions of lines of code (LOC). The dynamic nature of these applications means that they can be exploited and manipulated if the code integrity is not up


Cybercrime – Affecting Organizations Worldwide

With more and more organizations offering their services via online channels, cybercrime has picked up significantly. Banking, e-commerce, retail, health, defense, government, transportation and other websites have given hackers (and commercial attackers) a large choice of potential targets to exploit.


Session Hijacking

Session Hijacking is the exploitation of the web session control mechanism, where the hacker exploits vulnerable connections and steals HTTP cookies to gain unauthorized access to sensitive information/data stored in web servers. This kind of attack, also known as Cookie


Session Fixation

This hacking methodology basically involves the taking over of the victim’s session with the web server after he’s logged in. This is made possible by exploiting limitations in the application’s Session ID (SID) management. While authenticating a user, the vulnerable


Path Traversal

Path Traversal attacks are made possible when access to web content is not properly controlled and the web server is compromised. This is basically an HTTP exploit that gives hackers unauthorized access to restricted directories. They eventually manipulate the


LDAP Injection

Lightweight Directory Access Protocol (LDAP) is an open and vendor-neutral directory service protocol that runs on a layer above the TCP/IP stack. It provides the appropriate mechanism for accessing and modifying data directories, things that are commonly used today while


OS Command Injection

OS Command Injection attacks occur when the hacker attempts to execute system level commands through a vulnerable web application. These high impact server/application injections help the hacker to bypass administrator privileges and execute malicious OS commands. Just like SQL injections,


Cross-site Request Forgery (CSRF)

CSRF attacks manipulate the inability of the web applications to authenticate user access, putting entire networks at risk. This session-riding, which allows the hacker to use an active session of the victim to perform actions on his behalf without his


Privacy Violation

Despite security regulations (OWASP Top-10, PCI DSS, HIPAA, MISRA, etc.) that are being enforced in the various industrial sectors, privacy violation is still a common occurrence today. Passwords, certificates, credit card details, social security numbers, addresses, mobile numbers and email


SQL Injection (SQLi)

SQL Injections, which have been appearing in the OWASP Top-10 for years, are basically unsanitized user input vulnerabilities. These maliciously compiled SQL statements are used to illegally communicate with the application’s database for harvesting information, manipulating data and in many


Cross-Site Scripting (XSS)

XSS attacks occur when malicious code is injected into trusted/well-known websites. It utilizes the user’s browser as its breeding ground, with the malware being transferred in the form of browser side scripts. XSS payloads trick the victim’s browser into executing
