Questions tagged [sdlc]

Integrating security practices into the Software/Systems Development Life Cycle. Security practices can be part of any or all of the requirements, design, implementation, testing, or operational phases of a development cycle.

0 votes
0 answers
315 views

XSS Payload That Can Bypass Special Character Check

I developed the following C# algorithm to prevent XSS attacks: private bool Is_There_XSS_Payload(string arg) { Regex regex = new Regex(@"^[a-zA-Z0-9]+$"); bool result = ...
Asked by KosD
1 vote
1 answer
2k views

How to include OWASP Zap in CI/CD

The company wants to start improving security. The test team uses the OWASP Zap tool (GUI version) to scan the new version for vulnerabilities. That usually takes between half an hour and 90 minutes. How to ...
Asked by Mate Mrše
2 votes
1 answer
576 views

How to interpret "Verify the use of a secure software development lifecycle that addresses security in all stages of development"?

I've been looking at OWASP Application Security Verification Standard 4.0.2 for a while now, and I'm trying to understand all the checkpoints in detail. I am not sure what exactly the author of a ...
Asked by soro
2 votes
1 answer
200 views

Should we build a generic security unit test suite

As part of our secure SDLC, we are delivering security as security requirements directly into the backlog of an application team. The security requirements will directly correlate to the functional ...
Asked by bobD
3 votes
2 answers
846 views

SAST vs WAF: What should I choose?

Given the fact that I have a WAF already deployed, what is the benefit I could get by purchasing a SAST tool that would scan the engineers' code for security flaws? Does this also apply for SCA tools ...
Asked by elli
1 vote
2 answers
161 views

Security implications of source code location

We're working towards implementing an SDLC for a company, and as in any complex environment there are differences of opinion about the new process. Some of the developers want to make use of one directory ...
Asked by Joe
6 votes
3 answers
234 views

Security Testing Methods for Enterprise Level

I have been asked to perform a risk assessment for a company. The scope covers about 100 applications in various business units. The major task is to assess the currently implemented security controls and ...
Asked by ray bash
8 votes
1 answer
2k views

Should I develop with TLS on or off?

I develop applications on my local computer that I later deploy to a TLS production server. Should I develop with TLS on or off?
Asked by Jonathan
4 votes
2 answers
656 views

Can results from DAST (Dynamic Application Security Testing) tools be false positive?

I know results from Static Application Security Testing (SAST) can be false positives or real and it is up to the security analyst and developer to decide which vulnerability is real based on the ...
Asked by Puja