5 Tips for Testing Large Applications and APIs
StackHawk
by Nicole Jones
2d ago
Testing applications becomes far more challenging as they grow in size and complexity. Different types of applications, such as microservices and monoliths, call for subtly different testing approaches, and so does testing APIs. Developers and AppSec professionals have many tools and techniques to accommodate applications of all sizes. Still, testing large applications at scale is hard. Unlike smaller, self-contained applications, large and complex applications demand an extensive, multi-faceted testing strategy. The sheer volume of potential intera ..read more
What is REST API Testing? Tools and Best Practices for Success
StackHawk
by StackHawk
2w ago
APIs (Application Programming Interfaces) are the glue that holds applications and services together. With the growth of distributed, multi-tier architectures, APIs are a crucial piece of modern applications, usually encompassing a good chunk of an application's logic and business processes. One of the most popular architectural styles for building APIs is REST (Representational State Transfer), known for its simplicity, scalability, and stateless nature. RESTful APIs facilitate communication with internal applications, support data integration workflows, and play significant roles in app deve ..read more
Golang Command Injection: Examples and Prevention
StackHawk
by StackHawk
2w ago
Many developers use Go (Golang) to build applications for the cloud, mostly because of the language's built-in concurrency, speed, and easy-to-read syntax. The same environments we deploy to, however, attract attackers trying to take control of those applications through command injection, XSS, and SQL injection. This post explores the threat that command injection poses to a Go web application's integrity. We start by exposing the motive, nature, and logic of command injection attacks. Thereafter, we'll examine a few protective methods th ..read more
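As an added example that is not from the StackHawk post, the following Go program shows the pattern the post warns about beside a safe alternative: a ping helper that splices user input into a shell command line, and the same helper rewritten to validate the host against an allowlist and hand it to exec.CommandContext as a separate argument with no shell involved. The allowlist regex, the function names and the 5-second timeout are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"time"
)

// pingVulnerable builds a shell command line from user input. Because the
// string is handed to /bin/sh, a host such as "8.8.8.8; id" or "$(id)" runs
// a second command with the server's privileges.
func pingVulnerable(host string) (string, error) {
	out, err := exec.Command("/bin/sh", "-c", "ping -c 1 "+host).CombinedOutput()
	return string(out), err
}

// hostRe is an assumed allowlist for this example: DNS labels or dotted
// IPv4 literals, nothing else. Shell metacharacters, spaces and a leading
// '-' (which ping would read as an option) cannot match it.
var hostRe = regexp.MustCompile(
	`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// validateHost returns nil only for input that matches the allowlist.
func validateHost(host string) error {
	if host == "" || len(host) > 253 {
		return errors.New("host: empty or too long")
	}
	if !hostRe.MatchString(host) {
		return fmt.Errorf("host %q: rejected by allowlist", host)
	}
	return nil
}

// pingSafe validates first and then never touches a shell: the program and
// each argument are separate argv entries, so whatever the string contains
// reaches ping as one literal argument. A timeout bounds the call.
func pingSafe(ctx context.Context, host string) (string, error) {
	if err := validateHost(host); err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, "ping", "-c", "1", host).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed inputs: two legitimate hosts and three injection attempts.
	for _, h := range []string{"example.com", "8.8.8.8", "8.8.8.8; id", "$(id)", "-f"} {
		if err := validateHost(h); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", h)
	}
}
```

Validation and argv separation are independent defences: the allowlist stops option injection such as "-f", and the argv form makes shell metacharacters inert even if a future change loosens the regex.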
Scanning your SPA with DAST? You're Doing it Wrong
StackHawk
by April Conger and Eric Potter
1M ago
In the world of web development, single page applications (SPAs) have become the norm due to their dynamic and responsive nature. These entirely client-side GUI applications run in the browser and communicate with APIs to interact with data. But if they are client-side, why do we point our dynamic application security test (DAST) scanners at them? Aren’t the server-side APIs our real target? Learn why SPA scanning is fundamentally flawed, and how to dynamically test your APIs directly for fast, accurate results with thorough coverage of your real attack surface. The Evolution of Web App ..read more
Embracing the Future of Security with the Shift-Left Maturity Model
StackHawk
by Joni Klippert
1M ago
When it comes to building software, speed is king. Getting to market quickly is a top priority for most organizations, and rightly so. But too often, security is treated as an afterthought in the software development life cycle, a hurdle to jump over at the last minute. This approach is risky and creates a frustrating bottleneck for everyone involved in the development cycle. The good news is that there's a better way. By shifting security "left", integrating it into the early stages of development through shift-left testing and other means, we can build more secure products faste ..read more
Angular Command Injection: Examples and Prevention
StackHawk
by StackHawk
1M ago
If you look for the top web application frameworks on the internet, you'll find that most sources include Angular on their list. According to BuiltWith, there are over 1.5 million live websites using Angular, so it's no surprise that it is on attackers' radar. That makes taking care of your Angular application's security all the more important. A malicious actor can harm a web application by taking advantage of vulnerabilities, logical flaws, and similar weaknesses. Fixing vulnerabilities and logical flaws is within the application owner's control. So it sho ..read more
How We Built HawkAI to Protect Your Data
StackHawk
by Scott Gerlach
1M ago
We’re thrilled to offer customers the power of AI to maximize efficiency, and protecting customer data will always be our top priority. Our AI technology, HawkAI, conducts a non-intrusive analysis of your code repositories, ensuring your source code remains private and secure. HawkAI prioritizes data privacy by adhering to strict principles. No third-party sharing: no source code, sensitive data, or PII is shared with third parties. No LLM training: we don't use your data to train large language models. Code integrity: HawkAI does not send code contents to third parties. This ensures a powerful and secure ..read more
Spring Content Security Policy Guide: What It Is and How to Enable It
StackHawk
by StackHawk
1M ago
Content Security Policy (CSP) is a browser security standard that helps mitigate content injection attacks such as cross-site scripting (XSS) and clickjacking. You can use it to protect your Spring web applications by sending a specific HTTP response header. That header tells the browser which sources of scripts, styles, frames, and other content the page is allowed to load, so a script an attacker manages to inject through a URL parameter, form field, or other input is not executed. Cross-site scripting (XSS) is the most common type of content injection attack. It occurs when a website accepts user data without adequate validation, filte ..read more
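As an added example that is not from the post (which covers Spring), here is the same mechanism in Go, the example language used on this page: a handler that generates a per-response nonce, sends a Content-Security-Policy header that allows only same-origin resources and scripts carrying that nonce, and renders the page with html/template so injected markup is escaped before CSP even has to act. The directive set, the nonce length and the helper names are choices made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// newNonce returns 128 random bits, base64url-encoded (no '+', '/' or '='),
// so the value survives html/template's attribute escaping unchanged.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader builds the policy: same-origin resources only, scripts only when
// they carry this response's nonce, no plugins, no framing by other sites.
func cspHeader(nonce string) string {
	return strings.Join([]string{
		"default-src 'self'",
		"script-src 'self' 'nonce-" + nonce + "'",
		"object-src 'none'",
		"base-uri 'self'",
		"frame-ancestors 'none'",
	}, "; ")
}

// page is a constructed template; the one legitimate inline script is tagged
// with the nonce so the browser will run it and nothing else.
var page = template.Must(template.New("page").Parse(
	`<!doctype html><p>Hello, {{.Name}}</p>` +
		`<script nonce="{{.Nonce}}">console.log("trusted");</script>`))

// handler renders the greeting. html/template escapes .Name, so markup in the
// query string is shown as text; the CSP header is the second layer, blocking
// any script that reaches the page without the per-response nonce.
func handler(w http.ResponseWriter, r *http.Request) {
	nonce, err := newNonce()
	if err != nil {
		http.Error(w, "nonce generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Security-Policy", cspHeader(nonce))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_ = page.Execute(w, map[string]string{"Name": r.URL.Query().Get("name"), "Nonce": nonce})
}

// nonceFromCSP extracts the nonce value from a policy string ("" if absent).
func nonceFromCSP(csp string) string {
	const tag = "'nonce-"
	i := strings.Index(csp, tag)
	if i < 0 {
		return ""
	}
	rest := csp[i+len(tag):]
	j := strings.Index(rest, "'")
	if j < 0 {
		return ""
	}
	return rest[:j]
}

// render serves one request for the given name and returns the CSP header
// and the body, so the two layers can be inspected together.
func render(name string) (csp, body string) {
	req := httptest.NewRequest(http.MethodGet, "/?name="+url.QueryEscape(name), nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	// Constructed input: a classic XSS probe in the name parameter.
	csp, body := render("<script>alert(1)</script>")
	fmt.Println(csp)
	fmt.Println(body)
}
```

Because the nonce changes on every response, an attacker who can inject markup cannot predict it, and the browser refuses to run any script element that lacks it.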
Kotlin XSS Guide: Examples and Prevention
StackHawk
by StackHawk
2M ago
A Kotlin web application that is vulnerable to cross-site scripting (XSS) has weak points through which an attacker can inject JavaScript code. Such weak points exist in web applications that accept user input; online forums that let users post comments are a typical example. XSS is a common web application vulnerability that can lead to serious issues such as the exposure of sensitive user data stored in cookies. In this post, we'll take a look at some examples of Kotlin XSS attacks. In addition, we'll look at how to prevent XSS attack ..read more
Finding and Fixing BFLA Vulnerabilities in NodeJS With StackHawk
StackHawk
by StackHawk
2M ago
For developers building secure APIs, Broken Function Level Authorization (BFLA) is a vulnerability that demands careful attention. BFLA is in the OWASP API Security Top 10 and can pave the way to unauthorized access to, and manipulation of, functionality within your API, compromising the integrity of your system. It occurs when an application lacks adequate authorization checks on specific functions or features. This weakness lets attackers manipulate calls to endpoints they shouldn't have access to, potentially escalating to functions re ..read more
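Because this page's examples are in Go, the following added example (not the post's own Node.js code) reproduces the BFLA pattern with net/http: one handler checks only that the caller is authenticated, so a regular user reaches the admin-only DELETE branch simply by changing the HTTP method, and a hardened version looks up the role each function requires in an explicit table and fails closed for functions not in it. The token store, role names and route are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// principal is what a validated session resolves to.
type principal struct {
	Name string
	Role string // "user" or "admin"
}

// sessions is a constructed token store for the example; production code
// would verify a signed token instead of a map lookup.
var sessions = map[string]principal{
	"tok-alice": {Name: "alice", Role: "user"},
	"tok-bob":   {Name: "bob", Role: "admin"},
}

func authenticate(r *http.Request) (principal, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	p, ok := sessions[tok]
	return p, ok
}

// newVulnerableAPI gates only on authentication. The DELETE branch is meant
// for administrators, but nothing checks the caller's role, so any valid
// session can delete a user by switching from GET to DELETE.
func newVulnerableAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/users/", func(w http.ResponseWriter, r *http.Request) {
		if _, ok := authenticate(r); !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		switch r.Method {
		case http.MethodGet:
			fmt.Fprint(w, "user profile")
		case http.MethodDelete:
			fmt.Fprint(w, "user deleted") // privileged function, no role check
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	return mux
}

// requiredRole lists every function (method + route) with the minimum role
// it needs. A function missing from the table is denied, so a new endpoint
// fails closed until someone classifies it.
var requiredRole = map[string]string{
	"GET /api/users/":    "user",
	"DELETE /api/users/": "admin",
}

var roleRank = map[string]int{"user": 1, "admin": 2}

func allowed(p principal, function string) bool {
	need, known := requiredRole[function]
	return known && roleRank[p.Role] >= roleRank[need]
}

// newHardenedAPI inserts the function-level check between authentication
// and the business logic.
func newHardenedAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/users/", func(w http.ResponseWriter, r *http.Request) {
		p, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !allowed(p, r.Method+" /api/users/") {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		switch r.Method {
		case http.MethodGet:
			fmt.Fprint(w, "user profile")
		case http.MethodDelete:
			fmt.Fprint(w, "user deleted")
		}
	})
	return mux
}

// call sends one request with the given bearer token and returns the status.
func call(h http.Handler, method, token string) int {
	req := httptest.NewRequest(method, "/api/users/42", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, alice DELETE:", call(newVulnerableAPI(), http.MethodDelete, "tok-alice"))
	fmt.Println("hardened, alice DELETE:", call(newHardenedAPI(), http.MethodDelete, "tok-alice"))
	fmt.Println("hardened, bob DELETE:", call(newHardenedAPI(), http.MethodDelete, "tok-bob"))
}
```

The point of the table is that authorization is decided per function rather than per route: GET and DELETE share a URL but not a privilege level, and a DAST scanner finds this class of bug precisely by replaying a low-privilege session against every method on every route.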
