Architecting Security

Web Application Security Check List, version 2

Emin — Wed, 11 Jan 2012 12:40:28 +0000

OWASP-Turkey published in 2010 a check list for web application security which provides various security controls for web application developers and system administrators. It was planned to create the second version of the check list. I have been involved in the project and within the past 6 months we have worked on the new check [...]

Mahremiyet İhlalleri – 1 (Privacy Violations)

Emin — Mon, 14 Nov 2011 15:11:19 +0000

Kişişel bilgilerin mahremiyeti dünyada birçok yerde olduğu gibi ne yazıkki Türkiye’de de pek dikkat edilmeyen ve de kolayca zaafiyete uğratılan bir konudur. Toplum genelinde mahremiyet bilinci oluşmadığından devlet kurumları olsun özel kurumlar ya da kişiler olsun ellerinde var olan kişişel bilgilerin mahremiyetini gözardı edip erişimin herkese açık olduğu İnternet ortamında bu bilgileri paylaşabiliyorlar. Bunun en [...]

Book Review: Secure and Resilient Software Development

Emin — Sat, 30 Jul 2011 16:53:37 +0000

I have completed the review of the book “Secure and Resilient Software Development” for IACR (International Association for Cryptologic Research) book review program. The review can be summarized as follows: This book is a “must read” resource for security experts focusing on application security and for application designers and developers who need to integrate security [...]

Book Review: Architecting Secure Software Systems

Emin — Wed, 13 Apr 2011 16:13:10 +0000

I have recently completed the review of the book “Architecting Secure Software Systems” for IACR (International Association for Cryptologic Research) book review program. The review can be summarized as follows: This book focuses on both theoretical and practical aspects of designing secure software systems. While its theory part is quite well-written, its practical part is [...]

Secure Coding Guidelines for Java

Emin — Mon, 14 Mar 2011 19:14:29 +0000

I have published an (Turkish) article about secure coding guidelines for Java within OWASP-Turkey Documents. The article aims at helping IT-architects and developers to understand the main security aspects during design and development phases. The guideline contains generic countermeasures (e.g. Do not write repeated codes) as well as Java-specific countermeasures (e.g. How to use doPrivileged() [...]

Secure Software Development with SAMM

Emin — Thu, 03 Feb 2011 13:07:36 +0000

SAMM (Software Assurance Maturity Model) is an OWASP project and provides well-structured strategy and guidelines for integration of security within software development processes. In the 7th issue of Web Security Magazine managed by OWASP-Turkey, I have written an introduction article to SAMM. In this article, I focused mainly on the following topics: What is SAMM [...]

Feedbacks from Application Pentest

Emin — Tue, 07 Dec 2010 16:02:08 +0000

I have recently completed penetration testing of a SAP portal application for a customer. It was a short-time (5 days) assignment which required execution of tool-supported automatic pentest (with IBM Appscan), manual pentest and preparation of final presentation that explains findings and countermeasures. In such short time pentests, it is very important that test plan [...]

Password Patterns

Emin — Fri, 10 Sep 2010 23:01:21 +0000

In December 2009, a critical data breach in the Internet has been experienced. Around 32 million user passwords of rockyou.com web portal were stolen by a hacker which had used SQL injection for his attack. He got all passwords and made them anonymously (i.e. without usernames) available in the Internet to download. Security experts started [...]

Encryption with Enterprise Security API (ESAPI)

Emin — Thu, 12 Aug 2010 22:30:06 +0000

OWASP Enterprise Security API (ESAPI) provides a security control library for helping programmers to integrate security into their applications. It is not a new framework, but it provides a common interface and reference implementations that can be benefited from other frameworks. Security is a complex issue. The “weakest chain” is a well-known problem. If you [...]

My Comments for Security Reportage

Emin — Mon, 05 Jul 2010 00:11:08 +0000

There is a series of security reportages organized by Turkish network security community and published within their security bulletins. For the 25th issue, I have given my comments for the following questions in the reportage: Can you introduce yourself? How did you start working on security? How do you see information security in Turkey? What [...]