Episodes
Published 01/19/23
Chrome has announced a few changes that we need to watch out for in the near future. We previously talked about the default value for SameSite that is coming up fast. I wrote about this here: https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/ Also, they are getting ready to start blocking mixed content downloads: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
Published 02/09/20
It was recently announced that Chrome was dropping the XSS Auditor in Chrome 78. What does that mean and how does that change things for you as a developer? https://www.chromium.org/developers/design-documents/xss-auditor For more info go to https://www.developsec.com or follow us on twitter (@developsec).
Published 11/15/19
In 2020, Chrome will default the SameSite attribute to Lax on all cookies. SameSite helps mitigate CSRF, but does that mean CSRF is dead?
Published 11/06/19
In this episode, James talks about investing in the development teams to increase application security priorities.
Published 10/29/19
In this episode, James talks about some of the risks and recommendations around security questions and their implementation.
Published 05/28/19
Does your application give away details about its server, framework, or other components? How is this information used by an attacker? Check out this episode to learn more.
Published 01/22/19
Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them.
Published 01/14/19
James discusses how implementation matters with security controls and how it changes priorities. This came about after reading the following story: https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug
Published 01/07/19
I talk about some of what happened in 2018 and what I am looking to do in 2019. I also ask you to think about your previous year and goals. I also talk about some new training I am providing.
Published 01/02/19
In this episode James talks about the Dunkin Donuts Perks breach. This is an interesting situation, as the accounts were accessed using the victim's username and password found from another data breach. The issue: password reuse. Could D&D have prevented this? Listen in to hear my thoughts. Please feel free to share your thoughts as well.
Published 12/12/18
In this episode James talks about what credential stuffing is, how it affects your apps, and how you can look to defend against it. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Join the conversations: join our slack channel. Email [email protected] for an invitation. DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.
Published 11/09/18
James talks about the Facebook breach and shares some insights into how you can take steps to prevent this type of incident in your applications.
Published 10/04/18
I sit down with Eric Johnson to talk about security in the IDE and other fun topics. A bit longer than usual, but full of great information. You can reach out to Eric on twitter @emjohn20 or check out his site at https://www.pumascan.com.
Published 09/20/18
James sits down with Julien Vehent to discuss his new book "Securing DevOps" and talk about security in a DevOps world. Julien (@jvehent) is a security architect and engineering manager with over 15 years of experience in large organizations and web companies. He is currently responsible for the operational security of Firefox's backend infrastructure at Mozilla, and is the author of Securing DevOps.
Published 08/30/18
The headlines are filled with credential breaches. One way to avoid being in those headlines is to not store credentials at all. Instead, use a third party to authenticate your users. While this cuts a lot of work out of your development time, it is important to understand the pros and cons of each method. James talks through some of these risks to help you better understand which method might be right for you.
Published 08/16/18
In this episode James introduces us to the idea of web security policies stored in a security.txt file. We have talked about vulnerability disclosure before and this ties directly into that conversation.
Published 06/26/18
In this episode, James shares a story of learning from a mistake and how we can't be right every time. Hear what he learned and how you can learn too.
Published 06/18/18
In this episode we talk about choosing the right security tools for your environment. There are lots of vendors offering solutions to help identify security issues within our applications. The trick is to learn to identify which ones make the most sense for your environment.
Published 06/07/18
In this episode, James talks about what it means to shift left in the SDLC. 
Published 05/30/18
In this episode we talk about efail and the HYPE around security news.
Published 05/15/18
In this episode, James shares his thoughts on an interesting potential scam that was brought up regarding Gmail and Netflix. A lot of the discussion is on a unique Gmail feature most haven't heard of. James breaks this down in this episode. The original story was shared at https://www.theregister.co.uk/2018/04/10/gmail_netflix_phishing_vector/
Published 04/23/18