As some of you may know, I've spent the last two years pursuing a master's degree at DePaul University. As I near the end of my program, I decided to challenge myself by taking a class in an area I have limited hands-on exposure to: Software Security Assessment. Sure, I've read about XSS, SQL injection, session hijacking and cookie theft, but I've never actually sat down to get a complete hands-on understanding of how these exploits work. Perhaps I was a bit apprehensive of this area because it requires programming skills that I lack. Using my limited knowledge of Python as encouragement, I decided to take this challenge head on!

The class I'm taking focuses on how to approach a software security assessment and perform the common and not-so-common assessments, including:

* Spidering the application, which crawls every reachable page and records the links, forms and parameters it finds, so the assessor has a map of the application's inputs and outputs before any testing begins.
* Assessing client-side vulnerabilities (XSS, session hijacking, cookie theft, XML/SOAP injection, rogue file upload that can execute code).
* Assessing server-side vulnerabilities (SQL injection, LDAP injection, directory traversal, application authorization).

I've learned how to use proxy tools such as Burp Suite, which let an assessor view all the requests, responses and parameters that pass between the user and the application. I've performed my first manual spidering to assess all the inputs and outputs of an application, and will soon be performing a full security assessment of an application from SourceForge.

iPad 2 & Mobile Security with Mobile Iron
03/03/2011
Apple introduced the iPad 2 yesterday during a product launch at their Cupertino, CA headquarters. The device appears to be significantly improved in many ways: faster processor, more RAM, slimmer, sleeker, and at the same starting price of $499. Apple stated that they are poised to make a deeper push into corporate America. As mobile devices continue to penetrate deeper into corporate networks, security professionals such as myself are faced with the challenge of securing such devices. What do you do when a user comes to you and asks, "Can I use my iPad on your network?" You are faced with a security decision:

* What type of policy does your company have for such requests?
* What risks would the company face by allowing the user to connect a non-company-provisioned device to your network?
* If you were to not allow the user to use the device, what measures do you have in place to actually enforce your decision?
* If you were to allow the user to access the network, do you have software that they must install so you can monitor their device?

These are just a few of the questions that security professionals must consider when faced with such a decision. Companies such as Mobile Iron offer solutions that allow corporations to secure non-company-provisioned devices.

First Post!
03/01/2011
Start blogging by creating a new post. You can edit or delete me by clicking under the comments. You can also customize your sidebar by dragging in elements from the top bar.
Author: Nikita Reva