Posted on Leave a comment

Broken Access Control tops the OWASP Top 10

The Open Web Applications Security Project releases their top 10 vulnerabilities every 3 or 4 years. It contains the most common types of problems developments have inadvertently delivered in their web applications.

The next reiteration which is currently in draft contains Broken Access Control (BAC) as the number 1 issue web applications are susceptible to.

After analysing over 500,000 application data logs provided by OWASP supporters and friends of the project, the top 10 was decided using this data for 8 of the top 10 and 2 were from a survey proved to the industry.

What is Broken Access Control?

Broken Access Control is the method of modifying something that the app accepts by either impersonating someone or something someone else had.

For example, a user of the application may be the holder of a cookie or JWT (JSON Web Token) and the malicious actor gets hold of it, changes it to make a request and the application unwittingly fulfils it.

Another way is when the application has used bad practice and hidden fields instead of securely disabling them for a particular action and the malicious actor in this instance has the ability to take advantage of the applications features by modifying either the HTML, CSS or JavaScript using something as trivial as the console in the browser.

Posted on

Reclaim those Agent licenses to repurpose or lower your Zendesk bill

Thank you Zendesk. That’s why we love you.

Starting today, Zendesk have started to roll out the new Agent management page. And it looks great and is perfect for managing those stray licenses that aren’t being used.

View all your agents and their role in one place

You can even sort the Agents by last sign in date. Awesome!

Click the Filter button and you can easily start managing your massive directory of Agents by date, product or role.
How smart! Find Agents who have not even logged in! Sweet!

Not sure if this Team Members page is available for all. But we have already seen it in our Developer environment and client instances.

Well done Zendesk. Keep improving!