#OWASP
OWASP's LLM AI Security & Governance Checklist: 13 action items for your team

Artificial intelligence is developing at a dizzying pace. And if it's dizzying for people in the field, it's even more so for those outside it, especially security professionals trying to weigh the risks the technology poses to their organizations. That's why the Open Web Application Security Project (OWASP) has introduced a new cybersecurity and governance checklist for those security pros who are striving to protect against the risks of hasty or insecure AI implementations. https://jpmellojr.blogspot.com/2024/04/owasps-llm-ai-security-governance.html
#Checklist#OWASP#LLM#Security#Privacy#ThreatModeling#AIAssets#RiskManagement#Compliance#ModelCards#RAG#RedTeaming#Challenges#Prioritization
An Overview of Burp Suite: Acquisition, Features, Utilisation, Community Engagement, and Alternatives.
Introduction:
Burp Suite is one of the strongest web application security testing software tools used by cybersecurity experts, as well as ethical hackers. PortSwigger created Burp Suite, which provides potent scanning, crawling, and exploiting tools for web application vulnerabilities.
What is Burp Suite?
Burp Suite is one of the tools to conduct security testing of web applications. It assists security testers in detecting vulnerabilities and weaknesses like SQL injections, XSS, CSRF, etc.
Steps in Obtaining Burp Suite
Burp Suite is available for download on the PortSwigger official website. It is available in three versions:
Community Edition (Free)
Professional Edition (Subscription-Based)
Enterprise Edition (For Organisations)
Important Tools in Burp Suite
Proxy – Captures browser traffic
Spider – Crawls web application content
Scanner – Scans automatically for vulnerabilities (Pro only)
Intruder – Performs automated, customised attack activities
Repeater – Manually sends and re-sends individual requests
Decoder – Translates encoded data
Comparer – Compares HTTP requests/responses
Extender – Allows extensions through the BApp Store
How to Use Burp Suite
Set your browser to use Burp Proxy.
Capture and manipulate HTTP/S requests.
Utilise tools such as Repeater and Intruder for testing.
Scan server responses for risks.
Export reports for audit purposes.
Burp Suite Community
Burp Suite has a highly engaged worldwide user base of security experts. PortSwigger Forum and GitHub repositories have discussions, plugins, and tutorials. Many experts are contributing through YouTube, blogs, and courses.
Alternatives to Burp Suite
If you're searching for alternatives, then look at:
OWASP ZAP (Open Source)
Acunetix
Netsparker
Nikto
Wfuzz
Conclusion:
Burp Suite is widely used for web application security testing. Mastery of Burp Suite is one step towards web application security for both novice and professional ethical hackers.

#BurpSuite#CyberSecurity#EthicalHacking#PenTesting#BugBounty#InfoSec#WebSecurity#SecurityTools#AppSec#OWASP#HackingTools#TechTools#WhiteHatHacker#CyberTools#BurpSuiteCommunity#NetworkSecurity#PortSwigger#WebAppTesting#SecurityScanner#CyberAwareness
Top API Security Challenges in 2025 and How to Overcome Them
Explore the leading API security threats of 2025 and discover best practices to safeguard your applications against evolving cyber risks.
How to use OWASP Security Knowledge Framework | CyberSecurityTV
Unlock the secrets of cybersecurity with our latest video on using the OWASP Security Knowledge Framework! Join CyberSecurityTV as we dive deep into practical tips and techniques to enhance your security game. From threat modeling to secure coding practices, this video has it all! Don't miss out on this valuable resource for strengthening your defenses against cyber threats. Watch now and level up your cybersecurity expertise!
#OWASP#Cybersecurity#SecurityKnowledgeFramework#InfoSec#SecureCoding#ThreatModeling#OnlineSecurity#ITSecurity#CyberAware#HackProof#Youtube
ZAP Active Scan | CyberSecurityTV
ZAP is an open-source proxy tool for penetration testing. One of its most useful features is the active scan in OWASP ZAP. It is very important to know how to configure form-based authentication so that all the relevant pages are scanned.
#ZAPActiveScan#OWASP#ApplicationSecurity#CyberSecurity#VulnerabilityScanning#WebApplicationScanning#PenetrationTesting#NetworkSecurity#SecureSoftware#WebSecurity#SecureDevelopment#Youtube
Best Practices for Writing Secure Codes for Mobile Apps

Writing secure code is vital for an app developer. There have been numerous cases of apps that were hacked and leaked users' private information. An app developer needs to be aware of the possible threats in the cyber world and write code that meets the mark to ensure security. Only with complete knowledge of the potential dangers can precautions be taken to reduce those risks. While you are developing an app or software, mobile app security and the security of the user's device should be the priority.
The best practices for writing secure code for mobile app security:
HTTPS (Hypertext Transfer Protocol Secure)
Hypertext Transfer Protocol Secure is the standard secure method for transporting data between a web browser and a website. HTTPS is the safer version of HTTP: it is HTTP layered over the TLS (formerly SSL) protocol. HTTPS makes sure that the communication is encrypted, so that a network observer cannot read the content of what you send or search for.
HTTPS-encrypted traffic defeats network sniffing attacks by hiding the meaning of the web traffic from everyone on the path. The attacker still sees the traffic, but it appears as a stream of random-looking bytes instead of readable HTML, links, cookies, passwords, or XML or JSON bodies. Mobile app developers must use HTTPS for every connection and abstain from using HTTP links.
Different Channels of Communication
Mobile app developers should not rely on a single channel of communication for security-sensitive data. With only one channel, it is easier for an attacker who compromises it to perform malicious activity. It is therefore best to use separate communication channels for sharing private information such as passwords, OTPs or PINs; for example, OTPs or PINs can be delivered via GCM, SMS or APNS.
Validation of SSL Certificates
An SSL certificate is what allows a website to serve HTTPS. Purchase an SSL certificate from a trusted certificate authority, and make sure the app validates the server's certificate rather than accepting any certificate presented to it. SSL certificates are a verification of your authenticity on the web; nowadays it is easy to fake an identity and pretend to be someone you are not.
 List of Secure Coding Practices by OWASP
Memory Management
Input Validation
File Management
Output Encoding
Database Security
General Coding Practices
Error Handling & Logging
Data Protection
Communication Security
Authentication
Password Management
Verify Data
Checking the integrity of files and data transported between the mobile app and the server is essential to the mobile app's security. Applying hash functions can enhance security: compute a hash of the data and deliver that hash over a different communication channel from the data itself, so the receiver can verify that nothing was altered in transit.
Writing Code
Adopting best practices for writing secure code is necessary for secure mobile app development. By prioritizing security while developing a mobile app, you can tackle potential cyber risks and ensure that user data is safe.
Let's check for vulnerabilities with OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is a tool used for testing the security of web applications. It can be used to check for the various security vulnerabilities that may occur in web applications. If you want to test the security of your web application with OWASP Zap, here are the steps you can follow. Download OWASP Zap from the OWASP website at https://www.zaproxy.org/download/ Start using OWASP Zap…
#Security vulnerabilities#Vulnerability scanning#OWASP#OWASP TOP 10#va#Vulnerability Assessment#Zed Attack Proxy
OWASP ZAP: Your Invisible Shield against Web Threats
Imagine your website as a medieval castle. Hackers are the invaders looking for any breach to get at your valuable data. OWASP ZAP (Zed Attack Proxy) is like an army of virtual guards, watching every corner of your digital castle and detecting any threat before it causes damage. In this article, we will unravel the mysteries of this powerful tool and…
Chat Playground project lets security teams toy with gen AI

Explore OWASP's Chat Playground, an interactive tool to test AI security, experiment with LLMs, and understand prompt injection attacks. https://jpmellojr.blogspot.com/2025/06/chat-playground-project-lets-security.html #OWASP #ChatPlayground #AISecurity
OWASP Top 10 - part 1
Today I decided to do the OWASP Top 10 package that is in Tracks on Hack The Box. To start, I chose a machine based on difficulty, so the easiest seemed to be Sanitize.
1- Sanitize
When you turn it on it will instantiate the machine, and when you access the IP you will see a login screen:
Since we don't know the user or anything, I usually put in anything just to see what happens; in this case I entered admin, admin, and it returned an SQL string:
With that it became fairly obvious that it is an SQL injection.
When testing the most standard payload possible we got an error:
OK, I went to research a bit about sqlite3, and when testing the payload: ' or 1=1/* it worked:
2- baby BoneChewerCon
This one was kind of, kind of, nothing to say lol. Well, when you start the instance you will receive an IP and port, and when you access it, we get the following page:
When typing anything and clicking "register me", we get an error:
And scrolling down the page we have the flag:
It is important to read to the end.
3- Full Stack Conf
When accessing the IP and port, it's funny that the name is xss:
And we have the page:
Scrolling the page to the end we have:
As it says, pop up an alert to get the flag, so when putting in the payload: <script>alert("qualquercoisa")</script>
we have the flag:
LinkedIn: Luana
htb: moominLua

Web Application Penetration Testing, API Application Security Testing | BlackLock
Looking to get Web Application Penetration Testing services in NZ? BlackLock offers API application penetration testing services. Contact us now!
#Web application penetration testing#Cybersecurity New Zealand#Vulnerability assessment services#Penetration testing providers#OWASP compliance testing