Isaac Dawson

Isaac Dawson is a Senior Security Researcher at Veracode, where he researches attacks and methods for creating a next-generation application security scanner. This cutting-edge research has led to advancements in the ability of Veracode’s automated web scanner to identify and exploit security issues. He has developed numerous internal systems containing thousands of variations of web vulnerabilities, used to ensure the greatest possible scanner coverage.
Posts by Isaac Dawson

Security Headers on the Top 1,000,000 Websites: November 2015 Report

November 3, 2015 | Research

It has been over a year since the last analysis on security headers was run. The current state of security header usage will be presented along with a differential analysis of the previous run from October 2014. While no architectural changes to the scanner were made this time, this will be the last run done with this code base. A new scanner is currently under development to gain more...

AngularJS Expression Security Internals

June 25, 2015 | Research

Introduction: As part of my research duties I tasked myself with becoming more familiar with the newer MVC frameworks; the most interesting one was AngularJS. I wanted to share with everyone my process for analyzing the expression functionality built into AngularJS, as I feel it's a pretty interesting and unique code base. AngularJS exposes an expression language that exposes a limited set of...

Security Headers on the Top 1,000,000 Websites: October 2014 Report

October 22, 2014

The October 2014 edition of this report adds back the much-needed analysis of changes, additions and removals of security headers. These are important metrics, as they allow us to gain insight into how web site operators are reacting to changes in their web resources. Now that we have a previous report to compare against, we can once again generate these statistics and do a full analysis. As...

Security Headers on the Top 1,000,000 Websites: March 2014 Report

March 14, 2014 | Research

The March 2014 report is going to be a bit different than those in the past. This is primarily due to architectural changes that were made to get more precise data in less time. Additionally, a lot of work has been done to automate generation of these reports so they can be released more often. Our scan was run on March 5th 2014 using the latest input from the Alexa Top 1 Million....

Guidelines for Setting Security Headers

March 12, 2014 | Research

As part of our Alexa Top 1 Million Security Headers post series (Nov 2012, Mar 2013, Nov 2013), it is not uncommon to have to go back and re-read specifications to determine which header values are valid. While there are numerous sites that detail the various headers and what they do, there isn't a central place that gives developers the information necessary to identify common mis-...

Golang's Context Aware HTML Templates

December 6, 2013

Golang is a new open source programming language that is growing in popularity. Since I am getting bored of Python, I decided to begin studying it. While I'm really enjoying it as a language, I was completely caught off guard when I started reading about Golang's built-in HTML templating package. I noticed in their documentation they are doing context-based encoding. Not only that, it is all done...

Security Headers on the Top 1,000,000 Websites: November 2013 Report

November 26, 2013

It has been almost exactly a year since we conducted the first top 1 million security headers report, so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS. Out of the 2,589,918 responses we had over 100,000 distinct...

Security Headers on the Top 1,000,000 Websites: March 2013 Report

March 26, 2013

Back in November 2012 I did Veracode’s initial release of a security headers report on the top 1 million websites from the Alexa list. My goal was to turn it into a series so it would be possible to track how these sites change over time with regard to security headers that are added, removed or changed. For this recent scan, only a single change was made to the original scripts. The tool now...

Security Headers on the Top 1,000,000 Websites

November 6, 2012

I would like to share with you all the results of my scan and review of the Alexa Top 1,000,000 Sites HTTP response headers as they relate to security. I was mostly curious about which sites were using Content Security Policy (CSP) but ended up becoming more interested in all of the various modern day security headers that sites specify. The results were pretty impressive and I certainly learned...

Broken Logic: Avoiding the Test Site Fallacy

May 29, 2012

Web security scanners are one tool in the arsenal of any organization that takes security seriously. The ability of automation to rapidly test and verify that an application meets a reasonable standard of security is a key advantage. While manual testing can never be completely removed from the process, automated tools are critical in reducing the amount of time spent on repetitive tasks. In some...
