Latest Posts

From the Web
The Importance of Good Metrics
July 10, 2009 from: Mozilla Security Blog
Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities.
Comments (1)

From the Web
The Best of Application Security 2009 (Mid-Year)
July 09, 2009 from: Jeremiah Grossman's Blog
Every year the application security industry receives a number of phenomenal research papers and other great contributions. Even for those dedicated to appsec as their primary job function it is challenging to stay up-to-date, which means resources to help track them become extremely valuable. As such Ivan Ristic and I have been working on the "The Bes...
Comments (1)

From the Web
The Most (Potentially) Lucrative Vulnerabilities
July 09, 2009 from: Jeremiah Grossman's Blog
I think few vulnerability researchers look for them, are unlikely to understand their potential value if found, and probably wouldn’t disclose them anyway. The vast majority of researchers focus on memory corruption issues, browser cross-domain leakage, custom Web application attacks, or flaws in online business logic processes
Comments (1)
Google to Build Malware Resistant OS
July 09, 2009 Added by: Infosec Island Admin
According to Google's official Blog, Google plans to extend their Google Chrome browser (considered by most security professionals to be the most insecure browser out there) into a lightweight operating system designed to primarily interact with web-enabled technologies.
Comments (2)

From the Web
Why vulnerable code should be fixed even after WAF mitigation
July 08, 2009 from: Jeremiah Grossman's Blog
Websites have vulnerabilities, vulnerabilities that are found by vulnerability assessment solutions, which are then communicated to Web Application Firewalls (WAF) for virtual patch mitigation. Given the extremely heightened activity of our adversaries, compliance requirements, volume of existing vulnerabilities, and money/time/human resource constraints this approach is becoming more common every...
Comments (1)
CWE Top 25 Part 2 of 2
July 08, 2009
This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 2 of 2, covering the second 8 errors.
Comments (4)
CWE TOP 25 Part 1 of 2
July 08, 2009
This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 1 of 2, covering the first 9 errors on the list.
Comments (1)
Federal Web sites knocked out by cyber attack
July 08, 2009 Added by: Infosec Island Admin
According to an article by the Associated Press, and subsequently the Washington Post, several Government agencies in the US and South Korea were under attack by roughly 60,000 infected PCs across the globe.
Comments (0)
Predictable Social Security Numbers
July 07, 2009 Added by: Infosec Island Admin
According to a story published by the Washington Post today, researchers at Carnegie Mellon University have found that your social security number could be determined just by knowing when and in what zip code you were born.
Comments (0)

From the Web
Cross Frame Scripting: Not Necessarily a Web Application Vulnerability
July 06, 2009 from: Writing Secure Software
Cross Frame Scripting (XFS) is a vulnerability that affects web applications that use frames in their web pages. Frames allow web pages to present the web content framed in different sections of the browser window...
Comments (1)

From the Web
Security Threat Statistics Resources
July 06, 2009 from: Writing Secure Software
Some good links to Threat Statistics.
Comments (1)

From the Web
Identity Theft and Phishing and How Affects Financial Institutions
July 06, 2009 from: Writing Secure Software
In the USA, online fraud has overtaken viruses as the greatest source of financial loss. Among on-line fraud threats, phishing represents a major threat for financial institutions and according to the Anti-Phishing group organization, 93.8% of all phishing attacks in 2007 are targeting financial institutions.
Comments (1)

From the Web
Business Cases For Software Security Initiatives
July 06, 2009 from: Writing Secure Software
Building software security into the organization’s software engineering and information security practices is best accomplished by following software security maturity models (e.g. BSIMM or SAMM) as well as by adopting frameworks to build security in the SDLC. Software security frameworks integrate software security activities in the SDLC along with other organization information security pr...
Comments (1)

From the Web
The Evolution Of Common Criteria
July 03, 2009 from: The Oracle Global Product Security Blog
Hi, my name is Adam O’Brien. I help guide Oracle products through Common Criteria evaluations. Common Criteria is a worldwide, government-backed scheme for testing the security of a product or system. Essentially, you state what security functions your product should be able to perform, then an independent lab evaluates if the product implements these functions reliably and robustly.
Comments (1)

From the Web
April 2009 Critical Patch Update Released
July 03, 2009 from: The Oracle Global Product Security Blog
Are you running Oracle? Then you need to see this latest set of Critical Patches that could affect the security of your Oracle-backed applications
Comments (1)

From the Web
SANS Top 25 Most Dangerous Coding Errors
July 03, 2009 from: The Oracle Global Product Security Blog
Bruce Lowenthal, Director of the Oracle Security Alerts Group, discusses the SANS Top 25 Most Dangerous Programming Errors
Comments (1)

From the Web
Training development staff in secure coding practices pays huge dividends
July 03, 2009 from: The Oracle Global Product Security Blog
I am often asked what it takes to write secure code. In my experience, developers generally cannot prevent introducing security flaws in their code if they don’t know what to watch out for. It is also my experience that people generally, and developers in particular, want to do the right thing - but they need to know what the right thing is.
Comments (1)

From the Web
Cross-Site Request Forgery – A Significant Threat to Web Applications
July 03, 2009 from: The Oracle Global Product Security Blog
Hi, this is Shaomin Wang. I am a security analyst in Oracle’s Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Cross-Site Request Forgery.
Comments (1)

From the Web
Mysql security risk?
July 03, 2009 from: hackyourself.net
Michael McLaughlin discusses why using 'IDENTIFIED BY password' in MySQL is the new default behavior and why you should leave it that way.
Comments (1)

From the Web
Mozilla’s Content Security Policy
July 01, 2009 from: Rsnake's blog at ha.ckers.org
Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous.