Web App Security
CWE Top 25 Part 2 of 2
July 08, 2009
This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 2 of 2, covering the second 8 errors.
CWE Top 25 Part 1 of 2
July 08, 2009
This is a PowerPoint presentation given to the Raleigh ISSA Chapter earlier this spring. The NC OWASP chapter was invited to give this presentation. This is part 1 of 2, covering the first 9 errors on the list.
Federal Web sites knocked out by cyber attack
July 08, 2009 Added by:Michael Menefee
According to an article by the Associated Press, and subsequently the Washington Post, several government agencies in the US and South Korea were under attack by roughly 60,000 infected PCs across the globe.
From the Web
Cross Frame Scripting: Not Necessarily a Web Application Vulnerability
July 06, 2009 from: Writing Secure Software
Cross Frame Scripting (XFS) is a vulnerability that affects web applications that use frames in their web pages. Frames allow web pages to present the web content framed in different sections of the browser window...
From the Web
Security Threat Statistics Resources
July 06, 2009 from: Writing Secure Software
Some good links to Threat Statistics.
From the Web
Business Cases For Software Security Initiatives
July 06, 2009 from: Writing Secure Software
Building software security into the organization’s software engineering and information security practices is best accomplished by following software security maturity models (e.g. BSIMM or SAMM) as well as by adopting frameworks to build security in the SDLC. Software security frameworks integrate software security activities in the SDLC along with other organization information security pr...
From the Web
Training development staff in secure coding practices pays huge dividends
July 03, 2009 from: The Oracle Global Product Security Blog
I am often asked what it takes to write secure code. In my experience, developers generally cannot prevent introducing security flaws in their code if they don’t know what to watch out for. It is also my experience that people generally, and developers in particular, want to do the right thing - but they need to know what the right thing is.
From the Web
SANS Top 25 Most Dangerous Coding Errors
July 03, 2009 from: The Oracle Global Product Security Blog
Bruce Lowenthal, Director of the Oracle Security Alerts Group, discusses the SANS Top 25 Most Dangerous Programming Errors
From the Web
Cross-Site Request Forgery – A Significant Threat to Web Applications
July 03, 2009 from: The Oracle Global Product Security Blog
Hi, this is Shaomin Wang. I am a security analyst in Oracle’s Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Cross-Site Request Forgery.
From the Web
Mozilla’s Content Security Policy
July 01, 2009 from: Rsnake's blog at ha.ckers.org
Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous.
Securing Apache
June 26, 2009
This is chapter 2 of Ivan Ristic's book "Apache Security". This chapter covers installation and configuration options often overlooked by admins, resulting in an insecure web server deployment.
From the Web
SQL Injection, eye of the storm
June 23, 2009 from: Jeremiah Grossman's Blog
In 2008 SQL Injection became the leading method of malware distribution, infecting millions of Web pages and foisting browser-based exploits upon unsuspecting visitors. The ramifications to online businesses include data loss, PCI fines, d...
From the Web
Clickjacking 2017
June 23, 2009 from: Jeremiah Grossman's Blog
The future: Long standing Web application security scourges such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) are finally under control. Remaining buffer overflow issues are considered fossilized evidence of a prior era. Cyber criminals out of necessity have evolved their attack portfolios to include Cli...
From the Web
Real-World website vulnerability disclosure & patch timeline
June 23, 2009 from: Jeremiah Grossman's Blog
Protecting large trafficked and high valued websites can be an interesting InfoSec job to say the least. One thing you quickly learn is that you are under constant attack by essentially everyone with every technique they got and all the time.
From the Web
8 reasons why website vulnerabilities are not fixed
June 23, 2009 from: Jeremiah Grossman's Blog
A list from Jeremiah Grossman of the reasons why so many web application vulnerabilities never get fixed...
From the Web
Legalize It (Hacking GOV and MIL website)
June 23, 2009 from: Jeremiah Grossman's Blog
I’d wager fewer than ten percent of United States .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities. The reasons why are probably the same as in the private sector. Those responsible don’t know or don’t want to know that problems exist.