- OWASP Top Ten 2010 and The Principles of Secure Development
- Major IE8 flaw makes 'safe' sites unsafe & NoScript author's response
- DNS Rebinding for Scraping and Spamming
- Reversing JavaScript Shellcode: A Step By Step How-To
- Brute-Forcing Compatibility
- Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
- OWASP Board - Election Results
- Announcing ModSecurity Handbook
- ESAPI Web Application Firewall released!
- OWASP Top Ten and ESAPI & Part 2
Friday, November 20, 2009
Best of Application Security (Friday, Nov. 20)
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
Friday, November 13, 2009
Best of Application Security (Friday, Nov. 13)
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
- OWASP Top 10 (2010 release candidate 1)
- Flash Origin Policy Issues and FAQ
- Microsoft to release security guidelines for Agile
- WhiteHat Security 8th Website Security Statistics Report
- Securely deploying cross-domain policy files
- Vulnerability assessment integration with web application firewalls
- ModSecurity Core Rule Set (CRS) <-> PHPIDS Smoketest
- Website Vulnerability Assessment Q4 2009 (EMA Radar Report™ Summary)
- Facebook groups hacked through design flaw
- Microsoft Tries To Censor Bing Vulnerability
OWASP Top 10 (2010 release candidate 1)
The newest version of the OWASP Top 10, the Top 10 Most Critical Web Application Security Risks, has been made available as a release candidate! This project is extraordinarily meaningful to the application security industry as it exercises influence over PCI-DSS, global policy, developer awareness, and product direction. Notable changes were made from the 2007 version to assist organizations in visualizing, understanding, and solving these issues. Now is the time for the application security community to send in their feedback to make the list the best we possibly can by the end of the year when it will be ratified.
Download: presentation (ppt) and the complete document (pdf)
"Welcome to the OWASP Top 10 2010! This significant update presents a more concise, risk focused list of the Top 10 Most Critical Web Application Security Risks. The OWASP Top 10 has always been about risk, but this update makes this much more clear than previous editions, and provides additional information on how to assess these risks for your applications.
For each top 10 item, this release discusses the general likelihood and consequence factors that are used to categorize the typical severity of the risk, and then presents guidance on how to verify whether you have this problem, how to avoid this problem, some example flaws in that area, and pointers to links with more information.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic methods to protect against these high risk problem areas – a great start to your secure coding security program."
Friday, November 06, 2009
Best of Application Security (Friday, Nov. 6)
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
- Another fine method to exploit SQL Injection and bypass WAF
- Security and Facebook Platform
- When Is More Important Than Where in Web Application Security
- Apple - XSS Attack
- Cross-subdomain Cookie Attacks
- PILOT: Production in lieu of testing (AgoraCart FAIL)
- Facebook and MySpace security: backdoor wide open, millions of accounts exploitable
- SSL and TLS Authentication Gap vulnerability discovered
- Using Blended Browser Threats involving Chrome to steal files on your computer
- LinkedIN With 'Bill Gates'
Friday, October 30, 2009
Best of Application Security (Friday, Oct. 30)
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
- Detecting Malice eBook
- Black Box vs White Box. You are doing it wrong.
- The Barack Obama Donations Site was Hacked…err, no it wasn’t.
- New Q3'09 malware data, and the Dasient Infection Library
- Infrastructure fingerprinting via XSS
- DNS Rebinding in Firefox
- Output Validation using the OWASP ESAPI
- Google Wave as a Tool for Hacking
- Announcing the release of the Enhanced Mitigation Evaluation Toolkit
- Asset Valuation (couldn't settle on just one):
Wednesday, October 28, 2009
Black Box vs White Box. You are doing it wrong.
A longstanding debate in Web application security, heck all of application security, is which software testing methodology is the best -- that is -- the best at finding the most vulnerabilities. Is it black box (aka: vulnerability assessment, dynamic testing, run-time analysis) or white box (aka: source code review, static analysis)? Some advocate that a combination of the two will yield the most comprehensive results. Indeed, they could be right. Closely tied into the discussion is the resource (time, money, skill) investment required, because getting the most security bang for the buck is obviously very important.
In my opinion, choosing between application security testing methodologies based upon a vulnerabilities-per-dollar metric is a mistake. They are not substitutes for each other, especially in website security. The reasons for choosing one particular testing methodology over the other are very different. Black and white box testing measure very different things. Identifying vulnerabilities should be considered a byproduct of the exercise, not the goal. When testing is properly conducted, the lack or reduction of discovered vulnerabilities demonstrates improvement of the organization, not the diminished value of the prescribed testing process.
If you reached zero vulnerabilities (unlikely), would it be a good idea to stop testing? Of course not.
Black box vulnerability assessments measure the hackability of a website given an attacker with a certain amount of resources, skill, and scope. We know that bad guys will attack essentially all publicly facing websites at some point in time, so it makes sense for us to learn about the defects before they do. As such, black box vulnerability assessments are best defined as an outcome-based metric for measuring the security of a system with all security safeguards in place.
White box source code reviews, on the other hand, measure and/or help reduce the number of security defects in an application resulting from the current software development life-cycle. In the immortal words of Michael Howard regarding Microsoft’s SDL mantra, “Reduce the number of vulnerabilities and reduce the severity of the bugs you miss.” Software has bugs, and that will continue to be the case. Therefore it is best to minimize them to the extent we can in an effort to increase software assurance.
Taking a step back, you might reasonably select a particular product/service using vulns-per-dollar as one of the criteria, but again, not the testing methodology itself. Just as you wouldn’t compare the value of network pen-testing against patch management, firewalls against IPS, and so on. Understanding first what you want to measure should be the guide to testing methodology selection.
Friday, October 23, 2009
Best of Application Security (Friday, Oct. 23)
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
- The real cost of software security
- Porn, CSS History Hacking, User Recon and Blackmail
- Information Asset Value: Some Cold-Hearted Calculations
- How to Value Digital Assets (Web Sites, etc.)
- Happy 900 and RSnakes on a Plane!
- Hacking Crazy Taxi
- We've been blind to attacks on our Web sites
- First Impressions on Security in Google Wave
- OWASP Podcast #46 Luca Carettoni and Stefano Di Paola (HTTP Parameter Pollution)
- Web Protection Library – CTP Release Coming Soon
Sunday, October 18, 2009
Best of Application Security (Friday, Oct. 16)
Note: Delayed due to travel requirements.
Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!
- OWASP Podcast #44 Interview with Andy Steingruebl
- Cross-Domain Security
- (WASC) Web Application Security Statistics 2008
- Adoption of X-FRAME-OPTIONS header
- Integrating WAFs And Vulnerability Scanners
- Regular Expressions – the secure developers best friend
- Sneaky Microsoft plug-in puts Firefox users at risk
- The Month of Facebook Bugs Report
- Transport Layer Protection Cheat Sheet
- What Security Means to a Healthcare CIO
