Web App Sec

7 March

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Verizon Incident Metrics Framework Released
- Wiseguys net $25m in ticket scalping racket
- State of Software Security Report
- Internet Explorer 8 and the Security Development Lifecycle (SDL)
- Top 10 Hacks of 2009 and WAF Mitigations
- FTC alleges that ControlScan offered ‘little or no verification’ of site security or privacy
- I’m in ur 4sq, snarfin ur password — Part I
- Fifteen Common Activities from BSIMM2
- Even if You Don’t Invent Your Own Crypto… It’s Still Hard
- Facebook founder Mark Zuckerberg ‘hacked into emails of rivals and journalists’

WhiteHat Security is a leading provider of website security services.

Link:
Best of Application Security (Friday, Mar. 5)

Category : Web App Sec | Blog
26 February

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Hitler and Cloud Computing Security
- Microsoft SDL Core Training Classes & Tools
- A Big Case of …OOPS… Customer-Induced FUD
- NT OBJECTives Response to the Larry Suto Report
- Web Security Dojo v1.0 & Watcher 1.3.0 release
- Online finance flaw: Ameriprise III
- Banks, Businesses, Viruses and the UCC
- Breaking Weak CAPTCHA in 26 Lines of Code
- Finding Input Validation flaws with Taint Checking

Visit link:
Best of Application Security (Friday, Feb. 26)

Category : Web App Sec | Blog
19 February

My “Infrastructure vs. Application Security Spending” post must have struck a nerve. I’ve received a number of comments and emails where it’s clear many are grappling with the same organizational budgeting challenges.

See the original post here:
Compliance and Habit holding back Application Security

Category : Web App Sec | Blog
19 February

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Microsoft’s Many Eyeballs and the Security Development Lifecycle
- A Comparison of DBIR with UK breach report
- Infrastructure vs

More here:
Best of Application Security (Friday, Feb. 19)

Category : Web App Sec | Blog
19 February

This relates to my last post, where Boaz Gelbord (Security Scoreboard) cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their “risk-based approach” is pasted below. While I can’t say any one of these security controls is a bad idea, can someone please tell me how any of this stuff is going to thwart Web-based attacks!?

Read more:
Hey Massachusetts, where is your application security requirement?

Category : Web App Sec | Blog
18 February

A recent study published by 7Safe, the UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs. 14% infrastructure) and that the attackers were predominantly external (80%). These results are largely consistent with the US-based Verizon Data Breach Incident Report (2008), which tracks over 500 cases

See original here:
Infrastructure vs. Application Security Spending

Category : Symantec | Web App Sec | Blog
12 February

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- A Lazy Pen Tester’s Guide to Testing Flash Applications
- Rock Beats Scissors, and People Beat Process
- Hacker threat forces DoH to close appraisal site
- Feds say dev’s ‘cookie-stuffer’ app fleeced eBay
- A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World
- Death of Product Reviews
- Are You Rugged?

Go here to see the original:
Best of Application Security (Friday, Feb. 12)

Category : Web App Sec | Blog
9 February

Last week Larry Suto published “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” which reviewed desktop black box website vulnerability scanners: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service). This research was meant to build upon Larry’s initial October 2007 study of the market

See the original post here:
Where’s WhiteHat? Re: Scanner Comparisons

Category : Web App Sec | Blog
5 February

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Accuracy and Time Costs of Web Application Security Scanner Report
- The Web won’t be safe, let alone secure, unless we break it
- Why don’t websites default to SSL/TLS?

Go here to read the rest:
Best of Application Security (Friday, Feb. 5)

Category : Web App Sec | Blog
4 February

Any penetration tester would agree that pivot attacks, designed to compromise a secondary host in order to more effectively attack primary targets, are incredibly powerful. Organizations tend to have difficulty protecting all hosts at all times, which is why proper network segmentation is vital should loss of control occur on any one node. Often it’s easier to compromise a host from behind rather than head on

See the original post here:
Web 2.0 Pivot Attacks

Category : Web App Sec | Blog