Web App Sec

13 March

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order:
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Three Steps to a Rational Security Budget
Hackvertor and JSReg
Multiple DOM-Based XSS in Dojo Toolkit SDK
Weak security ID questions put e-mail at risk
XSS demo for stealing passwords from the Firefox password manager
…because you can’t get enough of clickjacking
A gentle introduction to return-oriented programming
Facebook Adds Code for Clickjacking Prevention
Notes
Richard Bejtlich OWASP Podcast
WhiteHat Security is a leading provider of website security services.

View original post here:
Best of Application Security (Friday, Mar. 12)

Category : Web App Sec | Blog
12 March

Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager. Today there are four primary ways users lose control over their web-based passwords: phishing scams (email or SEO), malware (installing malware or drive-by downloads), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks.

Here is the original post:
Password Managers, is this the best option users have?

Category : Web App Sec | Blog
7 March

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order:
Verizon Incident Metrics Framework Released
Wiseguys net $25m in ticket scalping racket
State of Software Security Report
Internet Explorer 8 and the Security Development Lifecycle (SDL)
Top 10 Hacks of 2009 and WAF Mitigations
FTC alleges that ControlScan offered ‘little or no verification’ of site security or privacy
I’m in ur 4sq, snarfin ur password — Part I
Fifteen Common Activities from BSIMM2
Even if You Don’t Invent Your Own Crypto….It’s Still Hard
Facebook founder Mark Zuckerberg ‘hacked into emails of rivals and journalists’
WhiteHat Security is a leading provider of website security services.

Link:
Best of Application Security (Friday, Mar. 5)

Category : Web App Sec | Blog
26 February

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order:
Hitler and Cloud Computing Security
Microsoft SDL Core Training Classes & Tools
A Big Case of …OOPS…
Customer-Induced FUD
NT OBJECTives Response to the Larry Suto Report
Web Security Dojo v1.0 & Watcher 1.3.0 release
Online finance flaw: Ameriprise III
Banks, Businesses, Viruses and the UCC
Breaking Weak CAPTCHA in 26 Lines of Code
Finding Input Validation flaws with Taint Checking
WhiteHat Security is a leading provider of website security services.

Visit link:
Best of Application Security (Friday, Feb. 26)

Category : Web App Sec | Blog
19 February

My “Infrastructure vs. Application Security Spending” post must have struck a nerve. I’ve received a number of comments and emails where it’s clear many are grappling with the same organizational budgeting challenges.

See the original post here:
Compliance and Habit holding back Application Security

Category : Web App Sec | Blog
19 February

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order:
Microsoft’s Many Eyeballs and the Security Development Lifecycle
A Comparison of DBIR with UK breach report
Infrastructure vs

More here:
Best of Application Security (Friday, Feb. 19)

Category : Web App Sec | Blog
19 February

This relates to my last post, where Boaz Gelbord (Security Scoreboard) cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their “risk-based approach” is pasted below. While I can’t say any one of these security controls is a bad idea, can someone please tell me how any of this stuff is going to thwart Web-based attacks!?

Read more:
Hey Massachusetts, where is your application security requirement?

Category : Web App Sec | Blog
18 February

A recent study published by 7Safe, the UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs. 14% infrastructure) and that the attackers were predominantly external (80%). These results are largely consistent with the US-based Verizon Data Breach Incident Report (2008), which tracks over 500 cases

See original here:
Infrastructure vs. Application Security Spending

Category : Symantec | Web App Sec | Blog
12 February

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order:
A Lazy Pen Tester’s Guide to Testing Flash Applications
Rock Beats Scissors, and People Beat Process
Hacker threat forces DoH to close appraisal site
Feds say dev’s ‘cookie-stuffer’ app fleeced eBay
A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World
Death of Product Reviews
Are You Rugged?

Go here to see the original:
Best of Application Security (Friday, Feb. 12)

Category : Web App Sec | Blog
9 February

Last week Larry Suto published “Analyzing the Accuracy and Time Costs of Web Application Security Scanners,” which reviewed desktop black box website vulnerability scanners: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service). This research was meant to build upon Larry’s initial October 2007 study of the market

See the original post here:
Where’s WhiteHat? Re: Scanner Comparisons

Category : Web App Sec | Blog