
Web App Sec

1 July

Millions of websites such as online news, blogs, e-commerce, banks, webmail, social networking and more utilize third-party hosted content on their webpages in the form of JavaScript, Adobe Flash, Microsoft Silverlight, HTML IFrames, and images. Often referred to as Web Widgets, common examples are banners (Google AdSense), search boxes (Yahoo), traffic counters (StatCounter), games (Pogo), videos (YouTube), Twitter / RSS feeds, user polls, security badges (VeriSign Secured Seal), social buttons (Facebook Like), etc.

Go here to see the original:
Third-Party Web Widget Security FAQ

Category : Web App Sec | Blog
29 June

Vulnerabilities in websites happen, especially the ever-pervasive Cross-Site Scripting (XSS). Essentially every major website has had to deal with XSS vulnerabilities published publicly or otherwise

Follow this link:
Full-Disclosure, Our Turn

Category : F-Secure | Symantec | Web App Sec | Blog
26 June

Earlier this month NPR’s Planet Money podcast had a session entitled, “A War Between States And Corporations,” where they interviewed Ian Bremmer (President, Eurasia Group). Mr. Bremmer is the author of The End of the Free Market: Who Wins the War Between States and Corporations

More:
In a cyber-war, we fight for economic well-being

Category : Symantec | Web App Sec | Blog
25 June

Vulnerabilities identifiable in an automated fashion, such as with a scanner, can be loosely classified as “low-hanging fruit” (LHF) — issues easy, fast, and likely for bad guys to uncover and exploit. Cross-Site Scripting, SQL Injection, Information Leakage, and so on are some of the most typical forms of website LHF

View original post here:
The Low Hanging Fruit scanner strategy can get you into trouble

Category : Web App Sec | Blog
17 June

Recently on Twitter I asked why some people feel oddly compelled to rely upon the shortcomings of Web Application Firewalls (WAFs) as a means to advocate for a Secure Development Lifecycle (SDL). To me this is odd because the long-term, risk-reducing value provided by secure code is enough on its own to warrant the investment

Read more here:
anti-waf-software-security-only-zealotry

Category : Symantec | Web App Sec | Blog
4 June

Nothing drives a business like customer demand. When customers say they want X or they’ll go with competition, well, you do it or risk losing their business

See more here:
Microsoft security IS “good enough” and that’s the problem

Category : Web App Sec | Blog
7 May

Developers are blissfully ignorant in knowing how insecure the code they write is. To overly simplify, an application security specialist's job is to remove a developer's bliss, their happiness. Happiness is not something a person will want to let go of willingly unless an equitable replacement is offered.

Follow this link:
Replacing Happiness with Pride (Rugged)

Category : Web App Sec | Blog
6 May

Fresh from the FS-ISAC conference in lovely St. Pete Florida, one predominant theme was that Financial Institutions must assume the client, their customers rather, are compromised (infected with malware) and they must continue doing business anyway. Given the threat landscape this is a reasonable operating parameter.

See more here:
Ceding the desktop security battle, almost the war

Category : Web App Sec | Blog
6 May

No doubt many have noticed that I’ve been on a blogging hiatus. Between attending to literally life and death personal matters, an overwhelming work schedule, and taking some much needed time off — blogging was put on hold for a while

Read more from the original source:
Time to start blogging again…

Category : Web App Sec | Blog
16 April

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Apache Foundation Hit by Targeted XSS Attack + Internal investigation + Associated Atlassian breach
- CSRF Isn’t A Big Deal - Duh!
- Network Solutions Hack: Secure File Permissions Matter + Sucuri Analysis
- OWASP RFP Criteria Project
- IE 8 Security Features Could Be Turned Against Users + Slides & PoC
- Next-Generation Clickjacking Attacks Revealed + Tool
- Brokerage Firm Fined $375,000 for Unsecured Data
- Researcher Uncovers (Another) Major Facebook Security Exploit
- New Full Disclosure, Website Vulnerabilities Database
- Chrome Phishing
- 5 Reasons HTTPOnly won’t save you

WhiteHat Security is a leading provider of website security services

Read more here:
Best of Application Security (Friday, Apr. 16)

Category : Web App Sec | Blog