
3 February

There are several security issues affecting all major Web browsers that have remained unaddressed for years (probably because the bad guys haven’t leveraged them aggressively enough, but the potential is there). The problem is that the only known ways to fix these issues (adequately) are to “break the Web” — i.e. negatively impact the usability of a significant and unacceptable percentage of websites

Read more:
The Web won’t be safe, let alone secure, unless we break it

Category : Web App Sec | Blog
15 January

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order. Top Ten Web Hacking Techniques of 2009 (Official) Default https access for Gmail new static analyzer from Google Purported Interview With Facebook Employee Details Use Of ‘Master Password’ Software testing firm says no to responsible disclosure Web-based systems vs

View original post here:
Best of Application Security (Friday, Jan. 15)

Category : Web App Sec | Blog
12 January

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between.

More:
Top Ten Web Hacking Techniques of 2009 (Official)

Category : Web App Sec | Blog
5 January

As reported by Reuters and the BBC, the official website set up by the Spanish government to mark its six-month presidency of the EU was briefly compromised yesterday afternoon. Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr

Excerpt from:
Mr Bean comes out of retirement, takes over Spain

Category : infySEC | Blog
17 December

Just 2 weeks left in 2009. Time to start collecting all the latest published research in preparation for the coveted Top Ten Web Hacking Techniques list! Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc.

Excerpt from:
Attention security researchers! Submit your new 2009 Web Hacking Techniques

Category : Web App Sec | Blog
7 December

UPDATE : At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

Continued here:
A whole new meaning to Phishing.

Category : infySEC | Blog
30 October

Ten of the Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order. Regularly released until year end

Continued here:
Best of Application Security (Friday, Oct. 30)

Category : Web App Sec | Blog
17 August

Today a large percentage of security professionals truly “get” application security. They understand the importance, the best-practices, the value, etc. What inhibits their success the most in building an effective application security program is a lack of buy-in from the business and support from development groups

Read the original here:
Overcoming Objections to an Application Security Program

Category : Web App Sec | Blog