Difference between revisions of "Template:Application Security News"

From OWASP
Line 1: Line 1:
 +
; '''Oct 15 - [http://link RSnake says IE7 sucks less for XSS]'''
 +
: Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"
 +
 
; '''Oct 15 - [http://www.csoonline.com.au/index.php/id;116770232;fp;16;fpid;0 AppSec like global warming...]'''
 
: You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow [[cross-site scripting]] (14.5 percent), [[SQL injection]] (10.9 percent); [[buffer overflows]] (10.8 percent) and Web directory [[path traversal]] (3 percent).
 
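Review bot: the added Oct 15 item links to the placeholder URL `http://link`; every other entry in this template carries the real address of the article it excerpts, so swap in the actual URL of RSnake's IE7 post before this revision goes live.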
Line 10: Line 13:
 
; '''Oct 3 - [http://shiflett.org/archive/267 crossdomain.xml witch hunt]'''  
 
: crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."
 
; '''Oct 2 - [http://searchappsecurity.techtarget.com/originalContent/0,289142,sid92_gci1219789,00.html Static analysis - an important part of a balanced breakfast]'''
 
: "The fact that we can say we do a code review as part of our development process gives [customers] comfort, and it demonstrates the maturity of our risk management process when it comes to code, and the fact that it's part of our overall program."
 
 
; '''Oct 2 - [http://www-128.ibm.com/developerworks/java/library/j-fuzztest.html Fuzz testing in Java]'''
 
: "Of course, error handling and verification is ugly, annoying, inconvenient, and thoroughly despised by programmers the world over. Sixty years into the computer age, we still aren't checking basic things like the success of opening a file or whether memory allocation succeeds. Asking programmers to test each byte and every invariant when reading a file seems hopeless -- but failing to do so leaves your programs vulnerable to fuzz."
 
 
; '''Oct 2 - [http://www.newsobserver.com/104/story/493117.html Data breaches reaching ridiculous levels]'''
 
: "Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."
 
 
; '''Sep 26 - [http://www.nytimes.com/2006/09/27/technology/circuits/27goog.html Google hacking makes the NYT]'''
 
: "Google acknowledges that its index can be misused. “Search engines reflect what is on the Web,” said Barry Schnitt, a Google spokesman. “We still work to try to prevent and stop exploits and encourage Webmasters to employ best practices and effective security for their Web sites.” On Google’s site you can find tips on how to remove sensitive data from its index, for example."
 
 
; '''Sep 21 - [http://searchappsecurity.techtarget.com/originalContent/0,289142,sid92_gci1216994,00.html WAFs not dead says Burton]'''
 
: "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked."
 
; [[Application Security News|Older news...]]
 

Revision as of 02:40, 16 October 2006

Oct 15 - RSnake says IE7 sucks less for XSS
Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"
Oct 15 - AppSec like global warming...
You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow cross-site scripting (14.5 percent), SQL injection (10.9 percent); buffer overflows (10.8 percent) and Web directory path traversal (3 percent).
Oct 6 - Ajax is FUD-tastic
News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need guidelines and more research, not more FUD.
Oct 3 - CSRF, the sleeping giant
"Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. An issue so pervasive and fundamental to the way the Web is designed to function we've had a difficult time even reporting it as a "vulnerability". Which is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing and it’s only a matter of time before CSRF hacks its way into the mainstream consciousness." (Ed: We're revising the Top 10 for 2007 - feel free to come join us!)
Oct 3 - crossdomain.xml witch hunt
crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."
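As an added illustration (not from Shiflett's post or from this OWASP page), the crossdomain.xml setting that creates the exposure described above, shown in a comment beside a restricted policy; the host names are placeholders:

```xml
<?xml version="1.0"?>
<cross-domain-policy>
  <!-- Weak setting (do not use): <allow-access-from domain="*" />
       lets a Flash movie hosted on ANY origin send requests to this host
       with the visitor's cookies attached and read the responses. On a site
       with state-changing endpoints that is the Flash-based CSRF the item
       above describes. -->

  <!-- Restricted policy: grant access only to origins you control, and only
       to movies loaded over HTTPS (secure="true"). Placeholder host names. -->
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>
```

If no Flash client of yours needs cross-origin access, the strongest policy is to serve no crossdomain.xml at all; the file only governs what Flash Player may do, so the endpoints behind it still need their own CSRF tokens against plain form and script requests.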
Older news...