|
|
| (13 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| − | <!-- please add stories to the main Application Security News page --> | + | <IfLanguage Is="en"> |
| | + | This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources. |
| | + | </IfLanguage> |
| | + | <IfLanguage Is="es"> |
| | + | Estas noticias son moderadas por OWASP y mostrarán publicaciónes de alta calidad enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo o son recursos educativos útiles. |
| | + | </IfLanguage> |
| | | | |
| − | ; '''Apr 21 - [http://www.enterprisenetworkingplanet.com/netsecur/article.php/3673056 Does first Vista 0day undermine SDL?]'''
| + | <owaspfeed/> |
| − | : Ken van Wyk discusses the importance of process for producing secure software, and notes that attacks on Vista may undermine the general support for Microsoft's approach. Check out Michael Howard's [http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt talk] from the last OWASP conference for a great discussion on the success of the SDL.
| |
| − | | |
| − | ; '''Apr 19 - [http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419?currentPage=all Why the software market is full of lemons]'''
| |
| − | : Bruce Schneier finally chimes in on an [[http://www.aspectsecurity.com/documents/Aspect_HCSS_Unsafe_At_Any_Speed.ppt old OWASP theme]] - the problem of assymetric information between software buyers and sellers. He only talks about security products, but the same problem affects all types of software. Check the [[http://www.owasp.org/index.php/Types_of_application_security_metrics Software Facts Label] which is an idea for actually doing something to change the game.
| |
| − | | |
| − | ; '''Apr 10 - [http://www.csoonline.com/alarmed/?source=nlt_csoupdate "There is no hope"]'''
| |
| − | : Despite all the good stuff at OWASP, Scott Berinato is giving up. "No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too."
| |
| − | | |
| − | ; '''Mar 15 - [http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx local IE 7 phishing hole]'''
| |
| − | :Provides a nice proof of concept with CNN (Link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a [http://news.com.com/2100-1002_3-6167410.html?part=rss&tag=2547-1_3-0-20&subj=news story].
| |
| − | | |
| − | ; '''Mar 14 - [http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/ GMail Information Disclosure]'''
| |
| − | :Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domains covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find a XSS hole.
| |
| − | | |
| − | ; '''Mar 8 - [http://myappsecurity.blogspot.com/search/label/reflection Anurag Agarwal's reflection series]'''
| |
| − | :Anurag Agarwal maintains an interesting [http://myappsecurity.blogspot.com/ blog] on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years!
| |
| − | | |
| − | ; [[Application Security News|Older news...]]
| |
This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.
