This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Template:Application Security News"
From OWASP
| Line 1: | Line 1: | ||
<!-- please add stories to the main Application Security News page --> | <!-- please add stories to the main Application Security News page --> | ||
| + | |||
| + | ; '''Apr 21 - [http://www.enterprisenetworkingplanet.com/netsecur/article.php/3673056 Does first Vista 0day undermine SDL?]''' | ||
| + | : Ken van Wyk discusses the importance of process for producing secure software, and notes that attacks on Vista may undermine the general support for Microsoft's approach. Check out Michael Howard's [http://www.owasp.org/index.php/Image:OWASPAppSec2006Seattle_SecurityEngineeringInVista.ppt talk] from the last OWASP conference for a great discussion on the success of the SDL. | ||
| + | |||
| + | ; '''Apr 19 - [http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419?currentPage=all Why the software market is full of lemons]''' | ||
| + | : Bruce Schneier finally chimes in on an [[http://www.aspectsecurity.com/documents/Aspect_HCSS_Unsafe_At_Any_Speed.ppt old OWASP theme]] - the problem of assymetric information between software buyers and sellers. He only talks about security products, but the same problem affects all types of software. Check the [[http://www.owasp.org/index.php/Types_of_application_security_metrics Software Facts Label] which is an idea for actually doing something to change the game. | ||
| + | |||
| + | ; '''Apr 10 - [http://www.csoonline.com/alarmed/?source=nlt_csoupdate "There is no hope"]''' | ||
| + | : Despite all the good stuff at OWASP, Scott Berinato is giving up. "No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too." | ||
; '''Mar 15 - [http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx local IE 7 phishing hole]''' | ; '''Mar 15 - [http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx local IE 7 phishing hole]''' | ||
| Line 9: | Line 18: | ||
; '''Mar 8 - [http://myappsecurity.blogspot.com/search/label/reflection Anurag Agarwal's reflection series]''' | ; '''Mar 8 - [http://myappsecurity.blogspot.com/search/label/reflection Anurag Agarwal's reflection series]''' | ||
:Anurag Agarwal maintains an interesting [http://myappsecurity.blogspot.com/ blog] on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years! | :Anurag Agarwal maintains an interesting [http://myappsecurity.blogspot.com/ blog] on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years! | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
; [[Application Security News|Older news...]] | ; [[Application Security News|Older news...]] | ||
Revision as of 18:21, 23 April 2007
- Apr 21 - Does first Vista 0day undermine SDL?
- Ken van Wyk discusses the importance of process for producing secure software, and notes that attacks on Vista may undermine the general support for Microsoft's approach. Check out Michael Howard's talk from the last OWASP conference for a great discussion on the success of the SDL.
- Apr 19 - Why the software market is full of lemons
- Bruce Schneier finally chimes in on an [old OWASP theme] - the problem of assymetric information between software buyers and sellers. He only talks about security products, but the same problem affects all types of software. Check the [Software Facts Label which is an idea for actually doing something to change the game.
- Apr 10 - "There is no hope"
- Despite all the good stuff at OWASP, Scott Berinato is giving up. "No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too."
- Mar 15 - local IE 7 phishing hole
- Provides a nice proof of concept with CNN (Link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a story.
- Mar 14 - GMail Information Disclosure
- Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domains covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find a XSS hole.
- Mar 8 - Anurag Agarwal's reflection series
- Anurag Agarwal maintains an interesting blog on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years!
