This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Template:Application Security News"
From OWASP
| Line 3: | Line 3: | ||
: Comment or "Quote" | : Comment or "Quote" | ||
--> | --> | ||
| + | |||
| + | ; '''Aug 2 - [http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2006/v4n4&file=basic.xml Michael Howard's code review process]''' | ||
| + | : Michael recommends prioritizing, but strangely doesn't use [[threat modeling]] as a way to do it. Still, a great article because... "No one really likes [[:Category:OWASP Code Review Project|reviewing source code]] for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option." | ||
; '''Jul 31 - [http://www.newsfactor.com/story.xhtml?story_id=121003Y635KX&page=3 PCI revisions - code review is coming]''' | ; '''Jul 31 - [http://www.newsfactor.com/story.xhtml?story_id=121003Y635KX&page=3 PCI revisions - code review is coming]''' | ||
| Line 12: | Line 15: | ||
; '''Jul 28 - [http://www.f-secure.com/weblog/archives/archive-072006.html#00000930 Web application worms]''' | ; '''Jul 28 - [http://www.f-secure.com/weblog/archives/archive-072006.html#00000930 Web application worms]''' | ||
: "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities." | : "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities." | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
; [[Application Security News|Older news...]] | ; [[Application Security News|Older news...]] | ||
Revision as of 16:17, 3 August 2006
- Aug 2 - Michael Howard's code review process
- Michael recommends prioritizing, but strangely doesn't use threat modeling as a way to do it. Still, a great article because... "No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option."
- Jul 31 - PCI revisions - code review is coming
- "...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned.
- Jul 28 - Major JavaScript vulnerabilty documented
- "SPI Dynamics has published documentation and a live exploit of a significant javascript flaw. This appears to be a fundemental flaw in the scripting language and it impacts at least all IE browsers."
- Jul 28 - Web application worms
- "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."
