This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Template:Application Security News"
From OWASP
| Line 1: | Line 1: | ||
| + | |||
| + | ; '''Sep 21 - [http://searchappsecurity.techtarget.com/originalContent/0,289142,sid92_gci1216994,00.html WAFs not dead says Burton]''' | ||
| + | : "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked." | ||
| + | |||
| + | ; '''Sep 21 - [http://www.uschamber.com/NR/rdonlyres/eyzkc6zyokejn5n64o7vpmgvqxyd7dodczrpuc5tpqzoinz5gq7mpy3puuct43h6cgtr4kf3hmpx6hugw5kiktflzyh/top_5_alert.pdf Visa: SQL injection confirmed as compromise leader]''' | ||
| + | : Visa has analyzed a their actual compromises and concluded that [[SQL injection]] is the most problematic application security problem. "A successful SQL injection attack can have serious consequences. SQL injection attacks can result in the crippling of the payment application or an entire e-commerce site." | ||
| + | |||
| + | ; '''Sep 21 - [http://www.zimbra.com/blog/archives/2006/09/securing_ajax.html Ajax more secure? Right.]''' | ||
| + | : This blog post argues "[[OWASP AJAX Project|Ajax]] applications can be made as highly-secure as the web technologies upon which the Ajax model is based." Even if that was the goal, it misses the point. The complexity and lack of tools for building and testing Ajax applications makes them ''far'' more difficult to assure. | ||
| + | |||
| + | ; '''Sep 21 - [http://www.marketwatch.com/news/story/story.aspx?guid=757B480B7BF64D068ED8D43AB42AC6FC&siteid=mktw&dist=nbk Fear of commitment]''' | ||
| + | : "According to a June 2006 survey of 400 U.S. based software developers that was commissioned by Symantec, an overwhelming 93 percent felt that secure application development was more of a priority now than three years ago. Also 70 percent indicated that their employers emphasize the importance of application security, 74 percent indicated that security was a high priority in their development process, yet only 29 percent stated that security was always part of the development process." | ||
| + | |||
; '''Sep 17 - [http://www.attrition.org/pipermail/vim/attachments/20060914/42b97c1d/attachment-0001.obj The data are in]''' | ; '''Sep 17 - [http://www.attrition.org/pipermail/vim/attachments/20060914/42b97c1d/attachment-0001.obj The data are in]''' | ||
: Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and [http://news.zdnet.co.uk/internet/security/0,39020375,39283373,00.htm conclude] that browsers are the biggest problem, you need to check it again. | : Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and [http://news.zdnet.co.uk/internet/security/0,39020375,39283373,00.htm conclude] that browsers are the biggest problem, you need to check it again. | ||
| + | |||
| + | ; '''Sep 15 - [http://www.securityfocus.com/news/11413 Web flaws race ahead in 2006]''' | ||
| + | : "Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project." | ||
; '''Sep 14 - [http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9003204 Gartner says 'customize at your own risk']''' | ; '''Sep 14 - [http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9003204 Gartner says 'customize at your own risk']''' | ||
: "Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you." | : "Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you." | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
; [[Application Security News|Older news...]] | ; [[Application Security News|Older news...]] | ||
Revision as of 15:47, 21 September 2006
- Sep 21 - WAFs not dead says Burton
- "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked."
- Sep 21 - Visa: SQL injection confirmed as compromise leader
- Visa has analyzed a their actual compromises and concluded that SQL injection is the most problematic application security problem. "A successful SQL injection attack can have serious consequences. SQL injection attacks can result in the crippling of the payment application or an entire e-commerce site."
- Sep 21 - Ajax more secure? Right.
- This blog post argues "Ajax applications can be made as highly-secure as the web technologies upon which the Ajax model is based." Even if that was the goal, it misses the point. The complexity and lack of tools for building and testing Ajax applications makes them far more difficult to assure.
- Sep 21 - Fear of commitment
- "According to a June 2006 survey of 400 U.S. based software developers that was commissioned by Symantec, an overwhelming 93 percent felt that secure application development was more of a priority now than three years ago. Also 70 percent indicated that their employers emphasize the importance of application security, 74 percent indicated that security was a high priority in their development process, yet only 29 percent stated that security was always part of the development process."
- Sep 17 - The data are in
- Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and conclude that browsers are the biggest problem, you need to check it again.
- Sep 15 - Web flaws race ahead in 2006
- "Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project."
- Sep 14 - Gartner says 'customize at your own risk'
- "Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you."
