Template:Application Security News
- Aug 22 - Nifty approach to rich Java client testing
- "The BeanShell provides a convenient means of inspecting and manipulating a Java application during execution. This allows the security tester to bypass security controls on the client and verify the security controls on the server. It also allows for the automation of tedious tests such as brute force testing."
- Aug 15 - Yes, you have an XSS problem
- The Washington Post lists flaws in sites from Verisign, eEye Digital Security, Cisco Systems, F-Secure, Snort.org, the National Security Agency, and others. If you're not sure whether you have XSS problems, you probably do, and you're compromising your customers' accounts and data. Should the Post be publishing live exploits? We don't think so.
- Aug 14 - Ajax threat coming fast
- "We've gone from kids screwing around to criminals looking for ways to make money in less than eight months... Imagine when the same flaws are used to steal money from financial institutions"
- Aug 11 - HSBC 'vulnerability' all smoke no fire
- "I was put at ease the moment I saw that each article was hinting at the researchers having made an assumption that every target has been infected with a keylogger. A bit of an unreasonable assumption if you ask me, and I think at this point it stops being 'news'; however, the vulnerability is quite interesting..."
- Aug 9 - ModSecurity rocks WAF competition
- "In the Forrester report, ModSecurity was recognized as 'the most widely deployed web application firewall,' with thousands of installations worldwide."
- Aug 2 - Michael Howard's code review process
- Michael recommends prioritizing, but strangely doesn't use threat modeling as a way to do it. Still, a great article because... "No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option."
- Jul 31 - PCI revisions - code review is coming
- "...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned."