This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Template:Application Security News"

From OWASP
Line 1: Line 1:
+ ; '''Sep 1 - [http://www.darkreading.com/document.asp?doc_id=109150 Don't blame the browser]'''
+ : Client-side applications are all intertwined, and a flaw in one may compromise the rest. But don't forget the web applications!
 
; '''Oct 25 - [http://www.computerweekly.com/Articles/2006/10/23/219377/Microsoft+takes+Vista+security+to+a+new+level+using.htm Michael Howard's advice from OWASP AppSec Conference]'''
 
: Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the [[OWASP_AppSec_Seattle_2006/Agenda|conference page]]
Line 7: Line 11:
 
; '''Oct 19 - [http://msdn.microsoft.com/msdnmag/issues/06/11/default.aspx MSDN Magazine AppSec Issue]'''
 
: Great articles from Michael Howard and crew on Threat Modeling, SSO, Extending SDL, and an interesting article on SQL truncation attacks
 
; '''Oct 19 - [http://news.com.com/Netflix+fixes+Web+2.0+bugs/2100-1002_3-6126438.html?tag=cd.lede Netflix hit with CSRF - who's next?]'''
 
: All you did was load a web page - how did that add movies to my Netflix account? [[Cross-Site Request Forgery]] attacks are usually as simple as image links to another site: the browser fetches the image URL and attaches your session cookie for that site, so if you're logged in the request is indistinguishable from one you made yourself and the attack succeeds. Netflix got burned, but any site that changes account state on a cookie-authenticated request alone is susceptible to this attack.
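To make the Netflix item concrete, here is a toy model of the attack and of the synchronizer-token fix. This is an added example written for this page, not OWASP's, Netflix's or any browser's code; the video site origin, the `/add` endpoint, the cookie name `session` and the form field `csrf_token` are assumptions, and the sessions and queue are constructed in-memory state standing in for a real server.

```python
"""Toy model of the cross-site request forgery the Netflix item describes.

Constructed example for this page; not OWASP's, Netflix's or a browser's code.
The origin video.example, the /add endpoint, the "session" cookie and the
"csrf_token" form field are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed server-side state: session cookie value -> user, user -> movie queue.
SESSIONS = {"s3ss10n": "alice"}
QUEUES = {"alice": []}
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret for token derivation


def current_user(cookies):
    """Resolve the logged-in user from whatever session cookie the browser sent."""
    return SESSIONS.get(cookies.get("session"))


def vulnerable_add(method, url, cookies, form=None):
    """Pre-fix pattern: a session cookie plus a GET is enough to change state.

    The browser attaches the victim's cookie to every request to this origin,
    including one triggered by <img src="https://video.example/add?movie=...">
    on an attacker's page, so the server cannot tell a click from an image tag.
    """
    user = current_user(cookies)
    if user is None:
        return 401, "login required"
    movie = parse_qs(urlparse(url).query).get("movie", [None])[0]
    if movie is None:
        return 400, "missing movie"
    QUEUES[user].append(movie)
    return 200, f"added {movie}"


def csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).

    The site renders it into its own forms. The same-origin policy stops the
    attacker's page from reading the victim's pages, so it cannot learn the
    token, and without SERVER_SECRET it cannot forge one.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_add(method, url, cookies, form=None):
    """Same operation, but state changes need POST plus a valid per-session token."""
    if method != "POST":
        return 405, "state-changing requests must be POST"  # an <img> can only GET
    user = current_user(cookies)
    if user is None:
        return 401, "login required"
    form = form or {}
    expected = csrf_token(cookies["session"])
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    movie = form.get("movie")
    if movie is None:
        return 400, "missing movie"
    QUEUES[user].append(movie)
    return 200, f"added {movie}"


def image_tag_attack(handler):
    """Logged-in victim views an attacker page containing
    <img src="https://video.example/add?movie=Attacker%27s%20Pick">.
    The browser fetches it with the victim's cookie; the attacker sees no response.
    """
    QUEUES["alice"].clear()
    status, _ = handler("GET", "https://video.example/add?movie=Attacker%27s%20Pick",
                        {"session": "s3ss10n"})
    return status, list(QUEUES["alice"])


def auto_submitting_form_attack():
    """An attacker page can also POST via a self-submitting <form>, so requiring
    POST alone is not a fix. The cookie still rides along; the token does not.
    """
    QUEUES["alice"].clear()
    status, _ = hardened_add("POST", "https://video.example/add",
                             {"session": "s3ss10n"}, {"movie": "Attacker's Pick"})
    return status, list(QUEUES["alice"])


def legitimate_add(movie):
    """The site's own form, carrying the token the site rendered for this session."""
    QUEUES["alice"].clear()
    form = {"movie": movie, "csrf_token": csrf_token("s3ss10n")}
    status, _ = hardened_add("POST", "https://video.example/add",
                             {"session": "s3ss10n"}, form)
    return status, list(QUEUES["alice"])
```

Running `image_tag_attack(vulnerable_add)` adds the attacker's movie to alice's queue with a 200; the same image tag against `hardened_add` gets a 405, and a forged cross-site POST without the token gets a 403, while the site's own form still succeeds. The token must travel in the POST body (or a header), never in a GET URL where it would leak through the Referer header, and it is a per-session secret, so it must not be compared with plain `==`.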
 
 
; '''Oct 17 - [http://www.businessweek.com/technology/content/sep2006/tc20060926_175459.htm?chan=top+news_top+news+index Bill Joy gets religion]'''
 
: Welcome Bill! "Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code, the software's blueprint, for security flaws, thereby vastly improving overall security."
 
 
; '''Oct 17 - [http://www.securityfocus.com/columnists/334 Marcus Ranum disses IPv6]'''
 
: "IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks."
 
 
; '''Oct 15 - [http://link RSnake says IE7 sucks less for XSS]'''
 
: Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"
 
  
 
; [[Application Security News|Older news...]]

Revision as of 17:01, 5 November 2006

Sep 1 - Don't blame the browser (http://www.darkreading.com/document.asp?doc_id=109150)
Client-side applications are all intertwined, and a flaw in one may compromise the rest. But don't forget the web applications!
Oct 25 - Michael Howard's advice from OWASP AppSec Conference
Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the conference page
Oct 24 - Hackers get organized
"Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities. E-Trade Financial Corp. said last week that 'concerted rings' in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. 'It is an industry problem. It does continue to grow.'"
Oct 19 - MSDN Magazine AppSec Issue
Great articles from Michael Howard and crew on Threat Modeling, SSO, Extending SDL, and an interesting article on SQL truncation attacks
Older news...