This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Template:Application Security News"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
; '''Nov 9 - [http://www.enterprisestrategygroup.com/ESGPublications/ReportListings.asp?ReportType=briefs SDL 2008 or bust!]'''
 +
: "ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business."
 +
 +
; '''Nov 7 - [http://www.sourceforge.net/projects/jbrofuzz JBroFuzz 0.2 Network Protocol Fuzzer Released]'''
 +
:JBroFuzz is a stateless network protocol fuzzer for penetration tests. Written in Java (exe also available) it provides a number of generators, as well as basic checks involving SQL injection, Cross Site Scripting (XSS), Buffer/Integer Overflows, as well as Format String Errors.
 +
 
; '''Nov 5 - [http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx 11.3% Vulnerable to SQL Injection]'''
 
; '''Nov 5 - [http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx 11.3% Vulnerable to SQL Injection]'''
 
: Micheal Sutton experimented with a survey of sites that have a parameter named "id" in the URL. He finds that 11.3% of them cough up a SQL error. "The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading as reports have suggested that it is a measure of what attackers are doing."
 
: Micheal Sutton experimented with a survey of sites that have a parameter named "id" in the URL. He finds that 11.3% of them cough up a SQL error. "The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading as reports have suggested that it is a measure of what attackers are doing."
Line 7: Line 13:
 
; '''Oct 25 - [http://www.computerweekly.com/Articles/2006/10/23/219377/Microsoft+takes+Vista+security+to+a+new+level+using.htm Michael Howard's advice from OWASP AppSec Conference]'''
 
; '''Oct 25 - [http://www.computerweekly.com/Articles/2006/10/23/219377/Microsoft+takes+Vista+security+to+a+new+level+using.htm Michael Howard's advice from OWASP AppSec Conference]'''
 
: Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the [[OWASP_AppSec_Seattle_2006/Agenda|conference page]]
 
: Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the [[OWASP_AppSec_Seattle_2006/Agenda|conference page]]
 
; '''Oct 24 - [http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html Hackers get organized]'''
 
: "Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities. E-Trade Financial Corp. said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. "It is an industry problem. It does continue to grow."
 
 
; '''Oct 19 - [http://msdn.microsoft.com/msdnmag/issues/06/11/default.aspx MSDN Magazine AppSec Issue]'''
 
: Great articles from Michael Howard and crew on Threat Modeling, SSO, Extending SDL, and an interesting article on SQL truncation attacks
 
  
 
; [[Application Security News|Older news...]]
 
; [[Application Security News|Older news...]]

Revision as of 21:15, 9 November 2006

Nov 9 - SDL 2008 or bust!
"ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business."
Nov 7 - JBroFuzz 0.2 Network Protocol Fuzzer Released
JBroFuzz is a stateless network protocol fuzzer for penetration tests. Written in Java (exe also available) it provides a number of generators, as well as basic checks involving SQL injection, Cross Site Scripting (XSS), Buffer/Integer Overflows, as well as Format String Errors.
Nov 5 - 11.3% Vulnerable to SQL Injection
Micheal Sutton experimented with a survey of sites that have a parameter named "id" in the URL. He finds that 11.3% of them cough up a SQL error. "The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading as reports have suggested that it is a measure of what attackers are doing."
Nov 1 - Don't blame the browser
Client side applications are all intertwined, and a flaw in one may compromise the rest. But don't forget the web applications!
Oct 25 - Michael Howard's advice from OWASP AppSec Conference
Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the conference page
Older news...