|
|
| (46 intermediate revisions by 5 users not shown) |
| Line 1: |
Line 1: |
| − | ; '''Oct 19 - [http://msdn.microsoft.com/msdnmag/issues/06/11/default.aspx MSDN Magazine AppSec Issue]'''
| + | <IfLanguage Is="en"> |
| − | : Great articles from Michael Howard and crew on Threat Modeling, SSO, Extending SDL, and an interesting article on SQL truncation attacks
| + | This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources. |
| | + | </IfLanguage> |
| | + | <IfLanguage Is="es"> |
| | + | Estas noticias son moderadas por OWASP y mostrarán publicaciónes de alta calidad enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo o son recursos educativos útiles. |
| | + | </IfLanguage> |
| | | | |
| − | ; '''Oct 19 - [http://news.com.com/Netflix+fixes+Web+2.0+bugs/2100-1002_3-6126438.html?tag=cd.lede Netflix hit with CSRF - who's next?]'''
| + | <owaspfeed/> |
| − | : All you did was load a web page - how did that add movies to my Netflix account? [[Cross-Site Request Forgery]] attacks are usually as simple as image links to another site. If you're logged in, the attack succeeds. Netflix got burned, but many sites are susceptible to this attack.
| |
| − | | |
| − | ; '''Oct 17 - [http://www.businessweek.com/technology/content/sep2006/tc20060926_175459.htm?chan=top+news_top+news+index Bill Joy gets religion]'''
| |
| − | : Welcome Bill! "Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code-the software's blueprint-for security flaws, thereby vastly improving overall security."
| |
| − | | |
| − | ; '''Oct 17 - [http://www.securityfocus.com/columnists/334 Marcus Ranum disses IPv6]'''
| |
| − | : "IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks."
| |
| − | | |
| − | ; '''Oct 15 - [http://link RSnake says IE7 sucks less for XSS]'''
| |
| − | : Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"
| |
| − | | |
| − | ; '''Oct 15 - [http://www.csoonline.com.au/index.php/id;116770232;fp;16;fpid;0 AppSec like global warming...]'''
| |
| − | : You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow [[cross-site scripting]] (14.5 percent), [[SQL injection]] (10.9 percent); [[buffer overflows]] (10.8 percent) and Web directory [[path traversal]] (3 percent).
| |
| − | | |
| − | ; '''Oct 6 - [http://www.wired.com/news/technology/security/0,71902-0.html Ajax is FUD-tastic]'''
| |
| − | : News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need [[OWASP AJAX Security Project|guidelines]] and more research, not more FUD.
| |
| − | | |
| − | ; [[Application Security News|Older news...]]
| |
This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.
