|
|
| (33 intermediate revisions by 5 users not shown) |
| Line 1: |
Line 1: |
| − | <!-- please add stories to the main Application Security News page --> | + | <IfLanguage Is="en"> |
| | + | This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources. |
| | + | </IfLanguage> |
| | + | <IfLanguage Is="es"> |
| | + | Estas noticias son moderadas por OWASP y mostrarán publicaciónes de alta calidad enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo o son recursos educativos útiles. |
| | + | </IfLanguage> |
| | | | |
| − | ; '''Dec 2 - [http://blogs.oracle.com/security/2006/11/27#a39 Oracle blames security researchers]'''
| + | <owaspfeed/> |
| − | : "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the [http://www.oracle.com/security/software-security-assurance.html Oracle Software Security Assurance] program real? Or are David Litchfield and Cesar Cerrudo right that Emperor has no clothes?
| |
| − | | |
| − | ; '''Nov 30 - [http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html What? Ajax is secure now?]'''
| |
| − | : Nice article making the point that Ajax is not necessarily insecure. Read it carefully folks - it isn't easy to build a secure Ajax application, just possible. And remember that although the article doesn't mention it, Ajax apps use new parsers and interpreters that haven't been very well tested for security.
| |
| − | | |
| − | ; '''Nov 30 - [http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf Democracy Schlemocracy]'''
| |
| − | : A paper from NIST argues that touchscreen voting machines are "more vulnerable to undetected programming errors or malicious code" and that "potentially, a single programmer could 'rig' a major election."
| |
| − | | |
| − | ; [[Image:Database_security_comparison.jpg|right|200px]]'''Nov 28 - [http://www.databasesecurity.com/dbsec/comparison.pdf Litchfield slams Oracle lack of SDL]'''
| |
| − | : David Litchfield presents some very compelling evidence that Microsoft's SDL is paying off. A very interesting read. Not surprisingly, Microsoft is [http://blogs.msdn.com/michael_howard/archive/2006/11/22/microsoft-beats-oracle-in-security-showdown.aspx gloating] a little.
| |
| − | | |
| − | ; '''Nov 28 - [http://link Foreign software - threat or xenophobia?]'''
| |
| − | : Ira Winkler - "If there is one line of code written overseas, that’s one line too many. Developing it in the U.S. is not perfect, but we are talking about an exponential increase in risk by moving it overseas." John Pescatore - the focus on offshore developers is "xenophobia" but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.
| |
| − | | |
| − | ; [[Application Security News|Older news...]]
| |
This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.
