
Difference between revisions of "Template:Application Security News"

From OWASP
Line 1: Line 1:
 
<!-- please add stories to the main Application Security News page -->
 
<!-- please add stories to the main Application Security News page -->
  
; '''Jan 10 - [http://www2.csoonline.com/exclusives/column.html?CID=28072 Ranum excoriates 'vulnerability pimps' - MUST READ]'''
+
; '''Jan 10 - [http://www2.csoonline.com/exclusives/column.html?CID=28072 Vulnerability Disclosure: The Good, the Bad and the Ugly]'''
: "Computer security needs to grow the hell up, and needs to do it pretty quickly. It seems that virtually every aspect of life is becoming increasingly computerized and exposed to online attack. The problem is getting more significant the longer we wait to deal with it, but the early history of computer security has been a massive disappointment to all of us: huge amounts of money spent with relatively little improvement to show for it. One of the reasons is that a huge amount of that effort has been wasted, barking up the wrong tree. Unfortunately, if you look at the last 10 years of security, it’s a litany of "one step forward, one step back," thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. At this point, they’re so deeply entrenched and vested that they’re here to stay, unless the industry as a whole turns away from rewarding bad behavior. If you’re a customer or end user, you can see how well disclosure worked to improve your security over the last decade. Let me be frank: It’s up to you."
+
:''More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less?'', three good articles: [http://www2.csoonline.com/exclusives/column.html?CID=28071 Microsoft: Responsible Vulnerability Disclosure Protects Users] , [http://www2.csoonline.com/exclusives/column.html?CID=28073 Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’], [http://www2.csoonline.com/exclusives/column.html?CID=28072 The Vulnerability Disclosure Game: Are We More Secure?] and [http://www.csoonline.com/read/010107/fea_vuln.html The Chilling Effect]
  
 
; '''Jan 3 - [http://www.gnucitizen.org/blog/danger-danger-danger/ XSS in ALL sites with PDF download]'''
 
; '''Jan 3 - [http://www.gnucitizen.org/blog/danger-danger-danger/ XSS in ALL sites with PDF download]'''
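Review bot: the Jan 10 entry's link list is introduced as "three good articles" but names four (Microsoft, Schneier, The Vulnerability Disclosure Game, The Chilling Effect), and the new headline "Vulnerability Disclosure: The Good, the Bad and the Ugly" links to CID=28072, the same URL the list gives for "The Vulnerability Disclosure Game: Are We More Secure?", so either the count or one of the two CID=28072 links is wrong; verify which column each title should point to before this goes live. Minor style point in the quoted paragraph: the inner quotation "one step forward, one step back," uses the same straight double quotes as the enclosing quote, which makes the quoted block appear to end early; single quotes or wiki italics for the inner phrase would keep the quotation unambiguous.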

Revision as of 12:26, 16 January 2007


Jan 10 - Vulnerability Disclosure: The Good, the Bad and the Ugly
More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less? Three good articles: Microsoft: Responsible Vulnerability Disclosure Protects Users, Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’, The Vulnerability Disclosure Game: Are We More Secure? and The Chilling Effect
Jan 3 - XSS in ALL sites with PDF download
Critical XSS flaw that is trivial to exploit in all but the very latest browsers. Attackers simply have to add a script like #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). The solution is to not use PDFs, or for Adobe to patch the planet.
Dec 16 - What IS security critical code?
"It's likely that in most incidents of people being killed as a result of software bugs (or IT systems bugs), the software wasn't thought to be safety-critical at all. For example, a word-processor failing to recognize that a print request has failed, resulting in a patient not getting a letter giving a hospital appointment. Or someone committing suicide because of an incorrect bank statement." Michael Kay on the xml-dev list, 8/17/2005
Older news...