This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Template:Application Security News"
From OWASP
| Line 3: | Line 3: | ||
: Comment or "Quote" | : Comment or "Quote" | ||
--> | --> | ||
| + | |||
| + | ; '''Jul 26 - [http://www.gcn.com/print/25_21/41397-1.html Government agency wake up call]''' | ||
| + | : The [[OWASP Top Ten]] was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle." | ||
; '''Jul 24 - [http://www.theregister.co.uk/2006/07/22/bug_hunters_crawl_over_ms_office/page3.html Fuzzing comes of age]''' | ; '''Jul 24 - [http://www.theregister.co.uk/2006/07/22/bug_hunters_crawl_over_ms_office/page3.html Fuzzing comes of age]''' | ||
Revision as of 10:56, 26 July 2006
- Jul 26 - Government agency wake up call
- The OWASP Top Ten was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."
- Jul 24 - Fuzzing comes of age
- "In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."
- Jul 20 - PayPal challenges Oracle for longest time-to-fix
- Daring people to sue for negligence, PayPal ignored a 2004 notification of a "cross site scripting attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."
- Jul 19 - SQL injection flood reported
- "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day...The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack."
- Jul 18 - Symantec deflowers Vista
- "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects...Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."
- Jul 18 - PCI to require security code reviews
- "The way the standard reads today, all provisions are treated equally, Litan says. She expects PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews."
