Template:Application Security News

Oct 17 - Bill Joy gets religion: Welcome Bill! "Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code-the software's blueprint-for security flaws, thereby vastly improving overall security."

Oct 17 - Marcus Ranum disses IPv6: "IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks."

Oct 15 - RSnake says IE7 sucks less for XSS: Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"

Oct 15 - AppSec like global warming...: You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow cross-site scripting (14.5 percent), SQL injection (10.9 percent); buffer overflows (10.8 percent) and Web directory path traversal (3 percent).

Oct 6 - Ajax is FUD-tastic: News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need guidelines and more research, not more FUD.

Navigation menu