Application Security Space
Welcome to the Application Security Space

The Space is not intended to deal with network and system level security but to focus on the many security issues at the application layer. Here Space visitors and members have a single place to discuss and learn about issues and technologies related to application security. The Space is a portal into the subject as well as a clearing house that aggregates information, targets security problems and provides solutions. Come join the discussion and share your tips and tricks for keeping applications safer.

Authorization in JEE applications can be more complex than authentication

There are standard mechanisms that JEE applications typically use to authenticate users. Authorization, on the other hand, sometimes requires custom solutions. Check out this thorough discussion of the subject by IBMers Paul Ilechko and Mannie Kagan.

Yahoo's Security Best Practices for Developers

Yahoo is one of the leaders in building sophisticated Web UIs through the use of JavaScript, Ajax, and of course their YUI framework. The sensitivity of the information they maintain for their users requires strong security. Here's a compendium of security best practice advice for developers, gathered from experience, with several examples written in PHP.
The Open Web Application Security Project Top Ten Vulnerabilities

OWASP is a worldwide free and open community focused on improving the security of application software. OWASP maintains a list of Web application vulnerabilities, the most common of which are the Top Ten. OWASP has a host of great information about Web application security, examples of what not to do in your applications, tools and tutorials for making your applications secure, and much more. Check out OWASP!

Scan your Web application for vulnerabilities

Now with a demo! Even when you think you've eliminated all vulnerabilities in your application during development and testing, you might be surprised at what is still in there. Automated vulnerability scanning is one way to reduce the danger. AppScan from Rational is a Web application security assessment suite that accurately pinpoints critical vulnerabilities and manages the process of fixing them. Watch an online video demo of AppScan to see how it works, how powerful it is, and how easy it is to use. Check it out.

Why Ajax security is not enough: Time for SMash

We can't be complacent just because we've followed all the rules for secure Ajax usage. Mashups introduce further opportunities for vulnerabilities. SMash is a new technology, recently donated by IBM to the OpenAjax Alliance, that seeks to provide a solution for this issue. You can read about it here. You can also read about it at eWeek and InfoWorld.

5 Steps to Secure Development

Here's an excellent article from eWeek that discusses secure application development. It starts with process definition before the start of development and continues through monitoring the process in production. A good overview.

The authentication user experience

This article approaches authentication from the standpoint of usability. The author, Jared Spool, is a well-known expert on user interface design. I've heard him speak and he's terrific. Although the article is not specifically on authentication technology, I think you'll find it, and a second one linked to towards the bottom of it, quite pertinent to the overall quality of your site.

Cross-Site Request Forgery

Cross-Site Request Forgery (XSRF) is a particularly insidious exploit. Unlike cross-site scripting, it is not based on the injection of malicious code into a trusted Web site; it merely sends malicious commands from the user's browser to a Web site on behalf of an "evil" Web site. It's very important, yet difficult, to prevent this type of attack. There's an excellent whitepaper on the subject here.

Vulnerabilities - those we manage and those we own

Web application vulnerabilities can be divided into those we own and those we manage. Those we own are caused by insecure in-house application development, usually within the business logic of the app. SQL injection, path tampering, XSS, suspect content and cookie poisoning are typical types of exploits. These Application-Specific Vulnerabilities, or ASVs, are our responsibility to find and fix through our application knowledge, and that is usually not easy. Vulnerabilities we manage are usually infrastructure-based, a result of third-party defects, and known as Common Web Vulnerabilities, or CWVs. These are usually fixed by patches released by vendors. Learn about CWVs and application-specific vulnerabilities at MITRE and SecurityFocus. SANS Institute also has a top 20 list of Common Vulnerabilities and Exposures, updated annually. CVE is a dictionary of publicly known information security vulnerabilities and exposures.

Enterprise Application Security 101

Security tech briefings agenda and presentation

You can download the agenda and the presentation for the above Security tech briefings.

Hacking 101, a different security briefing

This briefing focuses on techniques a hacker can use to break into a Web site, and what we can do to prevent that from happening. IBM Rational Watchfire AppScan is one strong tool in our arsenal.