Ounce adds white box security testing
IBM has rounded out its application security testing portfolio by acquiring Ounce Labs and its white box (static analysis) testing tools, which look for vulnerabilities in the source code itself. Combined with the AppScan black box tools, which probe a running application from the outside, the two approaches cover both sides of application security testing; each finds classes of defects the other cannot see, so neither is a substitute for the other. Ounce supports a variety of languages and architectures, and scales from use by an individual developer up to a full security team. Check out the post on the acquisition and check out Ounce!
Welcome to the Application Security Space
Application security is an extremely important and fast-changing subject, given the number of attacks and the new technologies entering our computing world every day. This Space covers the many topics involved in application security, highlights articles about the latest application security issues around Web and enterprise applications and services, and provides a place where administrators, developers and security professionals can come together and share ideas on how to make their applications and Web services safer. The Space is not intended to deal with network and system level security; it focuses on the many security issues at the application layer. Here Space visitors and members have a single place to discuss and learn about issues and technologies related to application security. The Space is a portal into the subject as well as a clearing house that aggregates information, targets security problems and provides solutions. Come join the discussion and share your tips and tricks for keeping applications safer.
Yahoo's Security Best Practices for Developers
Yahoo is one of the leaders in building sophisticated Web UIs with JavaScript, Ajax and, of course, its YUI framework. The sensitivity of the information it holds for its users requires strong security. Here's a compendium of security best practice advice for developers, gathered from experience, with several examples written in PHP.
Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF, also written XSRF) is a particularly insidious attack. Unlike cross-site scripting, it does not inject malicious code into the trusted Web site; instead an "evil" page makes the victim's browser send a request (a hidden form post, an image fetch, a link) to the trusted site, and the browser dutifully attaches the victim's session cookie, so the site carries out the command as if the user had asked for it. The site cannot tell the forged request from a genuine one by the cookie alone, which is why the attack is so easy to overlook. The standard defense is to require an unguessable, per-session token in every state-changing request (a hidden form field that an attacker's page cannot read because of the same-origin policy) and to reject any request whose token does not match; accepting only POST is not a defense on its own, since a hidden form can POST just as well. There's an excellent whitepaper on the subject here....
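The attack and the synchronizer-token defense described above, as an added example that is not from the original page or the whitepaper it links to. It simulates a tiny in-memory "bank" with two handlers for the same money-transfer request: one that trusts the session cookie alone and one that also demands the per-session token. The names (`Request`, `transfer_vulnerable`, `transfer_protected`, `login`) and the forged request are constructed for illustration and stand in for a real web framework.

```python
"""Synchronizer-token CSRF defense, simulated without a web server.

Added example (not the page's own code).  SESSIONS and BALANCES play the
role of a framework's session store and a database; Request is what a
handler sees after the browser has attached cookies to a POST.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Cookies the browser attached automatically, plus the POST body."""
    cookies: dict
    form: dict


SESSIONS: dict = {}                      # session id -> {"user", "csrf"}
BALANCES = {"alice": 100, "mallory": 0}  # constructed account data


def login(user: str) -> str:
    """Create a session; the returned id is what the browser stores as a cookie.
    A fresh, unguessable CSRF token is minted alongside it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds as a hidden field in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def _do_transfer(user: str, to: str, amount: int) -> str:
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return "ok"


def transfer_vulnerable(req: Request) -> str:
    """Authorizes on the session cookie alone.  Any page that can make the
    browser POST here (an auto-submitting form on evil.example) succeeds,
    because the browser attaches the cookie no matter who built the request."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    return _do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))


def transfer_protected(req: Request) -> str:
    """Same handler plus the synchronizer-token check.  The attacker's page
    cannot read the token (same-origin policy), so the forged request fails
    even though the victim's cookie is present.  compare_digest avoids a
    timing side channel on the comparison."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return "403 csrf token missing or wrong"
    return _do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))


def demo() -> dict:
    """Replay one forged request against both handlers, then a genuine one."""
    BALANCES.update({"alice": 100, "mallory": 0})
    sid = login("alice")
    # Constructed forged request: evil.example's hidden form posts to /transfer.
    # The browser adds alice's cookie; evil.example cannot know her token.
    forged = Request(cookies={"sid": sid}, form={"to": "mallory", "amount": "50"})
    vulnerable = transfer_vulnerable(forged)
    BALANCES.update({"alice": 100, "mallory": 0})
    protected_forged = transfer_protected(forged)
    # A request from the site's own form carries the hidden token field.
    legit = Request(cookies={"sid": sid},
                    form={"to": "mallory", "amount": "50",
                          "csrf_token": csrf_token_for(sid)})
    protected_legit = transfer_protected(legit)
    return {"vulnerable": vulnerable, "protected_forged": protected_forged,
            "protected_legit": protected_legit, "balances": dict(BALANCES)}


if __name__ == "__main__":
    print(demo())
```

The token must be per session (or per form), generated from a cryptographic random source, and compared on every state-changing request; a token that is merely the session id, or one that leaks into URLs and Referer headers, gives up the protection.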
5 Steps to Secure Development
Here's an excellent article from eWeek on secure application development. It begins with defining the process before development starts and continues through monitoring the application in production. A good overview.
A certification in security can be valuable
Among others, there are two very popular industry security certifications, the CISSP (Certified Information Systems Security Professional) from (ISC)², the International Information Systems Security Certification Consortium, and the CompTIA Security+ from CompTIA, the Computing Technology Industry Association.
I have the CompTIA Security+ certification. The test is inclusive and requires knowledge of all aspects of IT security. The CISSP certification is also very inclusive and rigorous, somewhat tougher to achieve, and requires renewal every few years. The CISSP may be required by some companies to work as a security architect. Each certification is valuable for your career, and each organization offers other certifications, as well.
(ISC)² now offers a new certification that applies more towards application development security specifically. That's the CSSLP (Certified Secure Software Lifecycle Professional). I may look into taking that test. Any certification you achieve in your area of work can be very valuable for your career.
- Jeff (CompTIA Security+ Certified Professional)
The authentication user experience
A successful authentication system is more than just a step in being able to let the good guys in while keeping the bad guys out. No matter how secure your authentication system is, if it causes a bad user experience at your site, it can be just as damaging to your bottom line as a weak authentication system.
This article approaches authentication from the standpoint of usability. The author, Jared Spool, is a well-known expert on user interface design. I've heard him speak and he's terrific. Although the article is not specifically about authentication technology, I think you'll like it, and a second one linked to near the bottom of it is quite pertinent to the overall quality of your site.
Botnet installs SQL injection tool
As you know, SQL injection is one of the most dangerous classes of vulnerability: an attacker who can alter the SQL a Web application sends to its database can read sensitive, private database contents, and often modify them as well. Now computers compromised by a botnet are being loaded with a SQL injection attack tool, turning each bot into an attacker of Web applications. This is a far cry from the old days, when botnets were typically used to send millions of phishing emails. This article discusses this dangerous new attack mechanism.
The IBM Rational Software Conference 2009
Want to learn more about how to plan, develop and test secure applications? The IBM Rational Software Conference 2009, May 31 - June 4 at the Walt Disney World Swan and Dolphin Hotel in Orlando, FL, USA, was a huge success. There were many sessions on security during requirements gathering, development and testing, and on testing the security of applications after they are deployed. Attendees also learned how Rational and other IBM tools and middleware support security.
To see some of what the security-related sessions were, check out the Conference Agenda link, followed by the Tracks-at-a-glance link, followed by the Application Security and Compliance track.
And mark your calendars for the IBM Rational Software Conference 2010, June 6-10, Walt Disney World Swan and Dolphin, Orlando, Florida. Stay tuned for more information!
Here's an excellent webcast on Flash and Flex security
Adobe Flash is virtually ubiquitous in Web browsers today. But it's not necessarily secure unless the Flash/Flex developer follows some important guidelines. This webcast, by Ayal Yogev of IBM Rational's security group, illustrates some potential Flash security holes, how to protect against them, and how to test that protection.
Or what the phishers are up to...
This fascinating interview isn't exactly about application security. It's about what the phishers are doing to our applications when those are not secure. Get the inside scoop on the phishing underground. In general, net-security.org is an interesting site to check from time to time.
Are they the same - part 1?
Confidentiality and privacy are terms that are often confused when discussing security. Both deal with keeping data away from unintended readers or recipients, but their focus is not the same.
Loosely borrowing from the International Organization for Standardization (ISO), we often identify a list of key security requirements that a secure system should provide. From a message recipient's standpoint, among these requirements are
- Identification: sender, who are you?
- Authentication: please prove that your claimed identity is true.
- Authorization: are you allowed to perform this transaction?
- Integrity: is the data you sent the same as the data I received, with nothing altered in transit?
- Confidentiality: are we sure that nobody else could read the data you sent me?
- Auditing: I keep a record of all transactions so we can look for security problems after the fact.
- Non-repudiation: you cannot deny that you sent the message I received, and I can provide proof to a third party (e.g. a judge) that you did.
Continued below....
Are they the same - part 2?
Confidentiality is enforced with access control and with cryptography, typically symmetric or asymmetric keys used to encrypt and decrypt messages; the question it answers is whether anyone other than the intended recipient can read the data. Privacy addresses the purpose for which data is accessed and the choice of the data owner.
In privacy we define the data owner as the data subject, the person the data is about, while the data custodian is the entity that holds the data. For example, my health insurance records are held by an insurance company, but those records belong to me. The insurance company is the custodian.
Privacy addresses the purpose of the data access based on the role of the accessor. A person may be my primary physician, and I will opt in to allowing them access to my records in that role. But that same doctor may also have a second job as a marketing consultant for a drug manufacturer or another insurance company, and I will opt out of allowing them access in that role. It is my choice as the owner of my data.
Confidentiality and privacy are related to each other and to access control, but in different ways. They are not the same thing: an encrypted record is confidential, but it is private only if it is used solely for purposes its owner has agreed to.
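The physician-versus-marketer scenario above, as an added example that is not from the original page: a custodian's access check that enforces both its own role policy (access control) and the data subject's per-accessor, per-purpose consent (privacy), so the same person is allowed in one role and refused in another. The names (`HealthRecord`, `Purpose`, `ROLE_PURPOSES`, `can_access`) and the sample record are hypothetical.

```python
"""Purpose-based privacy check layered on ordinary access control.

Added example (not the page's own code).  The data subject owns the
consents; the custodian owns the role policy; both must say yes.
"""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    CLAIMS = "claims"
    MARKETING = "marketing"


@dataclass
class HealthRecord:
    subject: str        # data owner: the person the record is about
    custodian: str      # who holds it: the insurer
    contents: str
    # subject's consents: accessor -> set of purposes opted in to
    consents: dict = field(default_factory=dict)

    def opt_in(self, accessor: str, purpose: Purpose) -> None:
        self.consents.setdefault(accessor, set()).add(purpose)

    def opt_out(self, accessor: str, purpose: Purpose) -> None:
        self.consents.get(accessor, set()).discard(purpose)


# Custodian's policy (access control): which role may act for which purpose.
ROLE_PURPOSES = {
    "physician": {Purpose.TREATMENT},
    "claims_adjuster": {Purpose.CLAIMS},
    "marketing_consultant": {Purpose.MARKETING},
}


def can_access(record: HealthRecord, accessor: str, role: str, purpose: Purpose) -> tuple:
    """Return (allowed, reason).  The custodian's role policy is checked first;
    then the subject's consent for this accessor *and* this purpose.  Passing
    the first check never implies the second: that is the privacy layer."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        return False, f"custodian policy: role {role!r} may not act for {purpose.value}"
    if purpose not in record.consents.get(accessor, set()):
        return False, f"subject {record.subject!r} has not consented to {accessor!r} for {purpose.value}"
    return True, "allowed"


def demo() -> dict:
    """Constructed scenario: dr_smith is both my physician and a marketing consultant."""
    rec = HealthRecord(subject="jeff", custodian="AcmeInsurance", contents="<claims history>")
    rec.opt_in("dr_smith", Purpose.TREATMENT)   # opted in for treatment only
    return {
        "as_physician": can_access(rec, "dr_smith", "physician", Purpose.TREATMENT)[0],
        "as_marketer": can_access(rec, "dr_smith", "marketing_consultant", Purpose.MARKETING)[0],
        # a physician claiming a marketing purpose is stopped by the custodian's policy
        "physician_for_marketing": can_access(rec, "dr_smith", "physician", Purpose.MARKETING)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what encryption would not change here: if the record were encrypted at rest and dr_smith held the key, confidentiality would be satisfied in both roles, yet the marketing access would still be a privacy violation. The consent check is what encodes the owner's choice.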
The Open Web Application Security Project Top Ten Vulnerabilities
OWASP is a worldwide free and open community focused on improving the security of application software. OWASP maintains the Top Ten, its list of the most critical Web application vulnerabilities, along with a host of great information about Web application security: examples of what not to do in your applications, tools and tutorials for making your applications secure, and much more. Check out OWASP!
Scan your Web application for vulnerabilities
Now with a demo! Even when you think you've eliminated every vulnerability in your application during development and testing, you may be surprised at what is still in there. Automated vulnerability scanning is one way to reduce the risk. AppScan from Rational is a Web application security assessment suite that pinpoints critical vulnerabilities and manages the process of fixing them. Watch an online video demo of AppScan to see how it works, how powerful it is, and how easy it is to use. Check it out.
Why Ajax security is not enough: Time for SMash
We can't be complacent just because we've followed all the rules for secure Ajax usage. Mashups, which combine scripts and content from several sources in one page, introduce further opportunities for vulnerabilities, since every component shares the page with all the others. SMash is a new technology, recently donated by IBM to the OpenAjax Alliance, that seeks to provide a solution for this issue. You can read about it here.
You can also read about it at eWeek and InfoWorld.
What is Clickjacking?
Clickjacking is a newer type of attack in which an attacker's page loads a legitimate Web site in an invisible (transparent) frame placed on top of decoy content. Users think they are clicking on a normal, safe link or button on the attacker's page, but the click actually lands on a control inside the hidden frame of the legitimate site, where the user is already logged in, so the legitimate site carries out the action (a purchase, a settings change) with the user's credentials. There are several ways clickjacking can be implemented, and it is hard to prevent because it uses normal capabilities present in every browser: frames, transparency and absolute positioning. IE 8 introduced the X-Frame-Options response header, which lets a site tell the browser not to render it inside another site's frame, and NoScript's ClearClick detects hidden frames on the client side; both help only where they are supported, and JavaScript "frame-busting" on its own can be circumvented. Prevention needs to be built into every browser. For more information, see the NoScript FAQ and this article on clickjacking.
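The server-side defense mentioned above, as an added example that is not from the original page or the linked articles: a checker that reads a response's headers and decides whether a given origin could frame the page, using the X-Frame-Options header IE 8 introduced and, for later browsers, the Content-Security-Policy frame-ancestors directive. This is the kind of check a scanner runs over every page of a site to find the ones still open to clickjacking. The function name `may_frame` and the constructed header sets in `demo()` are hypothetical.

```python
"""Is this page frameable (exposed to clickjacking) from a given origin?

Added example (not the page's own code).  may_frame() evaluates response
headers roughly as a browser does: a CSP frame-ancestors directive wins
over X-Frame-Options, and with neither present any site may frame the page.
Only 'self', 'none', '*' and exact scheme://host[:port] CSP sources are
handled; wildcard hosts and scheme-less host sources are not.
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased: the unit browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def may_frame(headers: dict, page_url: str, framer_url: str) -> tuple:
    """Return (frameable, reason) for page_url loaded in a frame on framer_url.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    # CSP frame-ancestors takes precedence when present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            for src in parts[1:]:
                s = src.strip("'").lower()
                if s == "none":
                    return False, "frame-ancestors 'none'"
                if s == "*" or (s == "self" and framer == page) or s == framer:
                    return True, f"frame-ancestors allows {framer}"
            return False, f"frame-ancestors does not list {framer}"

    xfo = h.get("x-frame-options", "").strip()
    value = xfo.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM") and len(xfo.split()) == 2:
        return framer == _origin(xfo.split()[1]), "X-Frame-Options: ALLOW-FROM"
    return True, "no framing restriction: page can be clickjacked"


def demo() -> dict:
    """Constructed responses for a hypothetical bank page, each evaluated from
    an attacker's origin and from the bank's own origin: (evil, same-site)."""
    page = "https://bank.example/transfer"
    cases = {
        "no_header": {},
        "deny": {"X-Frame-Options": "DENY"},
        "sameorigin": {"x-frame-options": "SAMEORIGIN"},
        "csp_partner": {"Content-Security-Policy":
                        "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    }
    return {name: (may_frame(hdrs, page, "https://evil.example/decoy")[0],
                   may_frame(hdrs, page, "https://bank.example/help")[0])
            for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, (from_evil, from_self) in demo().items():
        print(f"{name:12s} evil={from_evil} self={from_self}")
```

The "no_header" case is the one to look for when auditing: every page that returns neither header can be framed by anyone, and a login or transaction page in that state is a clickjacking target regardless of how careful its own JavaScript is.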
Vulnerabilities - those we manage and those we own
Web application vulnerabilities can be divided into those we own and those we manage. Those we own are caused by insecure in-house application development, usually within the business logic of the app. SQL injection, path tampering, cross-site scripting (XSS), suspect content and cookie poisoning are typical examples. These Application-Specific Vulnerabilities, or ASVs, are our responsibility to find and fix, using our knowledge of the application, and usually not easily.
Vulnerabilities we manage are usually infrastructure-based, the result of defects in third-party components such as the Web server, application server or framework, and are known as Common Web Vulnerabilities, or CWVs. These are usually fixed by applying the patches vendors release, which makes component inventory and patch tracking the core of managing them. Learn about CWVs and application-specific vulnerabilities at MITRE and SecurityFocus. The SANS Institute also publishes an annual Top 20 list of the most critical vulnerabilities, and CVE (Common Vulnerabilities and Exposures), maintained by MITRE, is a dictionary of publicly known information security vulnerabilities and exposures.
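The first of the application-specific vulnerabilities listed above, SQL injection, as an added example that is not from the original page: the flawed business-logic query beside its parameterized replacement, run against a constructed in-memory SQLite table so the difference is visible in the rows returned. Function names and the sample data are hypothetical; the payloads are the classic tautology and a UNION that pulls the whole table.

```python
"""SQL injection in business logic, vulnerable and fixed, using sqlite3.

Added example (not the page's own code).  The same lookup is written twice:
once by string concatenation, once with bind parameters.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table of users and a sensitive column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "111-22-3333"), ("bob", "444-55-6666")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The user's input is spliced into the SQL text, so a quote character in
    it ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT name, ssn FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bind parameters: the statement is fixed and the value travels separately,
    so the input is only ever compared as data, never parsed as SQL."""
    return conn.execute("SELECT name, ssn FROM users WHERE name = ?", (name,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"                              # makes the WHERE clause always true
UNION = "x' UNION SELECT name, ssn FROM users--"       # appends a second query; -- comments out the rest


def demo() -> dict:
    """Run a normal lookup and both payloads through both implementations."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY),
        "union_parameterized": lookup_parameterized(conn, UNION),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable version returns every row for either payload; the parameterized one returns nothing, because no user is literally named `x' OR '1'='1`. Escaping quotes by hand is not an equivalent fix: it has to be right for every database, every encoding and every place the value is used, whereas bind parameters remove the problem class.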
Enterprise Application Security 101
Interested in an overview of enterprise application security, starting with the basics and covering Java and JEE security, Web services security, SOA security, and malware and attacks? This presentation, in book form, covers all of these topics. Download the PDF.
Hacking 101, a different security briefing
This briefing focuses on the techniques an attacker can use to break into a Web site, and on what we can do to prevent that from happening. IBM Rational Watchfire AppScan is one strong tool in our arsenal.