1 - 22 of 22 results
Validating CSRF vulnerabilities reported by automated scanners
This tutorial covers how to manually validate cross-site request forgery (CSRF) vulnerabilities reported by an automated security scanner such as IBM AppScan. Most automated scanners, AppScan included, do not report CSRF accurately: they work from predefined rules and cannot fully determine whether a given state-changing request is actually exploitable cross-site. To validate such a finding, the tester has to reproduce the request by hand and decide whether it is a true positive or a false alarm. The tutorial is a step-by-step guide to reproducing and validating reported CSRF vulnerabilities using a custom flow chart, and also covers the open source tool "CSRF Tester", which provides rich functionality for validating such issues.
Articles 27 Nov 2017
Avoid vulnerabilities and threats in the cloud
The cloud has been one of the most talked-about technologies since Web 2.0. While it has been lauded for its promise of cost savings, many organizations hesitate to pursue cloud-based solutions for security reasons. Like any other technology, the cloud is exposed to malicious attacks, but those who understand the security challenges they may face there are better able to secure the resources they place in it.
Also available in: Chinese   Russian   Japanese   Portuguese  
Articles 13 Jan 2012
Detect database vulnerabilities with Guardium and QRadar
IBM InfoSphere Guardium has a level of visibility into databases for vulnerabilities that no application scanner can ever have because it has deep access to the configuration and other information about the database server. But how do you manage the vulnerabilities that it finds? How do you prioritize and track the work? The answer is the IBM Security QRadar SIEM family of products.
Tutorial 02 Oct 2014
InfoSphere Guardium and the Amazon cloud, Part 1: Explore Amazon RDS database instances and vulnerabilities
The growing number of relational databases on the cloud accentuates the need for data protection and auditing. IBM InfoSphere Guardium offers real time database security and monitoring, fine-grained database auditing, automated compliance reporting, data-level access control, database vulnerability management, and auto-discovery of sensitive data in the cloud. With the Amazon Relational Database Service (RDS) you can create and use your own database instances in the cloud and build your own applications around them. This two-part series explores how to use Guardium to protect database information in the cloud. This article describes how to use Guardium's discovery and vulnerability assessment with Amazon RDS database instances. Part 2 will cover how Guardium uses Amazon S3 for backup and restore.
Also available in: Chinese   Russian   Portuguese   Spanish  
Articles 27 Feb 2014
Find vulnerabilities specific to session management
Vulnerabilities specific to session management are serious threats to any web application and are also among the most challenging to find and fix. Sessions are attractive targets because a hijacked session lets an attacker act as an already-authenticated user without ever having to authenticate.
Articles 26 Jan 2017
OWASP top 10 vulnerabilities
Look at the top 10 web application security risks worldwide as determined by the Open Web Application Security Project. Then discover how IBM Security AppScan helps website administrators find, correct, and avoid these and other web security threats.
Articles 20 Apr 2015
IBM Security AppScan Standard: Scan and analyze results
This is a summary guide to getting started scanning for web application vulnerabilities with IBM Security AppScan Standard Edition and analyzing the results. Watch a video demonstration to learn how to configure AppScan for a dynamic scan of a new application. Follow a case study that demonstrates using AppScan Standard to scan and test two web applications. Watch a five-step process to help you analyze the results of your scan. Then watch a real-life scenario in which AppScan Standard is used (with AppScan Source) to establish embedded security analysis. A bonus is also included: An AppScan Standard guide to testing mobile applications.
Articles 19 Jun 2013
Identify and avoid false positives with IBM AppScan
IBM Security AppScan is a tool that performs dynamic security scanning of web applications and services to identify the security vulnerabilities that are present in applications. Along with valid vulnerabilities, an automated scanning tool can also report vulnerabilities that turn out to be invalid upon further manual analysis. These "vulnerabilities" are commonly known as false positives. In this article, we discuss some common false positives reported by AppScan and provide guidance on how a tester can validate whether the reported issue is a false positive or not. Additionally, the article explains how to avoid such false positives from being reported by making the proper configuration changes to the AppScan tool.
Also available in: Japanese  
Articles 31 Aug 2016
Using Notes/Domino SMTP with a DMZ, Part 1
Email is everywhere -- and so are people who want to abuse it to gain access to your corporate environment. Help keep them out by setting up a DMZ between the public Internet and your company's users and resources. In this first of a two-part series, we explain how SMTP mail works. We take a look at its potential vulnerabilities and how spammers and hackers try to take advantage of them, and then discuss how a DMZ can help spoil their nefarious plans.
Also available in: Japanese  
Articles 09 Nov 2004
Introduction to cryptography, Part 6: Miscellaneous issues
Properly constructed ciphers with strong keys of adequate length, securely protected, are now effectively unbreakable. However, vulnerabilities still exist and in the case of asymmetric cryptography, it's important to know that a public key is genuine. A digital certificate can confirm this, although this is not absolute, depending instead on trust at some level. In addition, there are cases where special forms of signature are needed, perhaps allowing signing without viewing the content, or where one person needs to confirm to another, without revealing content, that he knows something secret. The exact time when something was signed digitally may need to be verified and this can be handled through digital timestamping.
Articles 01 Mar 2001
Remote Exploitation of the Cordova Framework
In this report, the authors explain how they have discovered vulnerabilities in at least some versions of Apache Cordova.
Articles 21 May 2015
Introduction to cryptography, Part 4: Cryptography on the Internet
The Internet introduces a whole new raft of vulnerabilities. Organizations or individuals with whom you're communicating may be unknown or may be masquerading as someone else. Without getting paranoid about such issues, it's necessary to take suitable precautions against loss occasioned in various ways, whether by diversion of funds, the consequences of faulty authentication, loss of confidential information, repudiation of contracts and so on. Cryptography is central to managing this new level of risk, and this feature introduces some of the protocols and related mechanisms that are of particular relevance to Internet activity, including e-mail.
Articles 01 Mar 2001
IBM Security AppScan Source: Explore functions
This is a summary guide to learn the basics of using IBM Security AppScan Source Edition. Derek Chowaniec will show you how to configure applications for scanning, alter the scanning configuration for your security needs, use the integrated tools to build a report, triage the information based on your findings, and configure the system to scan and analyze precompiled code. Tom Mulvehill shows you how to hunt down vulnerabilities in Android applications.
Articles 11 Jul 2013
Create secure Java applications productively, Part 2
This is the second in a two-part tutorial series on creating secure Java-based Web applications using Rational Application Developer, Data Studio and Rational AppScan. In Part 1 you developed a Java Web application with Rational Application Developer, and then deployed the application on WebSphere Application Server with Java Server Pages (JSP). This tutorial shows you how to scan the Wealth application created in Part 1 using Rational AppScan to discover and fix all known Web security vulnerabilities. It also shows how to re-scan your application and generate reports.
Tutorial 04 May 2008
Run a SAST scan of a Java application by using Bluemix Static Analyzer
Save time and money by finding source code vulnerabilities early in the software development lifecycle by using the new Static Analyzer service on Bluemix. The Static Analyzer service combines the power of static application security testing (SAST) with intelligent findings analysis (IFA) technology to provide you with high-confidence, actionable findings.
Also available in: Chinese   Japanese  
Articles 24 Sep 2015
Prevent cross-site request forgery: Know the hidden danger in your browser tabs
Explore two strategies to help prevent cross-site request forgery attacks as you review a detailed, step-by-step cross-site request forgery attack scenario. Also, look at some issues for scanning tools as they try to find cross-site request forgery vulnerabilities.
Also available in: Chinese   Russian   Japanese  
Articles 25 Mar 2014
Improve web application security with jQuery Mobile
Many web developers consider security a low priority. Security is frequently relegated to the end of the software development life cycle, as little more than an afterthought. Sometimes, software security is neglected entirely, resulting in applications rife with common vulnerabilities. Because such bugs might manifest only under conditions present during an attack, they can be hard to detect prior to such events without knowledge of how the exploitation process works. Using a web application built with jQuery Mobile, PHP, and MySQL, this tutorial shows how many types of vulnerabilities occur along with common methods of exploitation and, most importantly, their respective countermeasures.
Also available in: Chinese   Japanese   Portuguese   Spanish  
Tutorial 03 May 2011
Detecting security risks with IBM Security QRadar Vulnerability Manager
Detecting risks as they appear lets you manage security vulnerabilities before they are exploited and protect the data behind them. IBM Security QRadar Vulnerability Manager scans for, detects, and helps mitigate information security risks.
Also available in: Russian  
Articles 24 Jul 2014
System security and practical penetration testing
Evolving vulnerabilities in web-facing applications are a growing and troublesome trend. This fact, coupled with a growing community of cybercriminals and hacktivists, means that your applications could be the next new example of a high-profile breach. Discover some of the tools the hacking community uses, and learn how you can protect yourself against them.
Also available in: Russian  
Articles 24 Sep 2013
The top ten security articles you need to read
In this article, I write about great resources that you should keep in your arsenal. I tried to get something for everyone, so whether you're a developer, an administrator, or even just someone who's interested in how security vulnerabilities occur and what can be done about it, this list covers all of this and more.
Articles 26 Oct 2017
An architectural view of QRadar Vulnerability Manager
Advanced persistent threats, the evolution of IT infrastructures, and compliance complacency can stymie security vulnerability monitoring. IBM Security QRadar Vulnerability Manager is helping redefine how IT security teams collect and use vulnerability assessment data by identifying an organization's largest exposures and building a smarter remediation and mitigation action plan. By correlating scan results with the security intelligence data of QRadar SIEM, you can quickly prioritize the vulnerabilities that present the greatest potential danger and set aside false positives and those already classified as non-threatening. Scans can be triggered immediately, launched in response to network behavior, or scheduled to run at regular intervals against either all components or a specified sub-segment of assets.
Articles 20 Aug 2013
Are you under attack? Detect attacks against Node.js applications
In this tutorial, you learn how to detect when your IBM Bluemix Node.js web application is being scanned and attacked.
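The detection the tutorial is about is, at its core, a set of heuristics over the application's request log: one client producing a burst of 404s, requests for paths the application does not serve (which a crawler or wordlist scanner will always generate), and self-identifying scanner User-Agents. The following is an added example written for this listing, not the tutorial's code: a parser for combined-format access-log lines and a per-client detector run over a handful of constructed sample lines. The sample lines, the probe-path list, the User-Agent list and the 404 threshold are all assumptions made for the example; tune the lists to what your application actually serves.

```javascript
'use strict';

// Added example, not the tutorial's code. The log lines below are constructed
// for the example: one normal visitor, one wordlist scan, one sqlmap run.
const SAMPLE_LOG = [
  '10.0.0.5 - - [14/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [14/Dec/2015:10:00:03 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:00 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:01 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [14/Dec/2015:10:01:02 +0000] "GET /login?id=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Dec/2015:10:05:00 +0000] "GET /login HTTP/1.1" 200 300 "-" "sqlmap/1.0-dev"',
];

// Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // malformed lines are skipped, not trusted
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Paths a Node.js app never serves but every wordlist scanner requests (assumed list).
const PROBE_PATHS = [/^\/\.env$/, /wp-login\.php/, /phpmyadmin/i, /\.(zip|bak|sql|git)$/i, /^\/admin/];
// Tools that announce themselves; absence proves nothing, presence is a strong signal.
const SCANNER_UA = /sqlmap|nikto|nmap|masscan|dirbuster|acunetix|zgrab/i;
// 404s per client before we call it a scan (assumed threshold).
const NOT_FOUND_THRESHOLD = 4;

// Returns [{ ip, reasons: [...] }] for each client that trips a heuristic.
function detectScans(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const s = perIp.get(r.ip) || { requests: 0, notFound: 0, probes: 0, scannerUa: false };
    s.requests++;
    if (r.status === 404) s.notFound++;
    if (PROBE_PATHS.some(re => re.test(r.path))) s.probes++;
    if (SCANNER_UA.test(r.ua)) s.scannerUa = true;
    perIp.set(r.ip, s);
  }
  const findings = [];
  for (const [ip, s] of perIp) {
    const reasons = [];
    if (s.notFound >= NOT_FOUND_THRESHOLD) reasons.push(`${s.notFound} responses with status 404`);
    if (s.probes > 0) reasons.push(`${s.probes} requests for paths this app does not serve`);
    if (s.scannerUa) reasons.push('scanner User-Agent');
    if (reasons.length) findings.push({ ip, reasons });
  }
  return findings;
}

module.exports = { SAMPLE_LOG, parseLine, detectScans, NOT_FOUND_THRESHOLD };
```

Run over the sample, the detector flags 203.0.113.9 for both the 404 burst and the probe paths, and 198.51.100.7 for its User-Agent, while the ordinary visitor produces no finding. In production the counters would be kept per client over a sliding time window rather than over the whole file, and the client address would be taken from the proxy-supplied header only if the app sits behind a proxy you control, since a spoofable header turns the detector into a way to get arbitrary addresses blocked.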
Also available in: Chinese  
Articles 14 Dec 2015