Feeds
13620 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
51 items tagged "Announcements"
CGISecurity.com: Your Web Site and Application Security Resource
-
WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants
Posted: June 27th, 2011, 2:26pm CDT by Robert A.
Tags: Announcements [edit]
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,... -
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
Posted: March 31st, 2011, 12:17pm CDT by Robert A.
Tags: Announcements [edit]
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals... -
The OWASP AppSec USA 2011 Call for Papers (CFP)
Posted: March 18th, 2011, 2:47pm CDT by Robert A.
Tags: Announcements [edit]
Lorna Alamri writes in the following announcement "The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit the following URL to submit your abstract for the September 22-23, 2011 talks in Minneapolis, Minnesota: http://www.appsecusa.org/talks.html We're excited to announce that speakers will be in good company with our first keynote,... -
WASC Party at RSA
Posted: January 19th, 2011, 1:09pm CST by Robert A.
Tags: Announcements [edit]
The Web Application Security Consortium (in which I am a co founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon.... -
New Silicon Valley security conference - BayThreat
Posted: November 18th, 2010, 6:53pm CST by Robert A.
Tags: Announcements [edit]
A handful of people from silicon valley (myself included) have been discussing the lack of good hacker conference in the bay area (RSA does not count) for some time and decided to meet up during defcon to see what we could do about this. It was concluded that the only logical thing... -
Phrack #67 is out for 25th anniversary!
Posted: November 18th, 2010, 12:55pm CST by Robert A.
Tags: Announcements [edit]
To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace... -
Web Security Dojo v1.0 release
Posted: March 1st, 2010, 11:30am CST by Robert A.
Tags: Announcements [edit]
From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use... -
Watcher 1.3.0 passive Web-vulnerability testing tool released
Posted: March 1st, 2010, 11:28am CST by Robert A.
Tags: Announcements [edit]
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can... -
2010 SANS Top 25 Most Dangerous Programming Errors Released
Posted: February 16th, 2010, 1:05pm CST by Robert A.
Tags: Announcements [edit]
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top... -
R.I.P. Apache 1.x: Apache 1.3.42 marks of end life
Posted: February 3rd, 2010, 12:29pm CST by Robert A.
Tags: Announcements [edit]
The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider... -
Nikto version 2.1.1 released
Posted: February 2nd, 2010, 2:44pm CST by Robert A.
Tags: Announcements [edit]
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,... -
Announcement: WASC Threat Classification v2 is Out!
Posted: January 1st, 2010, 6:08pm CST by Robert A.
Tags: Announcements [edit]
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is... -
Microsoft's Enhanced Mitigation Evaluation Toolkit adds protection to processes
Posted: October 28th, 2009, 12:55pm CDT by Robert A.
Tags: Announcements [edit]
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more... -
OWASP Publishes Transport Layer Protection Cheat Sheet
Posted: October 19th, 2009, 5:11pm CDT by Robert A.
Tags: Announcements [edit]
"This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance... -
WASC Announcement: 2008 Web Application Security Statistics Published
Posted: October 16th, 2009, 11:36am CDT by Robert A.
Tags: Announcements [edit]
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application... -
Announcing the Web Application Security Scanner Evaluation Criteria v1
Posted: October 8th, 2009, 12:02pm CDT by Robert A.
Tags: Announcements [edit]
"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list... -
Microsoft publishes BinScope and MiniFuzz
Posted: September 17th, 2009, 11:16am CDT by Robert A.
Tags: Announcements [edit]
From the download pages. BinScope "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build... -
Next Phase of WASC's Distributed Open Proxy Honeypot Project Begins
Posted: August 4th, 2009, 2:25am CDT by Robert A.
Tags: Announcements [edit]
Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at blackhat where he showed me the central console displaying metrics for each... -
Nmap 5.00 Released
Posted: July 16th, 2009, 2:56pm CDT by Robert A.
Tags: Announcements [edit]
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this. Considering all the changes,... -
Microsoft Security Bulletin Summary for July 2009
Posted: July 14th, 2009, 4:19pm CDT by Robert A.
Tags: Announcements [edit]
It is Microsoft patch Tuesday and the following issues have been addressed. MS09-029 Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution.... -
WASC Threat Classification 2.0 Sneak Peek
Posted: July 7th, 2009, 11:55am CDT by Robert A.
Tags: Announcements [edit]
Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification... -
Fuzzware 1.5 released
Posted: July 6th, 2009, 4:46pm CDT by Robert A.
Tags: Announcements [edit]
"Fuzzware is tool for pen-testers and software security testers that is designed to simplify the fuzzing process, while maximising the fuzzing quality and effectiveness. Fuzzware is adaptable to various testing scenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you fine grain control over the fuzzing techniques used and ensures any... -
Phrack 66 is out!
Posted: June 11th, 2009, 9:29am CDT by Robert A.
Tags: Announcements [edit]
IntroductionTCLH Phrack Prophile on The PaX TeamTCLH Phrack World NewsTCLH Abusing the Objective C runtimenemo Backdooring Juniper FirewallsGraeme Exploiting DLmalloc frees in 2009huku Persistent BIOS infectionaLS and Alfredo Exploiting UMA : FreeBSD kernel heap exploitsargp and karl Exploiting TCP Persist Timer Infinitenessithilgore Malloc Des-Maleficarumblackngel A Real SMM RootkitCore Collapse Alphanumeric RISC... -
New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks
Posted: June 9th, 2009, 10:57am CDT by Robert A.
Tags: Announcements [edit]
Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and... -
Insecure Magazine 21 (June) Released
Posted: June 1st, 2009, 9:38am CDT by Robert A.
Tags: Announcements [edit]
Insecure magazine 21 has been released and covers the following. Malicious PDF: Get owned without opening Review: IronKey Personal Windows 7 security features: Building on Vista Using Wireshark to capture and analyze wireless traffic "Unclonable" RFID - a technical overview Secure development principles Q&A: Ron Gula on Nessus and Tenable Network... -
L0phtCrack is back, finally available for download
Posted: May 31st, 2009, 1:27pm CDT by Robert A.
Tags: Announcements [edit]
"It's official: The famous password-cracking tool L0phtCrack is back, and its creators plan to keep it that way. L0phtCrack 6 tool, released Wednesday, was developed in 1997 by Christien Rioux, Chris Wysopal, and Peiter "Mudge" Zatko from the former L0pht Heavy Industries -- the hacker think tank best known for testifying... -
SamuraiWTF live web testing framework 0.6 released
Posted: May 20th, 2009, 11:54am CDT by Robert A.
Tags: Announcements [edit]
"The SamuraiWTF project team is proud to announce the immediate release of SamuraiWTF 0.6. This release contains a number of fixes and updates as well as the first release of a VM image. This VM requires Vmware 5.0 or better. It will also work in any version of VMWare Fusion.ThanksKevin Johnson"... -
Sysinternal Tool updates: Autoruns v9.5, PsLoglist v2.7, PsExec v1.95
Posted: May 11th, 2009, 12:34pm CDT by Robert A.
Tags: Announcements [edit]
Not website security related but still useful tools. Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution. PsLoglist v2.7: This version of PsLoglist, a command-line event log display... -
Google Chrome Update Addresses 2 Security Flaws
Posted: May 7th, 2009, 10:05am CDT by Robert A.
Tags: Announcements [edit]
CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able... -
Web 2.0 Application Proxy, Profiling and Fuzzing tool
Posted: April 27th, 2009, 11:24am CDT by Robert A.
Tags: Announcements [edit]
"This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can... -
Firefox 3.0.9 Released to Fix Multiple Security Flaws
Posted: April 22nd, 2009, 9:39am CDT by Robert A.
Tags: Announcements [edit]
MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString MFSA 2009-18 XSS hazard using third-party... -
Nessus Version 4 Released
Posted: April 10th, 2009, 12:35pm CDT by Robert A.
Tags: Announcements [edit]
"Tenable is pleased to announce the release of Nessus version 4! This blog post highlights some of the enhancements and new features available in Nessus 4.0. One of the most notable features is the ability to create custom XSLT reports based on your scan results. Nessus now also supports a fully... -
Watcher: a free web-app security testing and compliance auditing tool
Posted: March 27th, 2009, 3:49pm CDT by Robert A.
Tags: Announcements [edit]
"Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for... -
SWFScan - Free Flash Security Tool
Posted: March 23rd, 2009, 11:41am CDT by Robert A.
Tags: Announcements [edit]
"HP SWFScan is a free security tool to developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security... -
Microsoft releases !exploitable crash evaluation tool
Posted: March 23rd, 2009, 11:04am CDT by Robert A.
Tags: Announcements [edit]
"Aiming to better identify bugs that could lead to security issues, Microsoft announced on Wednesday that it planned to release a tool to help developers classify and assess program crashes. The tool, known as !exploitable and pronounced "bang exploitable," is a plugin for the Windows debugger that categorizes crash information using... -
WarVOX 1.0.0 Released
Posted: March 6th, 2009, 12:26pm CST by Robert A.
Tags: Announcements [edit]
HD Moore sent the following to bugtraq this morning. "WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a... -
The return of L0phtCrack
Posted: March 4th, 2009, 12:04pm CST by Robert A.
Tags: Announcements [edit]
"More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack has reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference. A teaser post on... -
Apple goes public with security in Safari 4
Posted: February 25th, 2009, 3:51pm CST by Robert A.
Tags: Announcements [edit]
"Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier Javascript processing and additional eye candy, such as cover flow. The security features are not new, however. The company quietly added anti-malware and phishing... -
CERT Advisory VU#435052: An Architectural Flaw In Transparent Proxies
Posted: February 23rd, 2009, 10:14am CST by Robert A.
Tags: Announcements [edit]
For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New... -
CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies
Posted: February 23rd, 2009, 10:14am CST by Robert A.
Tags: Announcements [edit]
For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New... -
Firefox 3.0.6 Released To Address Multiple Security Issues
Posted: February 5th, 2009, 11:42am CST by Robert A.
Tags: Announcements [edit]
Fixed in Firefox 3.0.6 MFSA 2009-06 Directives to not cache pages ignored MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04 Chrome privilege escalation via local .desktop files MFSA 2009-03 Local file stealing with SessionStore MFSA 2009-02 XSS using a chrome XBL method and window.eval MFSA 2009-01 Crashes with evidence of... -
Web Application Security Consortium (WASC) RSA Meetup 2009
Posted: February 5th, 2009, 11:17am CST by Robert A.
Tags: Announcements [edit]
If you like talking about website and application security and will be in San Francisco in April I highly recommend attending the Web Application Security Consortium's RSA Meet-up. We've been doing this for the past 3-4 years and always get a great crowd. He's the formal announcement. Take a Break @... -
Monster.com: yet another breach
Posted: January 23rd, 2009, 9:01pm CST by Romain Gaucher
Tags: Announcements [edit]
Monster.com has recently experienced yet another breach. "As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken,... -
Microsoft Patch Tuesday: MS09-001
Posted: January 13th, 2009, 1:03pm CST by Robert
Tags: Announcements [edit]
Microsoft has just published MS09-001 . This update addresses an SMB flaw. "Vulnerabilities in SMB Could Allow Remote Code Execution (958687) This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited... -
Microsoft Patch Tuesday: MS09-001
Posted: January 13th, 2009, 1:03pm CST by Robert A.
Tags: Announcements [edit]
Microsoft has just published MS09-001 . This update addresses an SMB flaw. "Vulnerabilities in SMB Could Allow Remote Code Execution (958687) This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited... -
CWE & SANS TOP 25 Most Dangerous Programming Errors
Posted: January 12th, 2009, 11:06am CST by Robert
Tags: Announcements [edit]
"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft,... -
CWE & SANS TOP 25 Most Dangerous Programming Errors
Posted: January 12th, 2009, 11:06am CST by Robert A.
Tags: Announcements [edit]
"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft,... -
OWASP releases Application Security Verification Standard for developers, security pros, and buyers
Posted: December 30th, 2008, 12:46pm CST by Robert
Tags: Announcements [edit]
"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS). Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial... -
OllyDbg Version 2.0 - Beta 1 Released
Posted: December 28th, 2008, 5:57pm CST by Robert
Tags: Announcements [edit]
"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much... -
OWASP testing Guide Version 3.0 Released
Posted: December 17th, 2008, 5:29pm CST by Robert
Tags: Announcements [edit]
OWASP released the following press release today."The OWASP testing guide version 3 has been officially released.This project is part of the OWASP 2008 Summer of Code that started on April 2008. The guide resulted in a 349 page book and is the contribution of a team of 21 authors, 4 reviewers... -
Firefox Halting 2.x security patching/support, urges users to upgrade to 3.0 or get pwned
Posted: December 17th, 2008, 2:37pm CST by Robert
Tags: Announcements [edit]
"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as...