Feeds
13620 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
29 items tagged "Defense"
Related tags: In [+], Depth [+]
CGISecurity.com: Your Web Site and Application Security Resource
-
Adobe on Fuzzing Adobe Reader For Security Defects
Posted: December 21st, 2009, 5:01pm CST by Robert A.
Tags: Defense [edit]
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however... -
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Posted: November 24th, 2009, 6:07pm CST by Robert A.
Tags: Defense [edit]
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage... -
Generic Remote File Inclusion Attack Detection
Posted: June 29th, 2009, 11:15am CDT by Robert A.
Tags: Defense [edit]
"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client... -
Session Attacks and ASP.NET - Part 2
Posted: June 28th, 2009, 10:58pm CDT by Robert A.
Tags: Defense [edit]
"In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/ -
Microsoft bans Memcpy() in their SDL program
Posted: May 15th, 2009, 3:04pm CDT by Robert A.
Tags: Defense [edit]
"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the... -
Gap Analysis of Application Security in Struts2/WebWork
Posted: May 4th, 2009, 11:28am CDT by Robert A.
Tags: Defense [edit]
"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork (hereafter referred to simply as Struts2) development team could add to increase the security of applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version available when the project was... -
Improving Security with URL Rewriting
Posted: April 9th, 2009, 3:52pm CDT by Robert A.
Tags: Defense [edit]
"Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this... -
XSS (Cross Site Scripting) Prevention Cheat Sheet
Posted: April 3rd, 2009, 3:17pm CDT by Robert A.
Tags: Defense [edit]
"This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS... -
The Safe Math Library
Posted: March 31st, 2009, 1:16pm CDT by Robert A.
Tags: Defense [edit]
"The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification which is designed to provide alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promotes safer, more secure programming in C. To recap: The Safe C Library (available for download here) provides... -
Interview: Robert Seacord on the CERT C Secure Coding Standard
Posted: December 18th, 2008, 11:22am CST by Robert
Tags: Defense [edit]
"Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots.I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and... -
Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing
Posted: December 17th, 2008, 11:33am CST by Robert
Tags: Defense [edit]
"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard,... -
Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live
Posted: December 15th, 2008, 3:53pm CST by Robert
Tags: Defense [edit]
"CAT.NET - Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by... -
Mod_Security Author Calls It Quits
Posted: December 15th, 2008, 11:20am CST by Robert
Tags: Defense [edit]
The author of modsecurity Ivan Ristic has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security who eased concerns that it will remain open source. Based on email conversations with him he will not be leaving the... -
Executing scripts with non-english characters
Posted: December 14th, 2008, 10:38pm CST by Robert
Tags: Defense [edit]
There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks."I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than () symbols. Instead... -
Budgeting for Web Application Security
Posted: December 12th, 2008, 12:16pm CST by Robert
Tags: Defense [edit]
Jeremiah has published an entry on budgeting for web application security in your company."“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many... -
Understanding How to Use the Microsoft's Exploitability Index
Posted: November 18th, 2008, 11:58am CST by Robert
Tags: Defense [edit]
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment... -
Integrity-178B Secure OS Gets Highest NSA Rating, Goes Commercial
Posted: November 18th, 2008, 11:22am CST by Robert
Tags: Defense [edit]
"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company... -
Microsoft's Stance on Banned APIs
Posted: October 29th, 2008, 12:32pm CDT by Robert
Tags: Defense [edit]
Microsoft has a blog entry on their mentality/process on banning certain API calls to improve their software's security. "Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement... -
Microsoft's Stance on Banned APIs
Posted: October 29th, 2008, 12:32pm CDT by Robert
Tags: Defense [edit]
Microsoft has a blog entry on their mentality/process on banning certain API calls to improve their software's security. "Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement... -
W3C Working Draft for Access Control for Cross-Site Requests Published
Posted: September 22nd, 2008, 3:48pm CDT by Robert
Tags: Defense [edit]
"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by... -
W3C Working Draft for Access Control for Cross-Site Requests Published
Posted: September 22nd, 2008, 3:48pm CDT by Robert
Tags: Defense [edit]
"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by... -
Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document
Posted: September 19th, 2008, 5:11pm CDT by Robert
Tags: Defense [edit]
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the asp.net control html encoding information. He now integrated the content into FXCop to help quickly identify spots in asp.net binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx -
Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document
Posted: September 19th, 2008, 5:11pm CDT by Robert
Tags: Defense [edit]
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the asp.net control html encoding information. He now integrated the content into FXCop to help quickly identify spots in asp.net binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx -
Real World XSS Vulnerabilities in ASP.NET Code
Posted: September 15th, 2008, 3:01pm CDT by Robert
Tags: Defense [edit]
Microsoft has posted an article on what real world XSS vulnerable code looks like in ASP.NET applications. Handy if you develop asp.net or audit it for issues. "From couple of weeks we have been seeing some XSS vulnerabilities in asp.net code. Today I wanted to show you guys some real world... -
WASC Threat Classification v2 Project - Call for Participants
Posted: September 15th, 2008, 11:45am CDT by Robert
Tags: Defense [edit]
In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I'm sending this email to the list seeking people to contribute towards... -
How To: Detect Cross Site Scripting Vulnerabilities using XSSDetect
Posted: September 3rd, 2008, 11:57am CDT by Robert
Tags: Defense [edit]
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development... -
Which ASP.NET Controls Automatically HTML Entity Output Encodes?
Posted: September 2nd, 2008, 11:00am CDT by Robert
Tags: Defense [edit]
Sacha Faust has just published a grid mapping which asp.net controls automatically perform html entity output encoding when used. Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx -
Understanding the security changes in Flash Player 10 beta
Posted: August 29th, 2008, 4:43pm CDT by Robert
Tags: Defense [edit]
"The next version of Adobe Flash Player will offer a variety of new features and enhancements as well as some changes to the current behavior of Flash Player. Some of these changes may require existing content to be updated to comply with stricter security rules. Other changes introduce new abilities that...
Rational Survivability
-
Of Course Defense-In-Depth, er, Defense-In-Breadth Works!
Posted: May 7th, 2008, 8:41pm CDT by beaker
Tags: Defense In Depth [edit]
I don't know what the the hell Ptacek and crew are on about. Of course
defense-in-depthdefense-in-breadth is effective. It's heresy to suggest otherwise. Myopic, short-sighted, and heretical, I say!In support, I submit into evidence People's Exhibit #1, from here your honor:
...and I quoteth:
We use layers of security to ensure the security of the traveling public and the Nation's transportation system.
Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system. A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt.Yeah! Get some! It's just like firewalls, IPS, and AV, bitches! Mo' is betta!
It's patently clear that Ptacek simply doesn't layer enough, is all. See, Rothman, you don't need to give up!
"Twenty is the number and the number shall be twenty!"
How's that for a metric?
That is all.
/Hoff
