CGISecurity - Website and Application Security Newstag:typepad.com,2003:weblog-16948542013-05-10T09:27:35-07:00All things related to website, database, SDL, and application security since 2000.
CGISecurityWASC Announcement: Static Analysis Technologies Evaluation Criteria Publishedtag:typepad.com,2003:post-6a00e553aa1a28883301901c079c38970b2013-05-10T09:27:35-07:002013-05-10T09:28:22-07:00The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used...Robert A.http://www.cgisecurity.com/2013/05/wasc-announcement-static-analysis-technologies-evaluation-criteria-published.htmlPoll: How do you rank the importance of a vulnerability?tag:typepad.com,2003:post-6a00e553aa1a288833017ee727218e970d2013-01-09T15:37:36-08:002013-01-09T15:38:09-08:00I've added a new poll to the WASC linkedin group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840Robert A.http://www.cgisecurity.com/2013/01/poll-how-do-you-rank-the-importance-of-a-vulnerability.htmlFive pieces of advice for those new to the infosec industrytag:typepad.com,2003:post-6a00e553aa1a288833017ee3e2ee43970d2012-10-31T11:24:31-07:002012-10-31T21:21:22-07:00I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large...Robert A.http://www.cgisecurity.com/2012/09/five-pieces-of-advice-for-those-new-to-the-infosec-industry.htmlSecurity Industry Plagiarism: Finding 3 examples in 5 minutes with Google tag:typepad.com,2003:post-6a00e553aa1a288833015437d07740970c2012-01-07T23:11:50-08:002012-01-09T23:59:39-08:00UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....Robert A.http://www.cgisecurity.com/2012/01/detecting-plagiarism-with-google-and-book-search.htmlQuick defcon/blackhat preparation listtag:typepad.com,2003:post-6a00e553aa1a288833015434107d2b970c2011-07-28T13:25:19-07:002011-07-28T14:32:48-07:00A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best "Just because you're paranoid, doesn't mean they're not after you'. Here's a short list (albeit not complete as I don't plan to...Robert A.http://www.cgisecurity.com/2011/07/quick-defconblackhat-preperation-list.htmlSummary of Google+ browser security protectionstag:typepad.com,2003:post-6a00e553aa1a28883301543409c1d8970c2011-07-27T10:03:26-07:002012-11-29T09:29:14-08:00Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: https://www.barracudanetworks.com/blogs/labsblog?bid=1743Robert A.http://www.cgisecurity.com/2011/07/summary-of-google-browser-security-protections.htmlPaper: Web Application finger printing Methods/Techniques and Preventiontag:typepad.com,2003:post-6a00e553aa1a2888330153901404c9970b2011-07-21T13:51:40-07:002011-07-21T13:51:40-07:00Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are...Robert A.http://www.cgisecurity.com/2011/07/paper-web-application-finger-printing-methodstechniques-and-prevention.htmlOracle website vulnerable to SQL Injectiontag:typepad.com,2003:post-6a00e553aa1a288833014e899fad3a970d2011-07-05T15:21:44-07:002011-07-05T15:21:44-07:00Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.Robert A.http://www.cgisecurity.com/2011/07/oracle-website-vulnerable-to-sql-injection.htmlWASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participantstag:typepad.com,2003:post-6a00e553aa1a288833014e896db9c3970d2011-06-27T12:26:08-07:002011-06-27T12:42:14-07:00I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...Robert A.http://www.cgisecurity.com/2011/06/wasc-announcement-static-analysis-tool-evaluation-criteria-call-for-participants.htmlResults of internet SSL usage published by SSL Labstag:typepad.com,2003:post-6a00e553aa1a28883301538eb65af4970b2011-05-25T09:53:19-07:002011-06-22T16:45:32-07:00Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....Robert A.http://www.cgisecurity.com/2011/05/results-of-internet-ssl-usage-published-by-ssl-labs.html