Thursday, May 6, 2010
Security zone: Application security spans IT and information security - 29/04/2010 - Computer Weekly
Nice article on how to look at application security...gives you lots of good questions you should be asking.
Tuesday, May 4, 2010
IE8 XSS Filter
Did you know IE8 has an XSS filter in it? It is on by default in the Internet zone but you have to turn it on in the Local and Intranet zones. You do this in your internet options, about 3/4 of the way down:
More information on it here
But WAIT! What's this?? Maybe we shouldn't set it just yet!
http://blogs.zdnet.com/security/?p=6221
Sigh. For me, I say leave well enough alone for now. Keep the filter, let them update it in June (per the zdnet post link) as it is better than nothing on my Dad's computer.
Stay on top of these things but realize security should never be browser-specific. You will have users to your sites with all sorts of browsers...close your holes and be safe on the web. It is a wild world out there.
Tuesday, April 20, 2010
OWASP Top10 Final Copy Released
OWASP (www.owasp.org) just released the final version of their Top Ten Risks for 2010 document. For those of you that have seen my talks on web app security, I was working off the Release Candidate so you will want to read up on this final version.
http://www.owasp.org/index.php/Top_10
Labels: CodeCamp, CSRF, OWASP, SQL Injection, XSS
Friday, April 16, 2010
CSRF Big Deal or Not?
Great blog post about CSRF and whether it is a big deal or not.
http://ha.ckers.org/blog/20100414/csrf-isnt-a-big-deal-duh/
You have to read this and then read all the comments. Great feedback plus back and forth by folks in the field. The important thing is to keep this topic and others in our minds, and share the knowledge with other developers. Only you can prevent forest fires...wait, I mean, web attacks.
Wednesday, April 7, 2010
New category of XSS attack -- so what?
In DarkReading (http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224201569) there is a current article about a new type of XSS attack that exploits services that provide networking data: malicious data is stored in TXT records or other back-end sources, returned by a service, and then executed when it is displayed on network admin screens.
Uh...this is no different than any other XSS attack. Sure, it is a new category. Sure, it is really tough to find. But hellooooo? You have input from an untrusted source (a data file) that you are taking and displaying on a screen. Service developer, scrub your output! Network app screen developer, encode your output! Duh!!! Come on people. This just shows that we need to be aware that attackers are going deeper and deeper into our systems. As we patch our brochureware sites, they are going after the network folks who don't care to be security developers. But we have the responsibility to do it right.
And it is easy. Please encode and stop XSS!
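The fix the post is asking for, as an added example (not code from the original post or from the DarkReading article): the admin-screen side renders a record with string interpolation, shown unsafe and then with HTML encoding applied to the untrusted TXT value. The record, the function names and the table layout are constructed for illustration.

```javascript
// Added example: HTML-encode untrusted DNS data before it reaches an admin page.
// The characters that can break out of HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for use inside an HTML text node or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the article describes: record data dropped straight into markup.
// Whatever is stored in the TXT record becomes part of the page.
function renderTxtRowUnsafe(name, txtValue) {
  return `<tr><td>${name}</td><td>${txtValue}</td></tr>`;
}

// The hardened form: every untrusted field is encoded at the point of output,
// so stored markup is displayed as text instead of being parsed as HTML.
function renderTxtRowSafe(name, txtValue) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(txtValue)}</td></tr>`;
}

// Constructed sample record: a TXT value carrying markup, as a service might
// return it to the network admin screen.
const SAMPLE_RECORD = { name: "example.test", txt: "v=spf1 <script>alert(1)</script>" };

// Quick self-check a reviewer can run: does a raw tag survive into the output?
function containsRawTag(html, tagName) {
  return html.toLowerCase().includes(`<${tagName.toLowerCase()}`);
}

function renderSampleUnsafe() {
  return renderTxtRowUnsafe(SAMPLE_RECORD.name, SAMPLE_RECORD.txt);
}

function renderSampleSafe() {
  return renderTxtRowSafe(SAMPLE_RECORD.name, SAMPLE_RECORD.txt);
}

console.log(renderSampleUnsafe()); // raw <script> tag reaches the page
console.log(renderSampleSafe());   // rendered as &lt;script&gt;...
```

The same encoding belongs on the service side too, if the service ever emits HTML itself; if it emits JSON or plain text, the consumer rendering it is the one that must encode for its own output context.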