Latest Posts


From the Web

Identity Theft and Phishing and How They Affect Financial Institutions

July 06, 2009 from: Writing Secure Software

In the USA, online fraud has overtaken viruses as the greatest source of financial loss. Among online fraud threats, phishing represents a major threat to financial institutions and, according to the Anti-Phishing group organization, 93.8% of all phishing attacks in 2007 targeted financial institutions.

Comments  (1)


From the Web

Business Cases For Software Security Initiatives

July 06, 2009 from: Writing Secure Software

Building software security into the organization’s software engineering and information security practices is best accomplished by following software security maturity models (e.g. BSIMM or SAMM) as well as by adopting frameworks to build security in the SDLC. Software security frameworks integrate software security activities in the SDLC along with other organization information security pr...

Comments  (1)


From the Web

The Evolution Of Common Criteria

July 03, 2009 from: The Oracle Global Product Security Blog

Hi, my name is Adam O’Brien. I help guide Oracle products through Common Criteria evaluations. Common Criteria is a worldwide, government-backed scheme for testing the security of a product or system. Essentially, you state what security functions your product should be able to perform, then an independent lab evaluates if the product implements these functions reliably and robustly.

Comments  (1)


From the Web

April 2009 Critical Patch Update Released

July 03, 2009 from: The Oracle Global Product Security Blog

Are you running Oracle? Then you need to see this latest set of Critical Patches that could affect the security of your Oracle-backed applications.

Comments  (1)


From the Web

SANS Top 25 Most Dangerous Coding Errors

July 03, 2009 from: The Oracle Global Product Security Blog

Bruce Lowenthal, Director of the Oracle Security Alerts Group, discusses the SANS Top 25 Most Dangerous Programming Errors.

Comments  (1)


From the Web

Training development staff in secure coding practices pays huge dividends

July 03, 2009 from: The Oracle Global Product Security Blog

I am often asked what it takes to write secure code. In my experience, developers generally cannot prevent introducing security flaws in their code if they don’t know what to watch out for. It is also my experience that people generally, and developers in particular, want to do the right thing - but they need to know what the right thing is.

Comments  (1)


From the Web

Cross-Site Request Forgery – A Significant Threat to Web Applications

July 03, 2009 from: The Oracle Global Product Security Blog

Hi, this is Shaomin Wang. I am a security analyst in Oracle’s Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Cross-Site Request Forgery.

Comments  (1)


From the Web

Mysql security risk?

July 03, 2009 from: hackyourself.net

Michael McLaughlin discusses why using 'IDENTIFIED BY password' in MySQL is the new default behavior and why you should leave it that way.

Comments  (1)


From the Web

Mozilla’s Content Security Policy

July 01, 2009 from: Rsnake's blog at ha.ckers.org

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous.

Comments  (1)


Securing Apache

June 26, 2009

This is chapter 2 of Ivan Ristic's book, Apache Security. It covers installation and configuration options that admins often overlook, resulting in an insecure web server deployment.

Comments  (5)


From the Web

SQL Injection, eye of the storm

June 23, 2009 from: Jeremiah Grossman's Blog

In 2008 SQL Injection became the leading method of malware distribution, infecting millions of Web pages and foisting browser-based exploits upon unsuspecting visitors. The ramifications to online businesses include data loss, PCI fines, d...

Comments  (1)


From the Web

Legalize It (Hacking GOV and MIL website)

June 23, 2009 from: Jeremiah Grossman's Blog

I’d wager fewer than ten percent of United States .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities. The reasons why are probably the same as in the private sector. Those responsible don’t know or don’t want to know that problems exist.

Comments  (1)


From the Web

Clickjacking 2017

June 23, 2009 from: Jeremiah Grossman's Blog

The future: Long standing Web application security scourges such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) are finally under control. Remaining buffer overflow issues are considered fossilized evidence of a prior era. Cyber criminals out of necessity have evolved their attack portfolios to include Cli...

Comments  (1)


From the Web

Real-World website vulnerability disclosure & patch timeline

June 23, 2009 from: Jeremiah Grossman's Blog

Protecting large trafficked and high valued websites can be an interesting InfoSec job to say the least. One thing you quickly learn is that you are under constant attack by essentially everyone with every technique they got and all the time.

Comments  (1)


From the Web

8 reasons why website vulnerabilities are not fixed

June 23, 2009 from: Jeremiah Grossman's Blog

A list from Jeremiah Grossman of the likely reasons why so many web application vulnerabilities never get fixed...

Comments  (1)


From the Web

Software Security grew to nearly 500M in 2008

June 23, 2009 from: Jeremiah Grossman's Blog

Gary McGraw (Cigital) published his Software Security annual revenue numbers for 2008. By combining software security tools, Software-as-a-Service providers, and professional services it comes really close to a half billion dollars.

Comments  (0)


From the Web

Website threats and their capabilities

June 23, 2009 from: Jeremiah Grossman's Blog

Vulnerabilities don’t exploit themselves. Someone or something (a “threat”) uses an attack vector to exploit a vulnerability in an asset, bypassing a control, and causes a technical or business impact.

Comments  (1)


From the Web

Disagree with the Concept or Implementation?

June 23, 2009 from: Jeremiah Grossman's Blog

Web Application Firewalls, Professional Certifications, Website Trust Logos, and Compliance Regulations are contentious topics that spark spirited debates by those for and against their existence.

Comments  (1)


From the Web

Slowloris HTTP DoS

June 19, 2009 from: Rsnake's blog at ha.ckers.org

Robert "RSnake" Hansen discusses a denial of service (DoS) attack against some popular web servers (Apache specifically). His proof of concept code (a working exploit against Apache web servers) takes advantage of the server's willingness to hold a connection, and the worker serving it, open for as long as the client keeps trickling in partial request headers without ever finishing them.

Comments  (1)
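As an added illustration of the Slowloris entry above (this is editor-written example code, not RSnake's proof of concept and not Apache's code), the script below models one server worker reading a request header block over a socketpair. A constructed "slow client" sends a legal partial request and then trickles bogus header lines, never the blank line that ends the headers. A per-read idle timeout (the behaviour of Apache's classic `Timeout` directive, assumed here as the naive policy) is reset by every byte, so the worker stays tied up for the whole trickle; a deadline on the entire header block (the approach later taken by mod_reqtimeout, assumed here as the hardened policy) releases the worker regardless of how the client paces itself. The timings, header names and `target.example` host are invented for the demonstration.

```python
"""Slowloris in miniature (added example): a per-read idle timeout does not
free a worker from a client that trickles header lines, a deadline on the
whole header block does. Toy server reader, not Apache code."""
import socket
import threading
import time


def slowloris_fragments(path="/", keepalive_count=5, polite=False):
    """Yield what a Slowloris client sends: a legal partial request, then a
    trickle of bogus header lines, and never the CRLF CRLF that would let the
    server finish parsing and release the worker (polite=True sends it, for
    contrast with a well-behaved client). Header names are constructed."""
    yield f"GET {path} HTTP/1.1\r\nHost: target.example\r\nUser-Agent: x\r\n".encode()
    for i in range(keepalive_count):
        yield f"X-a: {i}\r\n".encode()  # each line lands before an idle timeout would fire
    if polite:
        yield b"\r\n"


def read_request_headers(conn, idle_timeout, header_deadline=None):
    """Read one HTTP header block from conn and report how the wait ended.

    idle_timeout    - max silence between reads, reset by every byte received
                      (the naive policy; what Apache's Timeout directive does)
    header_deadline - max total time for the whole header block, not reset
                      (the hardened policy; the mod_reqtimeout idea)
    Returns (outcome, bytes_received, seconds_waited)."""
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        wait, bound_by_deadline = idle_timeout, False
        if header_deadline is not None:
            left = header_deadline - (time.monotonic() - start)
            if left <= 0:
                return "header_deadline", buf, time.monotonic() - start
            if left <= idle_timeout:
                wait, bound_by_deadline = left, True
        conn.settimeout(wait)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            outcome = "header_deadline" if bound_by_deadline else "idle_timeout"
            return outcome, buf, time.monotonic() - start
        if not chunk:
            return "closed", buf, time.monotonic() - start
        buf += chunk
    return "complete", buf, time.monotonic() - start


def simulate(client_interval, idle_timeout, header_deadline=None,
             keepalive_count=5, polite=False, hold=2.0):
    """Run one slow client against one worker over a socketpair and return the
    worker's (outcome, bytes_received, seconds_waited)."""
    server_side, client_side = socket.socketpair()
    worker_done = threading.Event()

    def client():
        try:
            for fragment in slowloris_fragments(keepalive_count=keepalive_count, polite=polite):
                client_side.sendall(fragment)
                time.sleep(client_interval)
            worker_done.wait(hold)  # then sit silently, still connected, as long as allowed
        except OSError:
            pass  # the server gave up and closed the connection: the mitigation worked
        finally:
            client_side.close()

    t = threading.Thread(target=client, daemon=True)
    t.start()
    try:
        result = read_request_headers(server_side, idle_timeout, header_deadline)
    finally:
        worker_done.set()
        server_side.close()
    t.join()
    return result


if __name__ == "__main__":
    for label, deadline in (("idle timeout only", None), ("header deadline 0.2s", 0.2)):
        outcome, received, waited = simulate(0.1, idle_timeout=0.3, header_deadline=deadline)
        print(f"{label}: {outcome} after {waited:.2f}s, {len(received)} header bytes consumed")
```

With the idle-only policy the worker sits through every trickled line and only gives up once the client finally falls silent; with the header deadline it gives up at the deadline even though bytes are still arriving, which is the property a Slowloris mitigation needs. In the real server the equivalent is mod_reqtimeout's `RequestReadTimeout header=...` limit, which postdates the 2009 post; on an unpatched server the fallback is limiting connections per source address and keeping the worker pool large enough to absorb the attacker's open connections.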


From the Web

CWE Top 25 Breakdown - Part 1 of 4

June 11, 2009 from: hackyourself.net

This week, we’ll take a look at the recently published CWE Top 25 Most Dangerous Programming Errors. Since the Top 25 are broken into three main categories, it makes sense to address the list in three separate segments. But first, let’s review what the CWE Top 25 is and its importance.

Comments  (1)