Template:Application Security News


 * Oct 3 - CSRF, the sleeping giant
 * "Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. An issue so pervasion and fundamental to the way the Web is designed to function we've had a difficult time even reporting it as a "vulnerability". Which is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing and it’s only a matter of time before CSRF hacks its way into the mainstream consciousness." (Ed: We're revising the Top 10 for 2007 - feel free to come join us!)


 * Oct 3 - crossdomain.xml witch hunt
 * crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."


 * Oct 2 - Static analysis - an important part of a balanced breakfast
 * "The fact that we can say we do a code review as part of our development process gives [customers] comfort, and it demonstrates the maturity of our risk management process when it comes to code, and the fact that it's part of our overall program."


 * Oct 2 - Fuzz testing in Java
 * "Of course, error handling and verification is ugly, annoying, inconvenient, and thoroughly despised by programmers the world over. Sixty years into the computer age, we still aren't checking basic things like the success of opening a file or whether memory allocation succeeds. Asking programmers to test each byte and every invariant when reading a file seems hopeless -- but failing to do so leaves your programs vulnerable to fuzz."


 * Oct 2 - Data breaches reaching ridiculous levels
 * "Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."


 * Sep 26 - Google hacking makes the NYT
 * "Google acknowledges that its index can be misused. “Search engines reflect what is on the Web,” said Barry Schnitt, a Google spokesman. “We still work to try to prevent and stop exploits and encourage Webmasters to employ best practices and effective security for their Web sites.” On Google’s site you can find tips on how to remove sensitive data from its index, for example."


 * Sep 21 - WAFs not dead says Burton
 * "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked."


 * Older news...