Podcast News

OWASP Podcast News

OWASP NEWS April 2009

OWASP AppSec News
3/18 http://www.gdssecurity.com/l/b/2009/03/17/source-boston-iis7-slides-posted/ Brian Holyfield of Gotham Digital Science posted his slides from SOURCE Boston on IIS7 Security  3/19 http://onelittlewindow.org/blog/?p=188 Way before the Twitter XSS worm, Doug Wilson from the onlittlewindow blog makes some interesting findings on the Twitter.com/XSSExploits page, and the coincidence that he and others were talking about tinyurl and other related issues  3/19 http://blogs.msdn.com/sdl/archive/2009/03/19/why-the-new-sdl-threat-modeling-approach-works.aspx http://blogs.msdn.com/sdl/archive/2009/03/30/speaker-to-suits.aspx Adam Shostack of the Microsoft SDL Blog posts about Threat-modeling and what he refers to as "boundary objects"  3/22 http://securityninja.co.uk/blog/?p=244 The Security Ninja posts some information on the recent release of the OWASP Security Spending Benchmarks Project  3/23 http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx The HP Application Security Center releases SWFScan, a free, new Windows-based tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform  3/23 http://voices.washingtonpost.com/securityfix/2009/03/web_fraud_20_data_search_tools.html?wprss=securityfix<br \ > Brian Krebs from the Washington Post demonstrates some very scary Web 2.0 websites where thieves can purchase personal data such as social security numbers, mother's maiden names, and other info for rock-bottom prices<br \ > <br \ > 3/24 http://www.theregister.co.uk/2009/03/24/hackersblog_quits/<br \ > John Leyden of The Register reports that the HackersBlog Romanian group responsible for the high-profile SQL injection attacks has disbanded<br \ > <br \ > 3/24 http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html<br \ > SearchSecurity Editor, Robert Westervelt, points to a survey that show that more companies seek third-party web app code review<br \ > <br \ > 3/25 http://www.thespanner.co.uk/2009/03/25/xss-rays/<br \ > Gareth Heyes releases a new tool, XSS Rays, that he built for Microsoft.<br \ > <br \ > 3/25 http://www.lookout.net/2009/03/25/detecting-ill-formed-utf-8-byte-sequences-in-html-content/<br \ > Chris Weber posts about detecting ill-formed UTF8 byte sequences in HTML content<br \ > <br \ > 3/25 http://www.eweek.com/c/a/Security/Dont-Let-Microsoft-SharePoint-Become-a-Security-Blind-Spot-395215/<br \ > eWeek journalist, Brian Prince, writes about Sharepoint as a Security Blind Spot<br \ > <br \ > 3/30 http://www.vnunet.com/vnunet/news/2238961/hacked-page-hauls-estimated-per<br \ > VNUNet wrote an article on search engine optimized web attacks, and numbers on how well these attack pay<br \ > <br \ > 3/30 http://www.cigital.com/justiceleague/2009/03/30/maturity-models-vs-top-10-lists/<br \ > John Steven argues that Top N lists and Maturity Models are good for tracking industry success, but maybe not organizational success<br \ > <br \ > 3/30 http://www.securitycatalyst.com/a-tale-of-two-vendors-or-security-sells/<br \ > Bill Pennington guest-writes on the Security Catalyst blog about how to purchase SaaS<br \ > <br \ > 3/31 http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html<br \ > The Google Online Security Blog announces a templating system that can reduce XSS by way of Auto Context-Aware Escaping<br \ > <br \ > 4/1 http://www.suspekt.org/2009/04/01/the-month-of-java-bugs/<br \ > Look for the Month of Java Bugs for May 2009!<br \ > <br \ > 4/1 http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html<br \ > Buanzo publishes some configuration to aid against PHP Remote File Inclusion attacks using Fail2Ban<br \ > <br \ > 4/2 http://www.securitybalance.com/2009/04/mq-one-of-the-blind-spots/<br \ > Augusto Paes de Barros from the Security Balance blog posts about message queue security<br \ > <br \ > 4/3 http://i8jesus.com/?p=37<br \ > Arshan Dabirsiaghi posts on his blog about Browser scheme/slash quirks<br \ > <br \ > 4/3 http://blogs.technet.com/srd/archive/2009/04/03/the-mshtml-host-security-faq-part-ii-of-ii.aspx<br \ > The Microsoft Security Research & Defense Blog posts about securly hosting MSHTML<br \ > <br \ > 4/3 http://www.greebo.net/2009/04/04/owasp-eu-2009-coming-soon/<br \ > Andrew van der Stock warns that OWASP EU 2009 is coming soon!<br \ > <br \ > 4/4 http://www.lookout.net/2009/04/03/unicode-security-attacks-and-test-cases-normalization-expansion-for-buffer-overflows/<br \ > Chris Weber blogs about Normalization expansion security attacks with Unicode character sets<br \ > <br \ > 4/7 http://michael-coates.blogspot.com/2009/04/ssl-whos-to-blame.html<br \ > Michael Coates talks about SSL and who is to blame: webites, browsers, or users?<br \ > <br \ > 4/7 http://research.zscaler.com/2009/04/gmail-and-html-5.html<br \ > Michael Sutton discusses client-side storage security concerns with GMail, Google Gears, and HTML 5<br \ > <br \ > 4/8 http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=216403548<br \ > Kelly Jackson Higgins of DarkReading wrote an article on "The Rocky Road To More Secure Code". Cory Scott of ABN AMRO was quoted several times in the article, including stating that, "BSIMM and OpenSAMM are a good start for organizations that want to change. It's a maturity model, which isn't necessarily prescriptive tactical advice on what to do. Secure application development needs a supportive process and organizational structure behind it. That's what the two maturity models help outline." <br \ > <br \ > 4/8 http://blog.portswigger.net/2009/04/using-burp-extender.html<br \ > PortSwigger adds some interesting information about using the Burp Extender<br \ > <br \ > 4/9 http://homepages.mcs.vuw.ac.nz/~cseifert/blog/pivot/entry.php?id=86<br \ > Christian Siefert reports that the Microsoft Security Intelligence Report, version 6, has become available. Interesting facts from this report indicate that 1 in 1500 web pages host drive-by-download exploits, according to Microsoft's Live Search detective capabilities<br \ > <br \ > 4/9 http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html<br \ > Michael Coates asks the question, "[which] universities out there are offering classes which address web application security?"<br \ > <br \ > 4/9 http://blogs.msdn.com/sdl/archive/2009/04/09/improving-security-with-url-rewriting.aspx<br \ > Bryan Sullivan talks about improving web application security with URL Rewriting<br \ > <br \ > 4/12 http://www.rationalsurvivability.com/blog/?p=718<br \ > Chris Hoff discusses the Secure Data Connector, or SDC, available in the Google AppEngine service platform<br \ > <br \ > 4/12 http://aboulton.blogspot.com/2009/04/security-assessing-java-rmi-slides.html<br \ > Adam Boulton's OWASP presentation on Security Assessing Java RMI has been made available on his blog<br \ > <br \ > 4/12 http://shiflett.org/blog/2009/apr/a-rev-canonical-http-header<br \ > Chris Shiflett sugggets #revcanonical HTTP Header<br \ > <br \ > 4/12 http://twitter.com/XSSExploits<br \ > Looks like twitter plans to replace xssed and sla.ckers.org<br \ > <br \ > 4/13 http://1raindrop.typepad.com/1_raindrop/2009/04/evolution-of-access-control-models.html<br \ > Gunnar Peterson brings attention to a document from HP Labs on the Evoluation of Access Control Methods.<br \ > <br \ > 4/14 http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/<br \ > The Verizon Business Security Blog posted the results of their 2009 Data Breach Investigation Report. The report indicates that web application attacks are responsible for the largest number, 79 percent, of breached records.<br \ > <br \ > 4/14 http://trustedsignal.blogspot.com/2009/04/fuzzy-wuzzy-webscarab.html<br \ > Dave Hull of TrustedSignal posts a great article on using WebScarab<br \ > <br \ > 4/15 http://www.securescience.net/blog/2009/04/rsa-irony-vulnerability-found-rsa-rsac.html<br \ > Lane James discovers irony in RSA.<br \ > <br \ > 4/16 http://research.zscaler.com/2009/04/anatomy-of-straight-answer.html<br \ > Brenda Larcom of ZScaler Research uses Expectations and Environment to explain why security is such a gray area<br \ > <br \ > 4/16 http://www.informit.com/articles/article.aspx?p=1338343<br \ > http://www.cigital.com/justiceleague/2009/04/16/software-security-2008/<br \ > Gary McGraw uses statistics to show that Software Security has come of age<br \ > <br \ > 4/16 http://blogs.msdn.com/cisg/archive/2009/04/16/this-blog-url-has-changed-please-update-your-readers.aspx<br \ > http://blogs.msdn.com/securitytools/<br \ > CISG is now the Microsoft IT Information Security Tools Team<br \ > <br \ > 4/17 http://research.zscaler.com/2009/04/we-used-to-laugh-at-xss.html<br \ > Michael Sutton discusses history of XSS from Defcon 10 (2002) to the present day (Twitter worm)<br \ > <br \ > 4/17 http://nickcoblentz.blogspot.com/2009/03/application-security-portfolios-part-2.html<br \ > Nick Coblentz shares his work on Application Security Portfolios over Google Docs.<br \ > <br \ > 4/17 http://jeremiahgrossman.blogspot.com/2009/04/software-security-grew-to-nearly-500m.html<br \ > Jeremiah uses McDonalds and Mortons as comparatives for black-box vs. white-box security testing<br \ > <br \ > 4/17 http://jeremiahgrossman.blogspot.com/2009/04/website-threats-and-their-capabilities.html<br \ > OWASP Catalyst announced<br \ > <br \ > 4/17 http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=216600222<br \ > Jericho Forum Issues Best Practices For Secure Cloud Computing<br \ > <br \ > 4/20 http://paco.to/?p=305<br \ > Paco lists 5 reasons for software certifications<br \ > <br \ > 4/20 http://www.greensheet.com/newswire.php?newswire_id=11693<br \ > Qualys, Inc., the leading provider of on demand IT security risk and compliance management solutions, today announced QualysGuard(R) PCI Connect which is the industry's first Software-as-as-Service (SaaS) ecosystem for PCI compliance connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS<br \ >