Archived Application Security News

This page is for ARCHIVED application security news stories. Please view the main news page at Application Security News.

Stories

 * Jan 14 2008 - Bruce Schneier will be presenting on "The Economics of Information Security" at OWASP's January meeting.


 * Jun 19 - HP set to buy SPI Dynamics
 * HP will acquire SPI Dynamics, a vendor of dynamic Web application security testing technologies, indicating growing industry understanding that application security should be an integral part of software life cycle platforms.. ..."


 * Jun 6 - IBM to buy Web app security vendor Watchfire
 * IBMs acquisition of Watchfire is a clear signal that Web Application Security is gaining in importance: "IBM liked Watchfire's Web application security software so much it plans to buy the company for an undisclosed sum, it said Wednesday. ..."


 * Apr 21 - Concurrency and porn
 * "First it was porn, now it's privacy - a technical stuff-up on reality show Big Brother's website is said to have exposed the personal details of fans who signed up for its special features. Following reports that visitors to a pirate Big Brother site were sent to a hardcore porn page, it now seems the names and phone numbers of people who registered for the official site were able to be viewed by others"


 * Apr 21 - Does first Vista 0day undermine SDL?
 * Ken van Wyk discusses the importance of process for producing secure software, and notes that attacks on Vista may undermine the general support for Microsoft's approach. Check out Michael Howard's talk from the last OWASP conference for a great discussion on the success of the SDL.


 * Apr 19 - Why the software market is full of lemons
 * Bruce Schneier finally chimes in on an [old OWASP theme] - the problem of assymetric information between software buyers and sellers. He only talks about security products, but the same problem affects all types of software. Check the [Software Facts Label which is an idea for actually doing something to change the game.


 * Apr 10 - "There is no hope"
 * Despite all the good stuff at OWASP, Scott Berinato is giving up. "No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too."


 * Mar 15 - local IE 7 phishing hole
 * Provides a nice proof of concept with CNN (Link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a story.


 * Mar 14 - GMail Information Disclosure
 * Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domains covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find a XSS hole.


 * Mar 8 - Anurag Agarwal's reflection series
 * Anurag Agarwal maintains an interesting blog on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years!


 * Mar 2 - Wordpress (popular blog software) backdoored
 * "Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."


 * Mar 1 - the Month of PHP Bugs "formerly known as March"
 * "This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core."


 * Feb 26 - Building Secure Applications: Consistent Logging
 * SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."


 * Feb 26 - Know your Enemy: Web Application Threats
 * A long paper on web application security threats released by honeynet.org. "This paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats."


 * Feb 21 - OWASP Top 10 2007 rc1 feedback
 * Lots of feedback on the new OWASP Top 10. See e.g. on PCI DSS blog with some interesting comments and of course Sylvan von Stuppe's comments on the OWASP Top 10 RC1 can be found here(A7-A8), here(A5-A6), here(A3-A4) and here (A1-A2). Last change to review the document prior to February 28th and provide feedback to the owasp-topten@lists.owasp.org mail list.


 * Feb 21 - Serious Flaw in Google Desktop Prompts Patch
 * "Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software."


 * Feb 05 - Sammy 'MySpace' KamKar Pleads Guilty in Court
 * "The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."


 * Feb 05 - Why Your Organization Must Increase It's Web Application Security Budget
 * "The Web application security threat is a real one. A failure to respond to this threat will result in real risk to any enterprise that stores financial or customer data. While the problem is a serious one, it is not something that cannot be fixed so long as proper attention and budget are allocated to it. Unfortunately, given the unique nature of the problem and its impact on the budgetary process, it will likely require direct intervention by the financial staff."


 * Feb 05 - X-Force Notes Increase in Vulnerabilities. Where are the "X-Men" to fix them?
 * " According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force(R) research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation. "


 * Feb 05 - Rubin Smacks Diebold Once Again
 * "Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland."


 * Jan 23 - Greasemonkey Backdoor Proof of Concept
 * A simple Greasemonkey script that illustrates the potential for abuse by hooking a backdoor to your browser using Javascipt and AJAX techniques.


 * Jan 23 - Web Honeynet Project Announcement
 * The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.


 * '''Jan 22 - Also worth a read:
 * A Rude Awakening, Making Security Rewarding Discovering a Java Application's Security Requirements, Security Startups Make Debut, Source Code Specialist Fortify to Buy Secure Software , Ajax Sniffer - Prrof of concept, Decoding the Google Blacklist, Visual WebGui Announces The Dot.Net Answer To Google's GWT,


 * '''Jan 18 - Don't take security advice from the devil you know!
 * He lies. Especially about security flaws. This article notes an increase in vulnerabilities found in open source packages and concludes that... "For the personal sites and the mom-and-pop stores that rely on the software, it certainly affects them," Martin said. "But larger companies likely aren't affected." Right.


 * Jan 18 - Web Application Security Professionals Survey (Jan. 2007)
 * Jeremiah Grossman just released his (unscientific) survey with lots of very interesting data. Make sure you check out section '11) Top 3 web application security resources' which is a nice database of the most popular vulnerability assessment tools and knowledge resources (#1 was RSnake's Blog, and #2 was OWASP :) )


 * Jan 18 - Hackers attack MoneyGram International server, breach personal info of 80,000 customers
 * A MoneyGram International server has been breached, allowing cybercrooks access to the personal information of nearly 80,000 people. Hackers accessed the server through the web sometime last month, the money-transfer company said in a statement released on Friday.


 * Jan 10 - Vulnerability Disclosure: The Good, the Bad and the Ugly
 * More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less?, three good articles: Microsoft: Responsible Vulnerability Disclosure Protects Users, Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’, The Vulnerability Disclosure Game: Are We More Secure? and The Chilling Effect


 * Jan 3 - http://www.gnucitizen.org/blog/danger-danger-danger/ XSS in ALL sites with PDF download
 * Critical XSS flaw that is trivial to exploit here in all but the very latest browsers. Attackers simply have to add a script like #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). Solution is to not use PDF's or for Adobe to patch the planet.


 * Dec 18 - PHP security under scrutiny
 * Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications.


 * Dec 16 - What IS security critical code?
 * "It's likely that in most incidents of people being killed as a result of software bugs (or IT systems bugs), the software wasn't thought to be safety-critical at all. For example, a word-processor failing to recognize that a print request has failed, resulting in a patient not getting a letter giving a hospital appointment. Or someone committing suicide because of an incorrect bank statement." Michael Kay on the xml-dev list, 8/17/2005


 * Dec 14 - JavaScript error handler leaks information
 * An attacker can find out whether you're logged into your favorite website or not. They include a script tag where the src attribute doesn't point to a script, but instead to a page on your favorite websites. Based on the error the script parser generates when trying to parse the HTML of the page that's returned, the attacker can tell whether you're logged in or not. Should extend to access control easily. Protect yourself with CSRF protection.


 * Dec 13 - UCLA spins massive breach
 * Why not just say what measures you've really taken? Are all developers trained? Do you do code review and security testing? "Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid. 'In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,' Davis said in the statement."


 * Dec 10 - MySpace and Apple mess
 * MySpace and Apple show how NOT to handle security incidents (see also How Not to Distribute Security Patches)


 * Nov 28 - JBroFuzz 0.3 Released
 * This version adds a more stable core, length updating for fuzzed POST requests and allows you to specify your own fuzz vectors in a separate file.


 * Dec 2 - Oracle blames security researchers
 * "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the Oracle Software Security Assurance program real? Or are David Litchfield and Cesar Cerrudo right that Emperor has no clothes?


 * Nov 30 - What? Ajax is secure now?
 * Nice article making the point that Ajax is not inherently insecure. Read it carefully folks - it isn't easy to build a secure Ajax application, just possible. And remember that although the article doesn't mention it, Ajax apps use new parsers and interpreters that haven't been very well tested for security.


 * Nov 30 - Democracy Schlemocracy
 * A paper from NIST argues that touchscreen voting machines are "more vulnerable to undetected programming errors or malicious code" and that "potentially, a single programmer could 'rig' a major election."


 * [[Image:Database_security_comparison.jpg|right|200px]]Nov 28 - Litchfield slams Oracle lack of SDL
 * David Litchfield presents some very compelling evidence that Microsoft's SDL is paying off. A very interesting read. Not surprisingly, Microsoft is gloating a little.


 * Nov 28 - Foreign software - threat or xenophobia?
 * Ira Winkler - "If there is one line of code written overseas, that’s one line too many. Developing it in the U.S. is not perfect, but we are talking about an exponential increase in risk by moving it overseas." John Pescatore - the focus on offshore developers is "xenophobia" but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.


 * Nov 27 - Scanner smackdown results
 * "Last month I got a chance to evaluate the two popular vulnerability assessment tools Webinspect and Appscan and I wanted to share my findings with others..."


 * Nov 27 Malware evolution - third wave coming?
 * "All the events of the third quarter of 2006 lead me to conclude that both the Internet and the field of information security are on the verge of something totally new. I would say that the second stage of both virus and antivirus evolution is now complete. The first stage was during the 1990s, which simple signature detection was enough to combat simple viruses. At this stage, malicious code was not highly technical and did not use complex infection methods."


 * Nov 26 - The security snooze button
 * Great article by Ken van Wyk. He looks at the 41% increase in published software vulnerabilities and points out that there is not a corresponding 41% increase in the amount of software, a 41% more people looking for vulnerabilities, or more researchers looking. He concludes there's a significant shift in profit motive. Caveat browsor.


 * Nov 21 - Why two-factor sucks
 * "More than 90 percent of the participants in several focus groups said they didn't want to use a token to access accounts online or by phone. "The response we got was, 'Don't tell me I have to carry something to get access to my money. It's your job to protect my money, and if you don't do your job I'll find someone who will,'" says Cullinane, who is CISO of Washington Mutual, the nation's largest savings bank. "It was rather startling to get that from them."


 * Nov 13 - Growing interest in securing SDLC
 * "It's becoming an emerging area of interest for enterprises to address application portfolios and review their applications for security. The other angle is, when developing code, making sure that security is taken into consideration throughout the SDLC, instead of just testing during QA prior to GA or prior to releasing to production."


 * Nov 9 - SDL 2008 or bust!
 * "ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business."


 * Nov 7 - JBroFuzz 0.2 Network Protocol Fuzzer Released
 * JBroFuzz is a stateless network protocol fuzzer for penetration tests. Written in Java (exe also available) it provides a number of generators, as well as basic checks involving SQL injection, Cross Site Scripting (XSS), Buffer/Integer Overflows, as well as Format String Errors.


 * Nov 5 - 11.3% Vulnerable to SQL Injection
 * Micheal Sutton experimented with a survey of sites that have a parameter named "id" in the URL. He finds that 11.3% of them cough up a SQL error. "The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading as reports have suggested that it is a measure of what attackers are doing."


 * Nov 1 - Don't blame the browser
 * Client side applications are all intertwined, and a flaw in one may compromise the rest. But don't forget the web applications!


 * Oct 25 - Michael Howard's advice from OWASP AppSec Conference
 * Michael argued convincingly for a comprehensive application security education program first, then use of tools, threat modeling, and code review. His presentation and all the rest are on the conference page


 * Oct 24 - Hackers get organized
 * "Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities. E-Trade Financial Corp. said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. "It is an industry problem. It does continue to grow."


 * Oct 19 - MSDN Magazine AppSec Issue
 * Great articles from Michael Howard and crew on Threat Modeling, SSO, Extending SDL, and an interesting article on SQL truncation attacks


 * Oct 19 - Netflix hit with CSRF - who's next?
 * All you did was load a web page - how did that add movies to my Netflix account? Cross-Site Request Forgery attacks are usually as simple as image links to another site. If you're logged in, the attack succeeds. Netflix got burned, but many sites are susceptible to this attack.


 * Oct 17 - Bill Joy gets religion
 * Welcome Bill! "Rather than simply building big walls around their networks, developers must become proactive about security and include it from the beginning of an application's development. They must consider the possible threats to the system and review source code-the software's blueprint-for security flaws, thereby vastly improving overall security."


 * Oct 17 - Marcus Ranum disses IPv6
 * "IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks."


 * Oct 15 - RSnake says IE7 sucks less for XSS
 * Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"


 * Oct 15 - AppSec like global warming...
 * You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow cross-site scripting (14.5 percent), SQL injection (10.9 percent); buffer overflows (10.8 percent) and Web directory path traversal (3 percent).


 * Oct 6 - Ajax is FUD-tastic
 * News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need guidelines and more research, not more FUD.


 * Oct 3 - CSRF, the sleeping giant
 * "Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. An issue so pervasion and fundamental to the way the Web is designed to function we've had a difficult time even reporting it as a "vulnerability". Which is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing and it’s only a matter of time before CSRF hacks its way into the mainstream consciousness." (Ed: We're revising the Top 10 for 2007 - feel free to come join us!)


 * Oct 3 - crossdomain.xml witch hunt
 * crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."


 * Oct 2 - Static analysis - an important part of a balanced breakfast
 * "The fact that we can say we do a code review as part of our development process gives [customers] comfort, and it demonstrates the maturity of our risk management process when it comes to code, and the fact that it's part of our overall program."


 * Oct 2 - Fuzz testing in Java
 * "Of course, error handling and verification is ugly, annoying, inconvenient, and thoroughly despised by programmers the world over. Sixty years into the computer age, we still aren't checking basic things like the success of opening a file or whether memory allocation succeeds. Asking programmers to test each byte and every invariant when reading a file seems hopeless -- but failing to do so leaves your programs vulnerable to fuzz."


 * Oct 2 - Data breaches reaching ridiculous levels
 * "Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size -- such as the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies such as Time Warner and dozens of colleges and universities across the land -- have collectively fumbled 93,754,333 private records."


 * Sep 26 - Google hacking makes the NYT
 * "Google acknowledges that its index can be misused. “Search engines reflect what is on the Web,” said Barry Schnitt, a Google spokesman. “We still work to try to prevent and stop exploits and encourage Webmasters to employ best practices and effective security for their Web sites.” On Google’s site you can find tips on how to remove sensitive data from its index, for example."


 * Sep 21 - WAFs not dead says Burton
 * "The bottom line, though, is that installing a Web application firewall makes sense if you're willing to spend time tuning and understanding the rules. While Web application firewalls may come with some default rule sets, customers said they got the biggest bang when they understood their Web applications and how they worked."


 * Sep 21 - Visa: SQL injection confirmed as compromise leader
 * Visa has analyzed a their actual compromises and concluded that SQL injection is the most problematic application security problem. "A successful SQL injection attack can have serious consequences. SQL injection attacks can result in the crippling of the payment application or an entire e-commerce site."


 * Sep 21 - Ajax more secure? Right.
 * This blog post argues "Ajax applications can be made as highly-secure as the web technologies upon which the Ajax model is based." Even if that was the goal, it misses the point. The complexity and lack of tools for building and testing Ajax applications makes them far more difficult to assure.


 * Sep 21 - Fear of commitment
 * "According to a June 2006 survey of 400 U.S. based software developers that was commissioned by Symantec, an overwhelming 93 percent felt that secure application development was more of a priority now than three years ago. Also 70 percent indicated that their employers emphasize the importance of application security, 74 percent indicated that security was a high priority in their development process, yet only 29 percent stated that security was always part of the development process."


 * Sep 17 - The data are in
 * Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and conclude that browsers are the biggest problem, you need to check it again.


 * Sep 15 - Web flaws race ahead in 2006
 * "Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project."


 * Sep 14 - Gartner says 'customize at your own risk'
 * "Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you."


 * Sep 11 - Developers are the real monoculture
 * Monoculture is a danger to security, but this article points out that the most dangerous monoculture is "not of software but of pervasive carelessness among application developers, system administrators and users—carelessness that persists today."


 * Aug 31 - Red, white, and screwed
 * "We've consulted with all the top computer scientists around the United States on the software security issues and they've all told us one thing: 'It isn't currently possible to create technology that is 100-percent secure and trying to do that would be so cost prohibitive"


 * Aug 30 - Web apps less secure...wait no, more secure
 * "Web applications tend to be written less tightly than other applications," says Alan Paller, director at the SANS Institute...But because the desktop model really isn't any better, and is in some ways worse, "Security will drive people to centralized applications." (There's a peek into Google's security process in this article - verdict: Distributed!)


 * Aug 29 - Personal data exposed on student loan Web site
 * The U.S. Department of Education has disabled its Direct Loan Servicing System, the online payment feature of its Federal Student Aid site, because of a software glitch that exposed the personal data of 21,000 students who borrowed money from the department, said Education Department spokeswoman Jane Glickman.


 * Aug 28 - Secure coding initiatives - Verdict: Don't start with tools
 * Tools give a warped perspective on software security. They overemphasize stuff they're good at finding, and completely miss critical flaws. Get your people and process aligned on secure coding, and then it will be easy to see which tools really help you.


 * Aug 22 - The privacy debacle hall of shame
 * "[The AOL screwup] may have been one of the dumbest privacy debacles of all time, but it certainly wasn't the first. Here are ten other privacy snafus that made the world an unsafer place."


 * Aug 22 - Yahoo touches application security's third rail - encoding
 * "The problem was Yahoo Mail's handling of attachments. By creating an HTML attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code"


 * Aug 22 - Nifty approach to rich Java client testing
 * "The BeanShell provides a convenient means of inspecting and manipulating a Java application during execution. This allows the security tester to bypass security controls on the client and verify the security controls on the server. It also allows for the automation of tedious tests such as brute force testing."


 * Aug 15 - Yes, you have an XSS problem
 * The Washington Post lists flaws in sites from Verisign, eEye Digital Security, Cisco Systems F-Secure, Snort.org, National Security Agency, etc... If you're not sure whether you have Cross-site scripting problems or not, you probably do. You're compromising your customer's accounts and data. Should the Post be publishing live exploits? We don't think so.


 * Aug 14 - Ajax threat coming fast
 * "We've gone from kids screwing around to criminals looking for ways to make money in less than eight months...Imagine when the same flaws are used to steal money from financial institutions"


 * Aug 11 - HSBC 'vulnerability' all smoke no fire
 * "I was put at ease the moment I saw that each article was hinting at the researchers having made an assumption that every target has been infected with a keylogger. A bit of an unreasonable assumption if you ask me, and I think at this point it stops being "news" however the vulnerability is quite interesting..."


 * Aug 9 - ModSecurity rocks WAF competition
 * "In the Forrester report ModSecurity was recognized as "the most widely deployed web application firewall," with thousands of installations worldwide."


 * Aug 2 - Michael Howard's code review process
 * Michael recommends prioritizing, but strangely doesn't use threat modeling as a way to do it. Still, a great article because... "No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option."


 * Jul 31 - PCI revisions - code review is coming
 * "...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned.


 * Jul 28 - Major JavaScript vulnerabilty documented
 * "SPI Dynamics has published documentation and a live exploit of a significant javascript flaw. This appears to be a fundemental flaw in the scripting language and it impacts at least all IE browsers."


 * Jul 28 - Web application worms
 * "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."


 * Jul 26 - Government agency wake up call
 * The OWASP Top Ten was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."


 * Jul 24 - Fuzzing comes of age
 * "In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."


 * Jul 20 - PayPal challenges Oracle for longest time-to-fix
 * Daring people to sue for negligence, PayPal ignored a 2004 notification of a "cross site scripting attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."


 * Jul 19 - SQL injection flood reported
 * "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day...The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack."


 * Jul 18 - Symantec deflowers Vista
 * "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects...Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."


 * Jul 18 - PCI to require security code reviews
 * "The way the standard reads today, all provisions are treated equally, Litan says. She expects PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews."


 * Jul 18 - Fortify study shows raging storm
 * "On average, 50%-70% of attacks experienced by web applications come from bots and bot networks searching for known vulnerabilities...The effect is much like a storm raging over a landscape – the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit web applications."


 * Jul 18 - Think liability for vendors will work? Try unreliable programming
 * Imagine there was liability for software vendors. They would introduce "an interesting new paradigm of programming. Methods of this school of programming could include: Do something random, procrastination, decoy, blame someone else, and Inject errors in other running programs."


 * Jul 17 - Give offensive coding a try...
 * "Spurious null checks are a symptom of bad code. That’s not to say that null checks are wrong. If a vendor gives you a library that can return null, you’re obliged to check for null. And, if people are passing null all over the place in your code, it makes sense to keep putting some null checks in, but, you know what? That just means that you’re dealing with bad code"


 * Jul 12 - Beware integer overflow in Java
 * Joshua Bloch (of Java Puzzlers fame) discovered this overflow that affects Arrays.binarySearch and any other divide-and-conquer algorithms (probably other languages as well). "The general lesson that I take away from this bug is humility: It is hard to write even the smallest piece of code correctly, and our whole world runs on big, complex pieces of code."


 * Jul 12 - Source code secrecy not a countermeasure
 * Yet another pointless article discussing whether open-source or closed-source is more secure. The truth is that your application should be secure even if an attacker has the source. If you're using a source code control system (and you absolutely should), there are copies of your code all over the place. So get over it - secrecy isn't a countermeasure.


 * Jul 11 - Yankee predicts AAP to replace WAF
 * In a report titled, "Application Assurance Platforms Arise from Web App Firewall Market’s Ashes," Yankee projects overall product revenue in the evolving AAP market to grow to $230 million by 2009. AAP's are predicted to combine the web application firewall, database security, XML security gateway and application traffic management segments.


 * Jul 10 - Even two-factor authentication can be spoofed
 * "The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real."


 * Jul 7 - PCI update will mandate application security
 * "Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. Extensions are aimed at protecting credit card data from emerging Web application security threats."


 * Jul 5 - Even Google has application security issues
 * RSnake writes about XSS, CSRF, and open redirect problems in google.com. "While surfing around the personalization section of Google I ran accross the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however..."


 * Jul 5 - Just because it's AJAX doesn't mean you don't need input validation
 * "Google Web Toolkit's conflation of client-side and server-side code is inherently dangerous. Because you program everything in the Java language, with GWT's abstraction concealing the client/server split, it's easy to be misled into thinking that your client-side code can be trusted at run time. This is a mistake. Any code that executes in a Web browser can be tampered with, or bypassed completely, by a malicious user."


 * Jul 3 - FTC throws Nations Holding into the briar patch
 * This is an outrage. Companies can now continue to play fast and loose with people's data, safe in the knowledge that their only penalty will be to do stuff they ought to be doing anyway. Thanks FTC.


 * Jul 2 - The voodoo economics of code
 * "The six billion people of the world can be divided into two groups: (1) People who know why every good software company ships products with known bugs. (2) People who don't. Those of us in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group 2, perhaps a new hire on the team or even a customer.  They are shocked that any software company would ever ship a product before every last bug is fixed."


 * Jun 26 - PCI update coming
 * "Track data from magnetic strips isn’t necessary to process credit card transactions but is valuable to hackers and identity thieves because it can be used to make counterfeit cards, said Avivah Litan, an analyst at Gartner. The data is often automatically saved by payment applications because developers assumed it was needed. In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the data unprotected while giving the merchant a misplaced sense of security, Visa’s Elliott said."


 * Jun 24 - SOA Security Architect Interviews OWASP Chair Jeff Williams
 * SOA Security Architect interviews Jeff Williams on OWASP and SOA security. Jeff answers questions about SOA security, talks about the limitations of SOA appliances, and the future of WS Security and web services. "They think that they are getting 80% protection, but they really aren’t. I think the false sense of security is the most dangerous risk of using these appliances. The same sort of thing applies to using application scanning technologies."


 * Jun 23 - Citibank wrestles with XSS
 * On the same day that Neosmart makes the ridiculous claim that XSS is not a vulnerability, a hacker has highlighted an XSS flaw in citibank.com and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a vulnerability.


 * Jun 19 - Analyst research discovers that hackers go for low hanging fruit
 * The trend continues - less overall security breaches, and more web related attacks (12%). "Internet-enabled software applications, especially custom applications, present the most common security risk encountered today," said John Andrews, President, Evans Data. "Overall we're witnessing better software security practices early in the software lifecycle, which is positively affecting overall security breaches."


 * Jun 16 - For goodness sakes, don't click on links in email
 * A pretty complete writeup about the exploit of an XSS flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."


 * Jun 16 - When developers go bad...
 * The unbelievable story of what a disgruntled developer can do - "2,000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run. The system was offline for more than a day, and UBS PaineWebber -- which was renamed UBS Wealth Management USA in 2003 -- spent about $3.1 million in assessing and restoring the network. Executives at the company haven't reported how much was lost in business downtime...The agent executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. The Secret Service also allegedly found the source code on two of his four home computers."


 * Jun 15 - SCOMP, STOP, Tmach, Gemsos, MVS, VMS, Trusted Solaris, and OpenBSD seriously put out
 * "Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry...Windows Vista is the first operating system from Microsoft to be built from the ground up using the SDL development model. Every bit of code is scrutinized for Common Criteria Certification and security compliance checkpoints must be met along the way."


 * Jun 14 - Why I hate frameworks
 * "According to our research, what people really needed wasn't a Universal Hammer after all. It's always better to have the right kind of hammer for the job. So, we started selling hammer factories, capable of producing whatever kind of hammers you might be interested in using. All you need to do is staff the hammer factory with workers, activate the machinery, buy the raw materials, pay the utility bills, and PRESTO...you'll have *exactly* the kind of hammer you need in no time flat."


 * Jun 13 - Bad things happen to smart developers
 * "A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that I've found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know. People start thinking, "Because we have smart employees, we have a good development process; we're not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because they're going to occur."


 * Jun 11 - Flash! Reporter says customers might actually want security
 * "...Customers now want more assurance about information security. In the early days, the client-to-server connection for payment was encrypted with SSL, giving the illusion that the transaction was protected. But information security is much more than a requirement to protect credit card details in transit between a client and a server. It is built on three legs: confidentiality, availability and integrity."


 * Jun 5 - Ballmer sneaks in 'security'
 * "All I said anywhere is quality, quality, quality, quality, quality. The betas are just out: Quality, quality. I get an e-mail from a customer who's says 'I'm worried about the following problem with the beta.' That's what betas are about. I say: 'don't worry. Quality, quality. We're just working on quality.' We will ship quality, security, quality. The features set is all there. Now it's all about performance, quality, quality. If I get e-mail 'Should I worry about what you're going to ship if you're forced to ship on blah blah blah?', I say 'quality."


 * Jun 4 - How to irritate users in the name of security
 * "CAPTCHA's flaws are prompting academics, independent computer programmers and some Web companies to craft new variations that they hope will be easier for humans to decipher but harder for computer programs."


 * Jun 2 - "No indication data was misused"...(snicker)
 * 1,000,000 more Americans information can sleep well at night knowing that their information is being safely protected by the free credit monitoring they get. If you're playing fast and loose with people's data, you should get familiar with res ipsa loquitor.


 * Jun 2 - Mitnick blames people
 * "Software is always going to have bugs because there are human beings behind it doing the development. Hopefully, universities teach secure coding practices...Hopefully, there will be an educational process and companies will actually do source code audits before they release their software and also train their people in secure coding practices."


 * Jun 1 - Coders too cool for school?
 * "Keep the flaws out from the beginning and you have bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task."


 * May 29 - Oracle's Davidson blowing steam
 * "The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a tipping point...it is now chief executives who are complaining that what they are getting from their vendor is not acceptable in terms of software assurance." She also argues that Brits make good hackers because they have criminal behavior.


 * May 25 - Custom escaping considered harmful
 * "Applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes and magic_quotes' are particularly unsafe. Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure."


 * May 22 - Oracle teaches developers security
 * "We track the security training completion status of each developer and provide regular reports on training compliance to development management and to senior corporate management to ensure a level of security training is maintained in each organization."