Template:Application Security News


 * Jul 31 - PCI revisions - code review is coming
 * "...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned.


 * Jul 28 - Web application worms
 * "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."


 * Jul 26 - Government agency wake up call
 * The OWASP Top Ten was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."


 * Jul 24 - Fuzzing comes of age
 * "In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."


 * Older news...