Application Security News

Revision as of 02:29, 18 September 2006 by Anthonylai (Talk | contribs)


This page is for people to post application security news stories. Stories discussing the importance of application security, influential incidents, trends, metrics, or success stories are encouraged. This page is monitored, and particularly important stories will be copied to the front page. If you have comments about the stories, please use the "discussion" page.

Please post new items at the top of the list using the following format:

Mon ## - Snarky headline
Comment or "Quote"


Sep 17 - The data are in
Well of course 21.5% of reported vulnerabilities are XSS. They're very easy to find and every web app has them. (Prove yours doesn't - seriously). Note: If you check this data and conclude that browsers are the biggest problem, you need to check it again.
Sep 15 - Web flaws race ahead in 2006
"Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project."
Sep 14 - Gartner says 'customize at your own risk'
"Customization has created custom vulnerabilities. Custom code does not undergo the same QA testing as commercial code does. All major applications [need] custom code and this is one of the biggest issues facing application security. But what is even worse about this is any vulnerability you have in your system is yours and no one else will find it but you."
Sep 11 - Developers are the real monoculture
Monoculture is a danger to security, but this article points out that the most dangerous monoculture is "not of software but of pervasive carelessness among application developers, system administrators and users—carelessness that persists today."
Aug 31 - Red, white, and screwed
"We've consulted with all the top computer scientists around the United States on the software security issues and they've all told us one thing: 'It isn't currently possible to create technology that is 100-percent secure and trying to do that would be so cost prohibitive'"
Aug 30 - Web apps less secure...wait no, more secure
"Web applications tend to be written less tightly than other applications," says Alan Paller, director at the SANS Institute...But because the desktop model really isn't any better, and is in some ways worse, "Security will drive people to centralized applications." (There's a peek into Google's security process in this article - verdict: Distributed!)
Aug 29 - Personal data exposed on student loan Web site
The U.S. Department of Education has disabled its Direct Loan Servicing System, the online payment feature of its Federal Student Aid site, because of a software glitch that exposed the personal data of 21,000 students who borrowed money from the department, said Education Department spokeswoman Jane Glickman.
Aug 28 - Secure coding initiatives - Verdict: Don't start with tools
Tools give a warped perspective on software security. They overemphasize stuff they're good at finding, and completely miss critical flaws. Get your people and process aligned on secure coding, and then it will be easy to see which tools really help you.
Aug 22 - The privacy debacle hall of shame
"[The AOL screwup] may have been one of the dumbest privacy debacles of all time, but it certainly wasn't the first. Here are ten other privacy snafus that made the world an unsafer place."
Aug 22 - Yahoo touches application security's third rail - encoding
"The problem was Yahoo Mail's handling of attachments. By creating an HTML attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code"
Aug 22 - Nifty approach to rich Java client testing
"The BeanShell provides a convenient means of inspecting and manipulating a Java application during execution. This allows the security tester to bypass security controls on the client and verify the security controls on the server. It also allows for the automation of tedious tests such as brute force testing."
Aug 15 - Yes, you have an XSS problem
The Washington Post lists flaws in sites from Verisign, eEye Digital Security, Cisco Systems, F-Secure, National Security Agency, etc... If you're not sure whether you have XSS problems or not, you probably do. You're compromising your customers' accounts and data. Should the Post be publishing live exploits? We don't think so.
Aug 14 - Ajax threat coming fast
"We've gone from kids screwing around to criminals looking for ways to make money in less than eight months...Imagine when the same flaws are used to steal money from financial institutions"
Aug 11 - HSBC 'vulnerability' all smoke no fire
"I was put at ease the moment I saw that each article was hinting at the researchers having made an assumption that every target has been infected with a keylogger. A bit of an unreasonable assumption if you ask me, and I think at this point it stops being "news" however the vulnerability is quite interesting..."
Aug 9 - ModSecurity rocks WAF competition
"In the Forrester report ModSecurity was recognized as "the most widely deployed web application firewall," with thousands of installations worldwide."
Aug 2 - Michael Howard's code review process
Michael recommends prioritizing, but strangely doesn't use threat modeling as a way to do it. Still, a great article because... "No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option."
Jul 31 - PCI revisions - code review is coming
"...PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned."
Jul 28 - Major JavaScript vulnerability documented
"SPI Dynamics has published documentation and a live exploit of a significant javascript flaw. This appears to be a fundamental flaw in the scripting language and it impacts at least all IE browsers."
Jul 28 - Web application worms
"We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."
Jul 26 - Government agency wake up call
The OWASP Top Ten was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."
Jul 24 - Fuzzing comes of age
"In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."
Jul 20 - PayPal challenges Oracle for longest time-to-fix
Daring people to sue for negligence, PayPal ignored a 2004 notification of a "cross site scripting attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."
Jul 19 - SQL injection flood reported
"From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day...The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack."
Jul 18 - Symantec deflowers Vista
"Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects...Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."
Jul 18 - PCI to require security code reviews
"The way the standard reads today, all provisions are treated equally, Litan says. She expects PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall. The upgraded standard also is expected to contain new provisions for conducting software code reviews."
Jul 18 - Fortify study shows raging storm
"On average, 50%-70% of attacks experienced by web applications come from bots and bot networks searching for known vulnerabilities...The effect is much like a storm raging over a landscape – the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit web applications."
Jul 18 - Think liability for vendors will work? Try unreliable programming
Imagine there was liability for software vendors. They would introduce "an interesting new paradigm of programming. Methods of this school of programming could include: Do something random, procrastination, decoy, blame someone else, and inject errors in other running programs."
Jul 17 - Give offensive coding a try...
"Spurious null checks are a symptom of bad code. That’s not to say that null checks are wrong. If a vendor gives you a library that can return null, you’re obliged to check for null. And, if people are passing null all over the place in your code, it makes sense to keep putting some null checks in, but, you know what? That just means that you’re dealing with bad code"
Jul 12 - Beware integer overflow in Java
Joshua Bloch (of Java Puzzlers fame) discovered this overflow, which affects Arrays.binarySearch() and other divide-and-conquer algorithms (probably in other languages as well). "The general lesson that I take away from this bug is humility: It is hard to write even the smallest piece of code correctly, and our whole world runs on big, complex pieces of code."
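The overflow described above, as an added example that is not part of the OWASP page or of Bloch's post: Python emulating Java's 32-bit signed int arithmetic, so that the classic midpoint `(low + high) / 2` is seen wrapping negative while `low + (high - low) / 2` stays in range. The virtual array (element i is simply i) and its size are constructed for the demonstration; the functions `to_int32`, `naive_mid`, `safe_mid`, `binary_search` and `run_demo` are this example's own names.

```python
# Added example, not from the OWASP page or from Bloch's post: Python emulation of
# Java's 32-bit signed int arithmetic, showing why mid = (low + high) / 2 fails
# and why mid = low + (high - low) / 2 does not. The virtual array and its size
# are constructed for the demonstration.

INT_MAX = 2**31 - 1


def to_int32(x: int) -> int:
    """Wrap an arbitrary-precision int to Java's int (32-bit two's complement)."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x >= 2**31 else x


def java_div2(x: int) -> int:
    """Java's int division by 2 truncates toward zero (Python's // floors)."""
    return x // 2 if x >= 0 else -((-x) // 2)


def naive_mid(low: int, high: int) -> int:
    """Java: int mid = (low + high) / 2;  the sum wraps negative once it exceeds INT_MAX."""
    return java_div2(to_int32(low + high))


def safe_mid(low: int, high: int) -> int:
    """Java: int mid = low + ((high - low) / 2);  with 0 <= low <= high the difference
    cannot overflow, so neither can the result."""
    return low + java_div2(high - low)


def binary_search(length, key, at, mid_fn):
    """Binary search over a virtual sorted array: at(i) yields element i, 0 <= i < length.
    Returns the index of key, or -(insertion point) - 1 like java.util.Arrays.binarySearch.
    Raises IndexError if mid_fn produces an out-of-range index (in Java the overflowed
    midpoint would surface as an ArrayIndexOutOfBoundsException)."""
    low, high = 0, length - 1
    while low <= high:
        mid = mid_fn(low, high)
        if not 0 <= mid < length:
            raise IndexError(f"midpoint {mid} out of range [0, {length})")
        value = at(mid)
        if value < key:
            low = mid + 1
        elif value > key:
            high = mid - 1
        else:
            return mid
    return -(low + 1)


def run_demo(length: int = 2**30 + 1) -> dict:
    """Look up the last element of the virtual array a[i] = i with both midpoint
    formulas. 2**30 + 1 elements is the smallest size at which low + high can reach
    2**31 (when low == high == 2**30), i.e. where the naive formula first overflows."""
    key = length - 1
    results = {}
    for name, mid_fn in (("naive", naive_mid), ("safe", safe_mid)):
        try:
            results[name] = binary_search(length, key, lambda i: i, mid_fn)
        except IndexError as exc:
            results[name] = f"IndexError: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:>5}: {outcome}")
```

Searching for the last element drives `low` and `high` together at index 2**30; the naive midpoint then becomes -2**30 and the search dies, while the safe form returns 2**30. Run `run_demo(2**30)` and both formulas agree, which is exactly why the bug survived in shipped code for years: no realistic test array was large enough to trigger it.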
Jul 12 - Source code secrecy not a countermeasure
Yet another pointless article discussing whether open-source or closed-source is more secure. The truth is that your application should be secure even if an attacker has the source. If you're using a source code control system (and you absolutely should), there are copies of your code all over the place. So get over it - secrecy isn't a countermeasure.
Jul 11 - Yankee predicts AAP to replace WAF
In a report titled, "Application Assurance Platforms Arise from Web App Firewall Market’s Ashes," Yankee projects overall product revenue in the evolving AAP market to grow to $230 million by 2009. AAPs are predicted to combine the web application firewall, database security, XML security gateway and application traffic management segments.
Jul 10 - Even two-factor authentication can be spoofed
"The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real."
Jul 7 - PCI update will mandate application security
"Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted. Extensions are aimed at protecting credit card data from emerging Web application security threats."
Jul 5 - Even Google has application security issues
RSnake writes about XSS, CSRF, and open redirect problems in "While surfing around the personalization section of Google I ran across the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however..."
Jul 5 - Just because it's AJAX doesn't mean you don't need input validation
"Google Web Toolkit's conflation of client-side and server-side code is inherently dangerous. Because you program everything in the Java language, with GWT's abstraction concealing the client/server split, it's easy to be misled into thinking that your client-side code can be trusted at run time. This is a mistake. Any code that executes in a Web browser can be tampered with, or bypassed completely, by a malicious user."
Jul 3 - FTC throws Nations Holding into the briar patch
This is an outrage. Companies can now continue to play fast and loose with people's data, safe in the knowledge that their only penalty will be to do stuff they ought to be doing anyway. Thanks FTC.
Jul 2 - The voodoo economics of code
"The six billion people of the world can be divided into two groups: (1) People who know why every good software company ships products with known bugs. (2) People who don't. Those of us in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group 2, perhaps a new hire on the team or even a customer. They are shocked that any software company would ever ship a product before every last bug is fixed."
Jun 26 - PCI update coming
"Track data from magnetic strips isn’t necessary to process credit card transactions but is valuable to hackers and identity thieves because it can be used to make counterfeit cards, said Avivah Litan, an analyst at Gartner. The data is often automatically saved by payment applications because developers assumed it was needed. In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the data unprotected while giving the merchant a misplaced sense of security, Visa’s Elliott said."
Jun 24 - SOA Security Architect Interviews OWASP Chair Jeff Williams
SOA Security Architect interviews Jeff Williams on OWASP and SOA security. Jeff answers questions about SOA security, talks about the limitations of SOA appliances, and the future of WS Security and web services. "They think that they are getting 80% protection, but they really aren’t. I think the false sense of security is the most dangerous risk of using these appliances. The same sort of thing applies to using application scanning technologies."
Jun 23 - Citibank wrestles with XSS
On the same day that Neosmart makes the ridiculous claim that XSS is not a vulnerability, a hacker has highlighted an XSS flaw in and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a vulnerability.
Jun 19 - Analyst research discovers that hackers go for low hanging fruit
The trend continues - fewer overall security breaches, and more web related attacks (12%). "Internet-enabled software applications, especially custom applications, present the most common security risk encountered today," said John Andrews, President, Evans Data. "Overall we're witnessing better software security practices early in the software lifecycle, which is positively affecting overall security breaches."
Jun 16 - For goodness sakes, don't click on links in email
A pretty complete writeup about the exploit of an XSS flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."
Jun 16 - When developers go bad...
The unbelievable story of what a disgruntled developer can do - "2,000 of the company's servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run. The system was offline for more than a day, and UBS PaineWebber -- which was renamed UBS Wealth Management USA in 2003 -- spent about $3.1 million in assessing and restoring the network. Executives at the company haven't reported how much was lost in business downtime...The agent executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. The Secret Service also allegedly found the source code on two of his four home computers."
Jun 15 - SCOMP, STOP, Tmach, Gemsos, MVS, VMS, Trusted Solaris, and OpenBSD seriously put out
"Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry...Windows Vista is the first operating system from Microsoft to be built from the ground up using the SDL development model. Every bit of code is scrutinized for Common Criteria Certification and security compliance checkpoints must be met along the way."
Jun 14 - Why I hate frameworks
"According to our research, what people really needed wasn't a Universal Hammer after all. It's always better to have the right kind of hammer for the job. So, we started selling hammer factories, capable of producing whatever kind of hammers you might be interested in using. All you need to do is staff the hammer factory with workers, activate the machinery, buy the raw materials, pay the utility bills, and you'll have *exactly* the kind of hammer you need in no time flat."
Jun 13 - Bad things happen to smart developers
"A lot of people think that errors and defects and stupid mistakes are things that the "lesser programmers" make. One of the things that I've found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know. People start thinking, "Because we have smart employees, we have a good development process; we're not going to have stupid bugs." But no. Everybody, every process, every person makes stupid mistakes. It just happens. The question is, What do you do to find and eliminate your stupid mistakes after they occur? Because they're going to occur."
Jun 11 - Flash! Reporter says customers might actually want security
"...Customers now want more assurance about information security. In the early days, the client-to-server connection for payment was encrypted with SSL, giving the illusion that the transaction was protected. But information security is much more than a requirement to protect credit card details in transit between a client and a server. It is built on three legs: confidentiality, availability and integrity."
Jun 5 - Ballmer sneaks in 'security'
"All I said anywhere is quality, quality, quality, quality, quality. The betas are just out: Quality, quality. I get an e-mail from a customer who says 'I'm worried about the following problem with the beta.' That's what betas are about. I say: 'don't worry. Quality, quality. We're just working on quality.' We will ship quality, security, quality. The features set is all there. Now it's all about performance, quality, quality. If I get e-mail 'Should I worry about what you're going to ship if you're forced to ship on blah blah blah?', I say 'quality.'"
Jun 4 - How to irritate users in the name of security
"CAPTCHA's flaws are prompting academics, independent computer programmers and some Web companies to craft new variations that they hope will be easier for humans to decipher but harder for computer programs."
Jun 2 - "No indication data was misused"...(snicker)
1,000,000 more Americans' information can sleep well at night knowing that their information is being safely protected by the free credit monitoring they get. If you're playing fast and loose with people's data, you should get familiar with res ipsa loquitur.
Jun 2 - Mitnick blames people
"Software is always going to have bugs because there are human beings behind it doing the development. Hopefully, universities teach secure coding practices...Hopefully, there will be an educational process and companies will actually do source code audits before they release their software and also train their people in secure coding practices."
Jun 1 - Coders too cool for school?
"Keep the flaws out from the beginning and you have bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task."
May 29 - Oracle's Davidson blowing steam
"The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a tipping is now chief executives who are complaining that what they are getting from their vendor is not acceptable in terms of software assurance." She also argues that Brits make good hackers because they have criminal behavior.
May 25 - Custom escaping considered harmful
"Applications using 'ad-hoc methods to "escape" strings going into the database, such as regexes, or PHP3's addslashes() and magic_quotes' are particularly unsafe. Since these bypass database-specific code for safe handling of strings, many such applications will need to be re-written to become secure."
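Why the ad-hoc approach quoted above breaks, as an added example that is not part of the OWASP page or of the quoted article: a PHP-style `addslashes()` escaper (reimplemented here in Python) spliced into SQL text, beside a parameterized query, both run against an in-memory SQLite database via Python's standard `sqlite3` module. The table, rows and function names (`setup_db`, `lookup_role_adhoc`, `lookup_role_param`, `compare`) are constructed for the demonstration.

```python
# Added example, not from the OWASP page or the quoted article: an addslashes()-style
# escaper mirrored from PHP (reimplemented here) versus a parameterized query, run
# against an in-memory SQLite database holding constructed sample rows.
import sqlite3


def addslashes(s: str) -> str:
    """PHP-style addslashes(): backslash-escapes ', ", \\ and NUL.
    That matches MySQL's default string syntax but not SQLite (or standard SQL),
    where a quote inside a literal is escaped by doubling it, not with a backslash."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one name contains an apostrophe, one a backslash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("back\\slash", "user")],
    )
    return conn


def lookup_role_adhoc(conn: sqlite3.Connection, name: str):
    """Ad-hoc escaping: the escaped value is spliced into the SQL text itself."""
    sql = "SELECT role FROM users WHERE name = '%s'" % addslashes(name)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The escaping was written for another dialect; SQLite sees a broken statement.
        return f"error: {type(exc).__name__}"
    return row[0] if row else None


def lookup_role_param(conn: sqlite3.Connection, name: str):
    """Parameterized query: the driver binds the value; the SQL text never changes,
    so no dialect-specific escaping is involved at all."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(names=("alice", "o'brien", "back\\slash")) -> dict:
    """Return {name: (ad-hoc result, parameterized result)} for each lookup."""
    conn = setup_db()
    return {n: (lookup_role_adhoc(conn, n), lookup_role_param(conn, n)) for n in names}


if __name__ == "__main__":
    for name, (adhoc, param) in compare().items():
        print(f"{name!r:14} ad-hoc={adhoc!r:28} parameterized={param!r}")
```

For the plain name both paths agree, which is the trap: the escaping looks correct in testing. The apostrophe case turns into a statement SQLite cannot parse (an `OperationalError`), and the backslash case is worse because it fails silently: the doubled backslash no longer matches the stored value, so the lookup returns no row. The parameterized lookup returns the right role for all three inputs without the application ever reasoning about quoting rules.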
May 22 - Oracle teaches developers security
"We track the security training completion status of each developer and provide regular reports on training compliance to development management and to senior corporate management to ensure a level of security training is maintained in each organization."