I personally think that AJAX has the potential to create very insecure applications because it pushes the data validation and authorization layers back to the client (i.e. the browser). "AJAX brings 'Back the Rich Client' and all its security problems."
Kentaro, on your AJAX application you must
Hi Kevin
Indeed this is somewhat surprising that there is no byte-code verification in place, especially for strong typing, since when you think about it, this is not too different than the "unmanaged" code case.
Well there is some byte coding verification. For example if you
. But that's a terrible tradeoff.)
See my previous post (on this same thread) about this issue, but I think
that .Net is not alone in skipping verification for locally executed code :)
Dinis Cruz
Owasp .Net Project
www.owasp.net
ons (browser based components and mobile devices), not the complicated, massively interconnected, feature-rich apps that we have today.
What we need now is focus, energy and commitment to create a business environment where it is possible (and profitable) the creation, deployment and maintenance of app
n and past exploitation record; add in the technologies used, and I will show you where security vulnerabilities are very likely to exist.
Dinis Cruz
Owasp .Net Project
www.owasp.net
Jeff Williams wrote:
Hi Eric,
I think you've nailed what's really going on here. There's this huge time lag betwee
Dinis Cruz
Owasp .Net Project
www.owasp.net
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
is not allowed to perform (amongst other things) direct pointer or stack manipulation, all type conversions must be valid, and you cannot control the execution flow the way you can in C++. So basically, Verifiable .Net code is not able to jump out of the sandbox.
Dinis Cruz
Owasp .Net Project
www.owasp.net
) which I am sure will be very useful and practical. Also if you are interested in helping in the development of SiteGenerator or in its vulnerabilities database, then contact me directly.
Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net
in a secure sandbox) we will have trustworthy computing environments.
thanks,
Andrew
No problem
Hope my explanations make sense
Dinis Cruz
Owasp .Net Project
www.owasp.net
and begin to formulate what SSDL looks like through OWASP's eyes.
That's the plan :)
Very soon we (Owasp) should be making an announcement which will talk about this
Dinis Cruz
Owasp .Net Project
www.owasp.net
, and argue that the desired level of security (and trustworthiness) can only be achieved via managed verifiable code.
Dinis Cruz
Owasp .Net Project
www.owasp.net
en up on Microsoft on this issue. I don't expect anything major to occur until Vista's failure to deliver a secure and trustworthy computing environment is obvious to everybody.
The ones that I wish were listening are Novell and the Mono project. The path to a type-safe platform could start there.
Dinis Cr
(for example on Apache)
Thanks
Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net
understand exactly what is going on.
Best regards
Dinis Cruz
Owasp .Net Project
www.owasp.net
of this email or directly
on http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-io-net.html.
Dinis Cruz
Owasp .Net Project
www.owasp.net
Title: Advanced Asp.Net Exploits and Countermeasures
Overview:
In this 2-day course you will push Asp.Net to the limit and will be shown how Asp .NET
oint of creating and enforcing an airtight security policy if you can jump straight out of it via a Type Confusion attack?
In fact, I would argue that you can't really say that you have an 'airtight security' policy if the verifier is not enabled!"
Best regards
Dinis Cr
t. Not off. Just my guess though ...
Am I the only one that finds it surprising that such a pillar of Java Security is not properly known and information about 'who does what' doesn't seem to be readily available?
Dinis Cruz
Owasp .Net Project
www.owasp.net
changes to the 'Click Once' system made very easy to bypass)
Dinis Cruz
Owasp .Net Project
www.owasp.net
. Here are some links to Mono and Mono's CAS:
http://www.mono-project.com (main mono website site)
CAS - where we stand
Code Access Security in Mono
Mono CAS Wiki
Mono Security Manager Part I - Using CAS permissions
Hope somebody is listening
Din
. Moderator: TBD
Panelists: Dinis Cruz, OWASP .Net Project Lead and others TBD
The problem is in that last line: "Moderator: TBD, Panelists: Dinis Cruz, OWASP .Net Project Lead and others TBD", since at the moment it is only me :)
So I am doing this public call for panelists in the hope that I will find
. Eventually we will need to move to the Sandboxing
model, but I won't start the thread again :)
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
On 12/14/06, Kenneth Van Wyk [EMAIL PROTECTED] wrote:
I guess this falls into the "you can lead a horse to water, but you can't make him drink"
) to disclose the vulnerabilities that they know exist in their products (maybe in a format similar to http://research.eeye.com/html/advisories/upcoming/), we will have a good picture of what is really going on.
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
On 1/24/07, pete werner [EMAIL PROTECTED
Or read the transcript here:
http://www.nxtgenug.net/Interview.aspx?InterviewID=146
Btw, NxtGenUg is a great bunch of guys, so for the ones of you in the UK (and interested in .NET), you should participate in their events.
As always, feedback is very welcome
Dinis Cruz
Chief OWASP Evangelist
nice, the business model is evolving.
But this is still a very 'inefficient' attack since:
a) the final binaries were the ones infected (very easy to detect (imagine if the infected code was actually from 'real' SVN source code and made from a 'trusted' developer))
b) by the speed this was
free to contact me.
Best regards
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
---
For Immediate Release
*OWASP Spring Of Code 2007 sponsorship initiative and Membership
vulnerabilities (aka SQL Injection) but very hard for 'Business Logic Vulnerabilities' (should this user be accessing this data or making this transaction?)
This is why I jokingly said 'currently WAFs don't protect against layer 7 attacks, they only protect from Layer 7 1/2 attacks' :)
Dinis Cruz
Chief OWASP
they will not demand more secure systems.
So it's good news, we are still safe, since the Risk is quite low :)
Btw, at OWASP we are trying to organize an OWASP Day to coincide with the Global Security Week. See http://www.owasp.org/index.php/OWASP_Day for more details and please feel free to get involved :)
Dinis
Hi, here is an interview that I gave to Dr. Dobb's portal website where I talk about .NET, OWASP and continue to bang on the Sandbox Drum :)
http://www.ddj.com/security/202300130
Let me know your thoughts on it
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
) will be a very uncomfortable reading for a lot of people, but that might actually make some things change (for the better I hope)
Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org
On 10/9/07, Jeremiah Grossman [EMAIL PROTECTED] wrote:
Earlier this morning I posted several questions to my blog
://www.ouncelabs.com for kindly providing the WebEx facilities.
-
If you have any problems connecting to the WebEx session, please contact Kate Hartman ([EMAIL PROTECTED])
See you there,
Dinis Cruz
Paulo Coimbra
only mean anything in a partially-trusted environment (i.e. non-full trust applications).
Dinis Cruz
On Sat, Nov 22, 2008 at 10:24 PM, Romain Gaucher [EMAIL PROTECTED]wrote:
All,
The NSA has just unclassified a 300-page document about .NET 2.0 security
http://www.nsa.gov/snac/app/I731-008R
reading my post) you have further comments, ideas or worries about this OWASP 'activity' :)
Dinis Cruz
OWASP Board Member
On Wed, Sep 16, 2009 at 7:53 PM, Eric Dalci eric_da...@yahoo.fr wrote:
SC-L,
The Owasp Northern Virginia chapter is pleased to invite you to its next session on *Thursday
...) to embrace O2, and write the converters from/to their file formats.*
Thanks
Dinis Cruz
On Mon, Nov 16, 2009 at 2:16 PM, McGovern, James F. (eBusiness) james.mcgov...@thehartford.com wrote:
I spent some time over the weekend looking at the Ounce Findings file (OZASMT) and wonder
Error Handling from Spring, e) use Logging from ESAPI, etc...)
Thanks
Dinis Cruz
-based decisions'.
Dinis Cruz
2010/1/12 Jim Manico jim.man...@owasp.org
Very well said.
On this note, I think we may wish to consider formally splitting the interfaces from the reference implementation. We could then build a test framework that tests those interfaces - so we can verify
others, since we never know where it will happen next.
Please join us at the OWASP for Charities project, and in the short term in supporting the Haiti relief effort.
Thanks
Dinis Cruz
OWASP Board Member
-- Forwarded message --
From: Kate Hartmann kate.hartm...@owasp.org
Date
I'll be there and am looking forward to seeing it
Can you cover the need to: a) 'talk' to developers using UnitTests, b) stop giving developers PDFs/badometers, c) create security Labels for APIs/Apps and d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue the