I have released a new document 'Challenges faced by automated web application security assessment tools' that a few of you may find interesting.
URL:
http://www.cgisecurity.com/articles/scannerchallenges.shtml
Comments welcome.
- Robert
http://www.cgisecurity.com/ Website Security news, and
I've just released an article about how the Quality Assurance phase of the development cycle can incorporate security testing into a standard test plan, and make it part of the regular testing cycle.
Writing Software Security Test Cases: Putting security test cases into your test plan
http://
> This is great, and something I have incorporated into our own cycle
> previously, as carving out a spot on our team as the "security engineer"
> didn't seem to work. But by creating a process for including security
> testing, abuse cases, etc. I was able to incorporate security without a big
> hi
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw.
URL: The Cross-site Request Forgery FAQ
http://www.cgisecurity.com/articles/csrf-faq.shtml
Regards,
- Robert
[E
> > URL: The Cross-site Request Forgery FAQ
> > http://www.cgisecurity.com/articles/csrf-faq.shtml
>
> Regarding, "Who discovered CSRF?", the attack is mentioned in section
> 4.3.5 of RFC 2109, which dates back February 1997. Of course, the
> suggested remedies look rather strange today.
I h
> Question is: would it make sense to lobby for disclosure requirements of all
> writes software does, to whatever, and reasons for them, as conditions to
> make it fit for sale? Perhaps likewise to be a (or the?) defense against
> claims the software is doing things to others' machines wi
I'll be there.
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
>
> How many of the list members are going to RSA? Any plans to get together for
> some coffee?
>
> ___
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List i
> a) the final binaries were the ones infected (very easy to detect (imagine
> if the infected code was actually from 'real' SVN source code and made from
> a 'trusted' developer))
> b) by the speed this was detected the exploit (and the blog page didn't
> give a lot of details about it) must hav
> what do you think? have compliance efforts you know about helped to
> forward software security?
Compliance brings accountability. Without accountability or financial impact, people have little incentive for putting security on the priority list. I for one welcome our compliance overlords.
R
> Gary, may I suggest an alternative response to application firewalls and the
> notion that it is hair-brained? Of course this is true but this list is
> missing a major opportunity to finally calculate an ROI model. If you ask
> yourself, what types of firewalls are pervasively deployed, you w
>
>
> On Wed, 6 Jun 2007, Wietse Venema wrote:
>
> > more and more people, with less and less experience, will be
> > "programming" computer systems.
> >
> > The challenge is to provide environments that allow less experienced
> > people to "program" computer systems without introducing gaping
>
Hello Andy,
> Once an application is released or put into production, what are
> organizations doing to keep the applications secure? As new
Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the SOC) or use a service such as whi
For starters, I believe you misinterpreted my comments on QA. I was in no way slamming their abilities. With this in mind, comments below.
> Before anyone talks about vulnerabilities to test for, we have to figure out
> what the business cares about and why. What could go wrong? Who cares? Wh
>