Articles

There’s more to Web security than meets the eye

February 2nd, 2012

 - When we talk about Web security, we typically think about the common OWASP-type elements: (continue reading...)

To validate or not, is that the question?

January 19th, 2012

 - Recently, a project manager I work with asked me if I had manually validated a (continue reading...)

The critical Web-based systems that are going untested and unsecured

January 5th, 2012

 - I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is (continue reading...)

Securing FTP Running on Your Web Server

December 23rd, 2011

 - I’ve had several questions from clients recently on how they can secure FTP running on their web servers. The easy and short-sighted (continue reading...)

Good Web Security Tools and Why They Matter

December 14th, 2011

 - Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. (continue reading...)

Why You Need Intruder Lockout

December 1st, 2011

 - It’s a very predictable web security flaw — in fact, it’s something I find in the majority of my web security assessments: the lack of intruder (continue reading...)

Don’t Forget Your Marketing Website Security

November 9th, 2011

 - I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the (continue reading...)

Why people violate security policies

November 2nd, 2011

 - Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to (continue reading...)

Not All Web Vulnerability Scans Are Created Equal

October 27th, 2011

 - Recently a client of mine sent over the results of a web vulnerability scan that one of their customers had run against their production (continue reading...)

VIDEO: How Cross-Site Scripting (XSS) Works

October 12th, 2011

 - XSS vulnerabilities (Cross-Site Scripting vulnerabilities) are often overshadowed by their big cousin, the infamous SQL Injection. This does not (continue reading...)

Improving Web Security by Working With What You’ve Got

October 5th, 2011

 - As I wrote about in a previous post, we’re in the era of (continue reading...)

Explaining the “why” of Web application security

September 29th, 2011

 - Looking at the bigger picture of application security it seems that no one else really hears us. Sure, product managers, marketing, legal, HR and (continue reading...)

SQL Injection – The Web Flaw That Keeps on Giving

September 22nd, 2011

 - It’s hard to believe, but SQL injection as we know it has been around for 13 years. Yet, SQL (continue reading...)

Full Disclosure – 20 high profile sites vulnerable to XSS attacks

September 12th, 2011

 - On Thursday morning a post appeared on the popular Full Disclosure Internet discussion group listing XSS vulnerabilities in no less than 20 high profile websites. Amongst the vulnerable are McDonalds, IEEE Explore, Harvard University, and (continue reading...)

“Time to market” no longer the security excuse

September 9th, 2011

 - If you’ve heard it once you’ve probably heard it a thousand times: time to market is critical. Indeed, when it comes to software development, many business (continue reading...)

Getting employees on your side to improve Web security

September 1st, 2011

 - We often hear about “disgruntled workers” wreaking havoc on computer systems and sensitive information. Interestingly we never hear about what I call “ (continue reading...)

US Police Servers Breached in New Anonymous Attack

August 16th, 2011

 - On the 31st of July 2011, the system administrator of Brooks-Jeffrey Marketing (BJM) was working on his newly upgraded servers. At exactly the same time a hacker was slowly sniffing his way through the same systems and (continue reading...)

Anonymous hack US Department of Defence – Analysis of the Attack

August 4th, 2011

 - On the 12th of July 2011, Booz Allen Hamilton, the largest U.S. military defence contractor, admitted that they had just suffered a very serious security breach at the hands of hacktivist group AntiSec. Operation Anti-Security (AntiSec) is a (continue reading...)

VIDEO: SQL Injection tutorial

July 25th, 2011

 - SQL Injection is perhaps one of the most common application layer attack techniques used today, mainly used by malicious users to steal (continue reading...)

Properly Scoping your Web Security Assessments

July 18th, 2011

 - I’ve heard experts in time management say that one minute of planning (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.