
Web Application Security Newsletter - February 2008
Editor's Note: Web application security is certainly coming to the forefront of many organizations and industry associations. As hacking at the Web application layer continues, corporations and government agencies are getting a wake-up call. Regulatory standards and brand protection seem to be the main drivers for new initiatives in application security. In this newsletter we have highlighted some new developments and critical news relating to Web application security, including new Ajax threats, the enormous costs resulting from a breach, and the SANS Institute's new list that highlights Web application security as one of the top three threats. We have seen more companies launch initiatives to start testing and securing their Web applications. We believe that with more awareness and education, application security will become one of the key milestones for many corporations in 2008.
1. Ajax security concerns you need to be aware of
As more enterprises move toward Ajax and Web 2.0 applications, developers are well advised to gain a thorough understanding of three potential menaces in particular. Among other security pitfalls, cross-site request forgery (CSRF), JavaScript hijacking, and cross-site scripting (XSS) have become more prevalent in the age of Ajax and Web 2.0. According to one expert, allowing scripts from an untrustworthy party into your Web pages puts you at risk of an XSS attack. Read about these potential threats and some tips for protecting your applications.
2. One year later: Five takeaways from the TJX breach
It all began in mid-2005, with system intrusions at two Marshalls stores in Miami. For 18 months, the intrusions remained undetected, as criminals downloaded 80 GB of cardholder data. Eventually, TJX confirmed that at least 45.6 million customer card numbers were stolen. Aside from TJX becoming something of a poster child for bad digital security practices, the incident brings to light five takeaways for security managers.
3. The SANS Institute's 'top ten cyber security menaces for 2008'
Twelve SANS Institute cyber security veterans recently met to compile a list of the attacks most likely to cause substantial damage this year. Website attacks, botnets, and cyber espionage efforts by organized crime networks hold the top three positions. It should be no surprise that web application security exploits make the top ten list, with many websites still containing cross-site scripting, SQL injection, and other vulnerabilities. Web 2.0 applications are vulnerable because they process user-supplied data. These experts predict that Web 2.0 vulnerabilities will be added to traditional programming flaws, resulting in a growing number of web application attacks.
4. When it comes to security, chaos may be your friend!
Contrary to common thinking, an orderly and well-organized security system may not always be the best: security systems and security teams are sometimes more vulnerable to attacks because they are predictable. Predictability becomes their weakness, giving attackers a chance to exploit the predictable behaviors of the security system and stay one step ahead. Evasion mechanisms have also evolved from simple compression and encryption algorithms that obfuscate code to sophisticated polymorphic designs and self-mutating code that constantly create new variants.
5. Drive-By Pharming Now A Reality
The way it was: a home broadband router's DNS settings could be changed if someone whose router still used the default password surfed to an attacker's website. Fast forward to the new, more menacing version: an attacker does not need a password at all to exploit this flaw. What's really frightening is that once the DNS changes are made, the attacker controls where a user goes on the Internet through a router of an unnamed brand. Naturally, banks and other financial sites are popular travel destinations for the bad guys.