
Web Application Security Newsletter - June 2006
A MESSAGE FROM THE EDITOR
As we travel around the U.S. delivering our Hackinars™, we find more and more companies concerned with the dangers of "hackers" and the security risks they pose. Hackers aren't limited to large corporations any longer, and our awareness of identity theft, insecure sites and phishing, from a consumer's perspective, needs to keep pace. Everywhere we go via the Internet, we are at risk of having our identities stolen, our bank accounts wiped clean or sensitive information made available while we are unaware. These avenues of information, shopping, and banking at our fingertips definitely have their place in easing our ever-increasing demands by making many things available to us quickly and conveniently. But convenience without security is not a good option. Do you wonder how many of the sites you frequent on a daily basis, with your login and password under the guise of being "secure", have been truly secure? Sometimes we just don't know what we don't know.
Please send your comments or feedback to editor@cenzic.com.
1. Credit card security rules to get updated
New rules reflect rising incidence of application-level attacks
New PCI rules respond to the increasing incidence of application-level attacks while allowing merchants alternatives to data encryption. The proposed update will require, by mid-2008, that merchants scan payment software for vulnerabilities. Current PCI rules only require validation of a secure network. Critics believe that relaxing encryption requirements might hurt consumer data security. Retailers who are not in compliance with the PCI standard face possible penalties, including fines.
2. SSL-enabled Web sites do not protect applications
Web server applications must be secure
While SSL protects users against attacks such as phishing, the applications running on the Web server remain vulnerable. SSL plays a critical role in protecting data in transit to the server, but separate measures must be taken to secure the server itself: an SSL-enabled Web site does nothing to stop cross-site scripting, SQL injection, or buffer overflows against the application behind it. Good patch management and secure coding practices are critical.
3. Oracle exec hits out at 'patch' mentality
Unreliable software: "a national security issue"
Speaking at the WWW2006 conference, Oracle CSO Davidson blasts the software industry, saying it is so plagued with buggy products that "you wouldn't get on a plane built by software developers." Davidson faults the industry's lack of training in safety, security, and reliability, and its culture of "patch, patch, patch," which costs businesses $59 billion. At a tipping point, the business of software has become a national security issue, with regulation a possibility.
4. Keep your Web applications secure
Web-based applications: a portal of choice for mischief
Web application security is often overlooked, even by companies that take other precautions such as scanning their systems for vulnerabilities. Relying solely on system-level security analysis of the Web platform leaves the applications on the Web server open to a variety of attacks, and an unsecured Web application offers an unauthorized path into an organization's network. Be aware of the top three Web application security flaws. Learn how these attacks occur and how you can strengthen your network security armor to prevent potentially harmful intrusions.
5. Preventing blind SQL injection attacks
Five best practices to lessen vulnerability
Although most security professionals are familiar with SQL injection attacks, they may not realize that the usual preventative measures still leave their applications open to blind SQL injection. The article explains the distinction between the two types of attack and why suppressing error messages, on its own, is ineffective. It then gives five measures you can use to protect your organization's applications against both kinds of attack.
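As an added illustration of the point above (this is example code written for this newsletter summary, not code from the article it describes), the following Python snippet uses an in-memory SQLite table to show why hiding error messages does not stop blind SQL injection: a string-built query with all errors swallowed still leaks the true/false outcome of whatever condition the input appends, whereas a parameterized query binds the same input as plain data. The table, column names and the `user_is_active_*` functions are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    return conn


def user_is_active_vulnerable(conn, username):
    """String-concatenated query with error messages suppressed.

    Suppressing errors hides details from an attacker but does not
    remove the injection: input that stays syntactically valid SQL
    raises no error, and the query's boolean result still leaks.
    """
    sql = ("SELECT active FROM users WHERE username = '"
           + username + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return False  # generic failure, nothing disclosed
    return bool(row and row[0])


def user_is_active_safe(conn, username):
    """Parameterized query: the input is bound as a literal value,
    so it can never change the structure of the statement."""
    row = conn.execute(
        "SELECT active FROM users WHERE username = ?",
        (username,)).fetchone()
    return bool(row and row[0])


def demo():
    conn = make_db()
    # Constructed input that is valid SQL once concatenated: it causes
    # no error, yet changes the query's truth value in the vulnerable
    # version. The safe version treats it as a username that does not exist.
    probe = "nobody' OR username = 'alice"
    return {
        "vuln_normal": user_is_active_vulnerable(conn, "alice"),
        "vuln_probe": user_is_active_vulnerable(conn, probe),
        "safe_normal": user_is_active_safe(conn, "alice"),
        "safe_probe": user_is_active_safe(conn, probe),
    }
```

Running `demo()` shows the vulnerable function answering `True` for both the legitimate lookup and the probe, while the parameterized function answers `True` only for the real username.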
6. Don't Just Meet the Minimum Security Standards. Create New and Better Practices!
Hands-on training can provide a path to more secure code
Although developers are an integral part of a company's security posture, many still lack education about information security attacks: what they are, how they occur, and how to prevent them. Organizations are urged to move beyond meeting current standards and best practices by providing hands-on training in attacking applications. Through direct experience, developers can begin integrating defense mechanisms into their code, and a hands-on approach can be critical to eventually making all code more secure.