[OWASP-HongKong] Recent Application Security News (Jul/Aug)

Anthony Lai anthonylai at owasp.org
Mon Aug 21 04:26:33 EDT 2006


Recent Application Security News

Aug 15 - Yes, you have an XSS problem
The Washington Post lists flaws in sites from Verisign, eEye Digital
Security, Cisco Systems, F-Secure, Snort.org, National Security Agency,
etc... If you're not sure whether you have XSS problems or not, you
probably do. You're compromising your customers' accounts and data. Should
the Post be publishing live exploits? We don't think so.
URL:
http://blog.washingtonpost.com/securityfix/2006/08/crosssite_scripting_flaws_abou.html

Aug 14 - Ajax threat coming fast
"We've gone from kids screwing around to criminals looking for ways to
make money in less than eight months...Imagine when the same flaws are
used to steal money from financial institutions"
URL: http://www.cio-today.com/story.xhtml?story_id=45124

Aug 11 - HSBC 'vulnerability' all smoke no fire
"I was put at ease the moment I saw that each article was hinting at the
researchers having made an assumption that every target has been infected
with a keylogger. A bit of an unreasonable assumption if you ask me, and I
think at this point it stops being "news" however the vulnerability is
quite interesting..."
URL: http://da.vidnicholson.com/2006/08/analysis-of-hsbc-vulnerability.html

Aug 9 - ModSecurity rocks WAF competition
"In the Forrester report ModSecurity was recognized as "the most widely
deployed web application firewall," with thousands of installations
worldwide."
URL:
http://www.marketwatch.com/news/story/story.aspx?guid=5CF5C1EBCEF64CD18618349227E23AC6&siteid=mktw&dist=nbk

Aug 2 - Michael Howard's code review process
Michael recommends prioritizing, but strangely doesn't use threat modeling
as a way to do it. Still, a great article because... "No one really likes
reviewing source code for security vulnerabilities; it’s slow, tedious,
and mind-numbingly boring. Yet, code review is a critical component of
shipping secure software to customers. Neglecting it isn’t an option."
URL:
http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2006/v4n4&file=basic.xml