Front Page News
-
Static code analysis failures are costing enterprises money and reputation. White-box security testing is inherently a flawed proposition for many reasons - but it all comes down to a very simple concept: Machines do not execute source code, they execute...
-
It's a classic problem of which came first... the chicken or the egg? politics or corruption? security or compliance? While I admit, it's not such a strange thing to see the two groups working together these days... I would like to point out some...
-
It's 2:34am, local time. You're snoring up a storm after a hard day at the office. You've patched all your servers, your lockdown scripts have been verified, and your IDS is humming along perfectly. Oh, and by the way, someone named "R0kk1t"...
-
For those of you who keep up with the PCI DSS standard, the council today has issued an update titled: Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified. The standard item 6.6 has been further clarified in one of...
-
It's one of those obvious things. A defect is a defect, right? Whether the airbag is faulty, or the gas cap doesn't hold pressure... a defect is a defect. The strange thing is - it hasn't been that way, and still isn't that way, in most...
-
1) SAP Internet Transaction Server Multiple Cross-Site Scripting Vulnerabilities SAP Internet Transaction Server is susceptible to multiple instances of Cross-Site Scripting. If exploited, these vulnerabilities could give an attacker the means to perform...
-
1) IBM Lotus Expeditor URI Handler Command Execution Vulnerability IBM Lotus Expeditor is susceptible to a remote command-execution vulnerability because user-supplied input is not properly sanitized. Attackers who successfully exploit this issue can...
-
1) F5 BIG-IP Web Management Interface 'NEW_VALUE' Parameter Remote Code Injection Vulnerability F5 BIG-IP Web Management Interface is susceptible to a remote code injection vulnerability. Attackers who successfully exploit this vulnerability could...
-
Introducing HP QAInspect 5.0 HP QAInspect completes the third pillar of Application Lifecycle Optimization. Does it work? Does it perform? Is it secure? Built on the foundation of the award-winning application scanning technology in HP WebInspect, QAInspect...
-
Over the last 8 years in IT Security, I've had at least a professional interest in the idea of penetration testing and the opinion of this service has evolved as the IT Security market niche matures and grows. I wanted to take a minute to discuss...
-
It's the words that keep IT Security Managers up at night - "We have a problem, I think we've been hacked". Of course, there are few possible responses... Acknowledge Responsibly - You can acknowledge what has happened, open an investigation,...
-
1) Webutil 'webutil.pl' Multiple Remote Command Execution Vulnerabilities Webutil is susceptible to multiple command execution vulnerabilities which remote attackers can leverage to execute arbitrary commands. Successful exploitation can lead...
-
Our Ajax Security book from Addison Wesley has been published! By now I'm sure everyone is tired of me talking about the book and its merits, so let's see what some of the experts in the web security space are saying about it: Andrew van der Stock...
-
Netcraft is reporting today about a phishing attack leveraging XSS against an Italian bank. From the article (emphasis mine) An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to...
-
Introducing HP DevInspect 5.0 HP DevInspect extends the reach of HP’s Application Lifecycle Optimization portfolio into product development. Combining our award-winning dynamic application scanning technology with static code analysis, HP DevInspect...
-
First, let me say thanks for clicking and taking a minute to read my column. I hope to keep your attention while teaching you something you hopefully don't already know, so come back often, bookmark me, or feed it into your RSS reader. Let me use this...
-
Hi everyone, we have just completed the new HP Application Security Resource Library. Your one stop shop for product datasheets, whitepapers and presentations. If you are currently going to the downloads section on the Portal site for some of this information...
-
While reading through an article about Firefox 3 on Security Focus today I snarfed my drink when I read the following passage: The group also rewrote the Password Manager in JavaScript from C++ to eliminate memory errors, Schroepfer said. Digging a little...
-
1) IBM Lotus QuickPlace 'Main.nsf' Cross-Site Scripting Vulnerability IBM Lotus QuickPlace is susceptible to a Cross-Site Scripting vulnerability. If exploited, this vulnerability could give an attacker the means to perform account hijacking,...
-
1) Microsoft Internet Information Services ASP Remote Code-Execution Vulnerability IIS is susceptible to a remote code-execution vulnerability that can be exploited via malicious input to vulnerable ASP pages. Attackers who successfully exploit this vulnerability...
-
1) Dokeos Multiple Remote Code Execution and Cross-Site Scripting Vulnerabilities Dokeos is susceptible to multiple remote code execution and Cross-Site Scripting vulnerabilities. Exploitation of these vulnerabilities could lead to a complete compromise...
-
1) Coppermine Photo Gallery Multiple Remote Command Execution Vulnerabilities Coppermine Photo Gallery is susceptible to multiple remote command execution vulnerabilities. Remote attackers can exploit this vulnerability to execute arbitrary commands with...
-
Some developers and I wandered across a pretty interesting situation recently: it seems there is an ambiguous corner case concerning how to resolve a relative URI containing only query parameters (a link such as "?foo=bar"). We were finding...
-
Thank you to all who attended our presentation on Web Application Security with QAInspect. HP QAInspect lets you conduct and manage functional testing and website security testing from a single platform without the need for specialized security knowledge....
-
Welcome to 2008. By now you have no doubt made and broken a number of New Year's resolutions. Not to worry if you've already wasted $50 bucks on a gym membership, there's always next year. I do however hope that taking PCI seriously was on...