HP ASC Portal

Posts tagged "security"
  • Static Code Analysis Failures

    Static code analysis failures are costing enterprises money and reputation. White-box security testing is inherently a flawed proposition for many reasons - but it all comes down to a very simple concept: "Machines do not execute source code, they execute machine code (compiled code)." --Paul Anderson (GrammaTech). If you think this ...
    Posted to Rafal Los (Weblog) by Rafal Los on May 6, 2008
  • Security and Compliance - Strange Bedfellows Indeed

    It's a classic problem of which came first... the chicken or the egg? Politics or corruption? Security or compliance? While I admit it's not such a strange thing to see the two groups working together these days... I would like to point out some of the issues that I've come across between these two very ...
    Posted to Rafal Los (Weblog) by Rafal Los on May 1, 2008
  • In "cyberspace"... no one can hear your database scream

    It's 2:34am, local time. You're snoring up a storm after a hard day at the office. You've patched all your servers, your lockdown scripts have been verified, and your IDS is humming along perfectly. Oh, and by the way, someone named "R0kk1t" just stole your customer database. A quick ...
    Posted to Rafal Los (Weblog) by Rafal Los on April 9, 2008
  • "Security Vulnerability" != "Defect" ; why?

    It's one of those obvious things. A defect is a defect, right? Whether the airbag is faulty, or the gas cap doesn't hold pressure... a defect is a defect. The strange thing is - it hasn't been that way, and still isn't that way, in most of the IT shops I've been in. Why? The reason is simple. ...
    Posted to Rafal Los (Weblog) by Rafal Los on April 1, 2008
  • Ajax Security more than Increased Attack Surface

    I got an email from Christ1an the other day asking me what Ajax Security was all about. I was just going to send him the table of contents to the book, but I thought it might be educational to see how the components of Ajax security relate, and where they come from. In Jeremiah's fascinating Web Application Professionals Survey less than 3% of ...
    Posted to The HP Security laboratory (Weblog) by Billy on November 7, 2007
  • The real reason for (JavaScript|JSON) Hijacking

    When JSON hijacking was first discussed and demonstrated in 2006 and 2007 by Whitehat, Fortify and others, all of the proof of concepts used Mozilla specific JavaScript extensions like setter or __defineSetter__. This led many people to believe that these vulnerabilities only existed in Mozilla-derived browsers like Firefox because only those ...
    Posted to The HP Security laboratory (Weblog) by Billy on August 27, 2007