Browse by Tags
All Tags » testing (RSS)
-
Static code analysis failures are costing enterprises money and reputation.
White-box security testing is inherently a flawed proposition for many reasons - but it all comes down to a very simple concept:
Machines do not execute source code, they execute machine code (compiled code). --Paul Anderson (GrammaTech)
If you think this ...
-
For those of you who keep up with the PCI DSS standard, the council today has issued an update titled: Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified.
The standard item 6.6 has been further clarified in one of two options, as before, being either Application Code Reviews or an Application ...
-
It's one of those obvious things. A defect is a defect, right? Whether the airbag is faulty, or the gas cap doesn't hold pressure... a defect is a defect. The strange thing is - it hasn't been that way, and still isn't that way, in most of the IT shops I've been in. Why?
The reason is simple. ...
-
EW,
One of our engineers, Bryan Sullivan, recently wrote an article about teaching your QA department about how to test Ajax applications properly for security defects. It's a good read:
http://www.devcity.net/Articles/273/1/article.aspx
Enjoy!
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. – ...
-
I have read and heard a lot of information about the new dangers related to Ajax-enabled sites. I am really interested in methods being used by the "pros" to test Ajax-heavy sites.
Request modifications must happen the same way as traditional web app testing occurs. Catch the request in a proxy, identify the changes ...