The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: Web Applications Security


Damn Vulnerable Web App (DVWA) 1.6.0 Released
Posted by cdupuis on Thursday, 04 March 2010 @ 11:52:21 EST (347 reads)
Topic Web Applications Security

As seen on the great SecurityDatabase web site:  http://www.security-database.com/

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.


Version v1.0.6

  • Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
  • Removed 'current password' input box for low+med CSRF security. 03/09/2009 (ethicalhack3r)
  • Added an article which was written for OWASP Turkey. 03/10/2009 (ethicalhack3r)
  • Added more troubleshooting information. 02/10/2009 (ethicalhack3r)
  • Stored XSS high now sanitises output. 02/10/2009 (ethicalhack3r)
  • Fixed a 'bug' in XSS stored low which made it not vulnerable. 02/10/2009 (ethicalhack3r)
  • Rewritten command execution high to use a whitelist. 30/09/09 (ethicalhack3r)
  • Fixed a command execution vulnerability in exec high. 17/09/09 (ethicalhack3r)
  • Added some troubleshooting info for PHP 5.2.6 in readme.txt. 17/09/09 (ethicalhack3r)
  • Added the upload directory to the upload help. 17/09/09 (ethicalhack3r)

Vulnerabilities

  • SQL Injection
  • XSS Stored/Reflected
  • LFI (Local File Inclusion)
  • RFI (Remote File Inclusion)
  • Command Execution
  • Upload Script
  • Login Brute Force
  • Full Path Disclosure
  • PHP-IDS
  • And much more...

Installation

  • Installation video: YouTube

    Default username = admin
    Default password = password

Database Setup

To set up the database, simply click on the Setup button in the main menu, then click on the 'Create / Reset Database' button. This will create / reset the database for you with some data in it.

If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php:


// in /config/config.inc.php: the MySQL credentials DVWA uses to create and reset its database
$_DVWA[ 'db_user' ] = 'your_database_username';
$_DVWA[ 'db_password' ] = 'your_database_password';
$_DVWA[ 'db_database' ] = 'your_database_name';

Everyone is welcome to contribute and help make DVWA as successful as it can be. Without the DVWA community, DVWA would not be what it is today.

More information, Official Web Site: DVWA


(comments? | Score: 0)
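As an added illustration of the whitelist approach the changelog mentions for the command execution exercise (example code written for this page, not DVWA's own PHP), the unsafe variant below interpolates a user-supplied host into a shell command line, while the hardened variant accepts only an IP literal or a syntactically valid DNS name and passes it as a separate argument with no shell involved. The ping-style command is an assumption about the exercise.

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")


def unsafe_command_line(host: str) -> str:
    """'Low security' style: the raw input becomes part of a shell command line.

    Anything the shell treats specially (';', '&&', '|', '$(...)') is interpreted,
    so the application ends up running whatever the user appended.
    """
    return "ping -c 1 " + host


def whitelist_host(host: str):
    """Return the normalised host if it is an IP literal or a valid DNS name, else None."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))  # accepts IPv4 and IPv6 literals only
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    return None


def safe_argv(host: str) -> list:
    """'High security' style: validate against the whitelist, then build an argv list.

    No shell is involved, and because neither branch of whitelist_host() can return a
    value starting with '-', the host cannot be mistaken for a ping option either.
    """
    valid = whitelist_host(host)
    if valid is None:
        raise ValueError(f"host rejected by whitelist: {host!r}")
    return ["ping", "-c", "1", valid]


def run_ping(host: str) -> str:
    """Execute the whitelisted command without a shell and return its standard output."""
    result = subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: the last three are the kind of strings the whitelist must reject.
    for candidate in ["127.0.0.1", "example.com", "::1", "127.0.0.1; id", "-f", "$(id)"]:
        try:
            print(candidate, "->", safe_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```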


2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Posted by cdupuis on Thursday, 04 March 2010 @ 11:02:15 EST (120 reads)
Topic Web Applications Security

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit.

They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.

Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.

Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software. 

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/).

MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE.

Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.

Get your own copy at:  http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf

 


(Read More... | Score: 0)


Web Security DOJO V1.0 has been released
Posted by cdupuis on Thursday, 04 March 2010 @ 07:31:36 EST (284 reads)
Topic Web Applications Security

Web Security Dojo

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.

Why?
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started - tools, targets, and documentation.

Where?
How?
To install Dojo, install and run VirtualBox, then use "Import Appliance" with the Dojo's OVF file.
Go here for VirtualBox instructions. As of version 1.0 a VMware version is also provided.

Who?
Sponsored by Maven Security Consulting Inc
(performing web app security testing & training since 1996)


Convenient virtual machine image (VirtualBox recommended, VMware provided)

Targets include:
Tools:
Upcoming Features:
  • More tutorials and documentation, including video tutorials
  • ISO release of live CD version, for direct install to hard drive
  • More targets
  • More tools
  • Enhancements/contributions to existing tools and targets
  • Debian packages for existing tools and targets to enhance VM creation and collaboration with other projects.
  • More detailed future changes on SourceForge in the feature request and bug trackers
GET IT AT:  http://sourceforge.net/projects/websecuritydojo/files/

(comments? | Score: 0)


Pangolin 3.2.1.1020 Released
Posted by cdupuis on Thursday, 04 March 2010 @ 07:20:07 EST (180 reads)
Topic Web Applications Security

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Release Notes
1. Support for Microsoft SQL Server 2008.
2. Improved SQL injection for MySQL; detection of the Unhex() function is supported.
3. New option added: Scan -> Extend scan mode, to optimize injection ability.
4. Improved cookie detection; multiple URL redirections are now injected correctly.

Pangolin FAQ

Network & Media resources:

  1. PANGOLIN: Automatización de inyección SQL(Spanish) http://www.hacktimes.com/?q=node/57
  2. Scanning an Oracle-based website with Pangolin (Flash)
    http://www.red-database-security.com/videos/oracle_videos.html
  3. Web Application Testing with Pangolin (Video & Screenshot)
    http://blog.red-database-security.com/2009/03/05/web-application-testing-with-pangolin-video-screenshot/print/



(comments? | Score: 0)


The Rugged Software Manifesto
Posted by cdupuis on Wednesday, 10 February 2010 @ 09:04:15 EST (421 reads)
Topic Web Applications Security

Anonymous writes "

The three authors of the manifesto are Josh Corman, an analyst with The 451 Group; David Rice, formerly with the National Security Agency and author of Geekonomics, a book about the real cost of insecure software; and Jeff Williams, the chairman of OWASP, an organization focused on Web application security. The trio announced the project at the SANS Institute AppSec Conference in San Francisco Monday.

The Rugged Software Manifesto

  • I am rugged... and more importantly, my code is rugged.
  • I recognize that software has become a foundation of our modern world.
  • I recognize the awesome responsibility that comes with this foundational role.
  • I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  • I recognize these things - and I choose to be rugged.
  • I am rugged because I refuse to be a source of vulnerability or weakness.
  • I am rugged because I assure my code will support its mission.
  • I am rugged because my code can face these challenges and persist in spite of them.
  • I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Official Announcement Document -

 

If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.

Visit their website at:  http://www.ruggedsoftware.org/

"

(comments? | Score: 0)


U.S. Army Website Hacked
Posted by cdupuis on Wednesday, 13 January 2010 @ 10:22:58 EST (373 reads)
Topic Web Applications Security

As seen on the DarkReading website:

SQL injection, plain-text passwords leave databases exposed

Jan 12, 2010 | 01:47 PM

By Kelly Jackson Higgins
DarkReading

Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.

"TinKode," a Romanian hacker who previously found holes in NASA's Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. "With this vulnerability I can see/extract all things from databases," he blogged.

TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site's name.

"Four-character passwords that are the same name as the database table names are inexcusable," says Robert "RSnake" Hansen, founder of SecTheory.

Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. "[This is] a good example of how terrible our security posture is, and he didn't even have to do anything tricky to find the exploit," he says.

TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker "unu" demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.

SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.

"Every organization has these problems," Hansen says. "They may not realize it, but they're just waiting for a smart kid to come along and copy off every critical piece of information they have."

 


(comments? | Score: 0)


Burp Suite v1.3 is now available
Posted by cdupuis on Friday, 08 January 2010 @ 09:27:20 EST (430 reads)
Topic Web Applications Security

Burp Suite v1.3 is now available for free download at http://portswigger.net/suite/

This is a major upgrade with a host of new features, including:

- A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.

- Facility to add comments and highlights to the proxy history and site map.

- Support for viewing and editing AMF-encoded messages.

- Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.

- Copy to file / paste from file to facilitate working with binary content.

- New display filters.

- Greatly enhanced extensibility.

- Configurable DNS resolution, to override your computer's own resolution, facilitating work with non-proxy-aware clients.

- Fine-grained upstream proxy rules.

- Exporting of HTTP messages and metadata in XML format.

For more details see:
http://blog.portswigger.net/2010/01/burp-suite-v13-released.html

Cheers

PortSwigger


(Read More... | Score: 0)


Nikto 2.1.0 has been released
Posted by cdupuis on Tuesday, 20 October 2009 @ 16:07:34 EDT (1129 reads)
Topic Web Applications Security

It's final time to stop procrastinating: Nikto 2.1.0 is here!

(Available from http://cirt.net/nikto2)

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

Changes include:

* Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins

* Rewrite to the reporting engine allowing reporting plugins to cover more and also ensuring that output is written if Nikto is quit before finishing

* Large overhaul of documentation to document built-in methods and variables (available in the tarball or on cirt.net)

* Addition of caching to reduce amount of calls made to the web servers, as well as a facility to disable smart 404 guessing.

* Addition of simple guessing for whether a system is an embedded device and to report what it is

* Plugin to use OWASP's dictionary lists to attempt to brute force directories on the remote web server (as mutate 6)

* Plugin to attempt to brute force domains (as mutate 5)

* Allow username guessing (mutate 3 and 4) to use a dictionary file as well as brute forcing

* Support for NTLM authentication

* Lots of bug fixes and new security checks

Please, try out, break and report bugs and suggestions...

Thanks

dave


(comments? | Score: 0)


Replicating the Gonzalez Cyber Attacks through Penetration Testing
Posted by cdupuis on Wednesday, 26 August 2009 @ 21:28:56 EDT (1312 reads)
Topic Web Applications Security

YOU’RE INVITED: IT SECURITY WEBCAST
 
“Replicating the Gonzalez Cyber Attacks through Penetration Testing"
 
Date: Thursday, September 3, 2009
Time:  2pm EDT / 11am PDT (GMT -4:00, New York)
Register: http://www.coresecurity.com/Form/generic/campaign/gonzalez
 
*** A recording of the webcast will be sent to everyone who registers, so be sure to sign up even if you can’t attend the live session. ***
---------------------------------------------------------------------------------
 
Last week saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.
 
Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzalez allegedly stole millions of credit card numbers* – showing you how to identify IT exposures in your own environment before cybercriminals do.
 
 
During the webcast, you’ll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:
 
• the initial web application compromise via SQL Injection
• the use of a well-known backend database command to make the attacks even more invasive
• the planting of malware on the backend database server
• the collection and transmission of credit card transactions to the attackers
 
Through the demonstration, you’ll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by …
 
• assessing how deployed defenses react to specific threats
• revealing what systems and data would be exposed by a breach
• depicting how chains of vulnerabilities open paths to mission-critical systems and information
• providing actionable data for immediately mitigating critical exposures
• repeating tests to ensure the effectiveness of remediation efforts
 
This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.
 
 
*Core Security has no specific knowledge of the Gonzalez case other than the information described in the indictment and other public sources. By presenting this technical information, Core Security is in no way prejudging, or presenting a position or opinion on, the allegations made against any of the parties named in the indictment.

Best Regards,
 
Core Security Technologies
41 Farnsworth Street
Boston, MA 02210


(Read More... | 5 comments | Score: 0)


SamuraiWTF Web Application testing Virtual Machine
Posted by cdupuis on Wednesday, 20 May 2009 @ 21:28:49 EDT (922 reads)
Topic Web Applications Security

Anonymous writes "

Hello everyone,

The SamuraiWTF project team is proud to announce the immediate release of SamuraiWTF 0.6.  This release is available at http://samurai.inguardians.com.

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

We have updated and fixed a number of issues with the environment as well as improved performance of the Java-based tools. We have also included a virtual machine of the environment. This VM requires VMware.

If there are any questions, please either send them to samurai@inguardians.com or join the developers mailing list on sourceforge.net.

Thank you
Kevin and the project team

Kevin Johnson
Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024

"

(Read More... | 2 comments | Score: 0)


moth - vulnerable web application vmware
Posted by cdupuis on Friday, 08 May 2009 @ 09:02:25 EDT (973 reads)
Topic Web Applications Security

Anonymous writes "

Moth is a VMware image with a set of vulnerable Web Applications and scripts that you may use for:

   - Testing Web Application Security Scanners
   - Testing Static Code Analysis tools (SCA)
   - Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading "anantasec-report.pdf" which is included in the release file which you are free to download.  The main objective of this tool is to give the community a ready to use testbed for web application security tools.

For almost every web application vulnerability in existence, there is a test script available in moth.

Other tools like this are available but they lack one very important feature: a list of vulnerabilities included in the Web Applications!

In our case, we used the results gathered in the anantasec report to solve this issue without any extra work.

There are three different ways to access the web applications and vulnerable scripts:

   - Directly
   - Through mod_security
   - Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is very useful for testing web application scanners, and teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using the three methods; which helps a lot in the learning process.

This is the first contribution of Bonsai Information Security to the w3af project.

Many more contributions are on their way.

More information about moth and the download link can be found here:

http://www.bonsai-sec.com/research/moth.php

Cheers,
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

"

(Read More... | 2 comments | Score: 0)


Web App Security, Web Apps Testing Checklist, Protecting Passwords
Posted by cdupuis on Monday, 04 May 2009 @ 21:59:10 EDT (696 reads)
Topic Web Applications Security

Anonymous writes "

Hi,

I have just updated the security section of my web site; there's a couple of pages that may interest people on this list:

A high-level overview of web application security: http://pajhome.org.uk/security/web.html

Checklist for testing web apps: http://pajhome.org.uk/security/webchecks.html

Also, for many years I have provided a JavaScript MD5 library. This can be used to perform challenge-response authentication, protecting passwords on sites that do not use SSL. I have recently approached some of the main web frameworks, to encourage them to implement this in their authentication library.


http://pajhome.org.uk/crypt/md5/

I'd welcome any comments on the above.

Best wishes,

Paul

"

(Read More... | 3 comments | Score: 0)
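An added sketch of the challenge-response flow Paul describes, with both client and server sides in one Python file (example code written for this page, not Paul's JavaScript MD5 library). It substitutes HMAC-SHA256 for the MD5-based construction and adds single-use, expiring nonces; the comments spell out what the scheme does and does not protect on a site without SSL.

```python
import hashlib
import hmac
import secrets
import time


def derive_secret(username: str, password: str) -> bytes:
    """Password-derived secret shared by client and server (the username acts as a salt).

    Both ends compute this from the password, so the server must store it. Note that the
    stored value is password-equivalent and needs the same protection as the password itself.
    """
    return hashlib.sha256(f"{username}:{password}".encode()).digest()


def compute_response(secret: bytes, nonce: str) -> str:
    """Client side: prove knowledge of the secret without ever sending the password."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    def __init__(self, nonce_lifetime: float = 60.0):
        self._users = {}      # username -> derived secret (constructed in-memory store)
        self._pending = {}    # username -> (nonce, time issued)
        self._lifetime = nonce_lifetime

    def register(self, username: str, password: str) -> None:
        self._users[username] = derive_secret(username, password)

    def issue_challenge(self, username: str) -> str:
        """Fresh random nonce per login attempt; it is what makes a sniffed response useless later."""
        nonce = secrets.token_hex(16)
        self._pending[username] = (nonce, time.monotonic())
        return nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        # pop(): each nonce is accepted at most once, so replaying a captured response fails.
        pending = self._pending.pop(username, None)
        if pending is None or pending[0] != nonce:
            return False
        if time.monotonic() - pending[1] > self._lifetime:
            return False
        secret = self._users.get(username)
        if secret is None:
            return False
        expected = compute_response(secret, nonce)
        return hmac.compare_digest(expected, response)


def login(server: ChallengeResponseServer, username: str, password: str):
    """Run one exchange; returns (ok, nonce, response) so the transcript can be inspected."""
    nonce = server.issue_challenge(username)
    response = compute_response(derive_secret(username, password), nonce)
    return server.verify(username, nonce, response), nonce, response


# What this protects: a passive eavesdropper on a non-SSL connection sees only the nonce and
# the HMAC, never the password. What it does not protect: an active man-in-the-middle can relay
# the exchange or serve a modified login page, and a captured (nonce, response) pair still allows
# offline guessing of weak passwords. SSL/TLS remains the baseline; this only narrows the gap.
```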


Is the enemy already living side by side with you without your knowledge?
Posted by cdupuis on Wednesday, 29 April 2009 @ 10:28:41 EDT (702 reads)
Topic Web Applications Security

---------- Forwarded message ----------
From: WebAppSec
Date: Tue, Apr 28, 2009 at 08:12
Subject: New WebApp security paper: Anti-fraud Image Solutions
To: webappsec@securityfocus.com

WebAppSec gurus,

I recently had some time on my hands to write up a whitepaper covering a topic that I've been repeatedly queried about over the years - how can you tell which person "stole" a copy of your Web application content and used it to build a phishing or fraud site?

It's not a particularly easy question to answer, but there are a number of things that can be done to help this identification task. One useful component of that identification process is the embedding of unique tagging information within the content of the application. This process, referred to as Distribution Tracing, can be applied to the images used to construct the Web site.

The paper "Anti-fraud Image Solutions" is now available on my Web site at:
http://www.technicalinfo.net/papers/AntiFraudImageSolutions.html

...and there's a blog on the topic over at:
http://technicalinfodotnet.blogspot.com/2009/04/who-cloned-web-site-heres-how-to-tell.html


Hope the paper proves insightful for some of you having to advise your customers directly. I'll offer a beer at BlackHat Las Vegas this year to the first person to name 3 large international banks that already use this tracing process, and the algorithm they went with :-)

Cheers,

Gunter Ollmann


(Read More... | 2 comments | Score: 0)
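An added illustration of the Distribution Tracing idea from the message above (example code written for this page, not Gunter Ollmann's paper or any of the bank algorithms it alludes to): each copy of a site image is tagged with a per-recipient identifier, here carried in a PNG tEXt chunk as an HMAC so a tag can neither be forged nor mapped back to a recipient without the key, and a reader later recovers which distribution a cloned copy came from. The 1x1 PNG, the keyword and the secret are constructed for the example; a metadata chunk is the simplest carrier and is lost if the image is re-encoded, so treat it as the easy case rather than a robust watermark.

```python
import hashlib
import hmac
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TAG_KEYWORD = b"DistributionTag"   # tEXt keyword chosen for this example


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def minimal_png() -> bytes:
    """Constructed stand-in for a site image: a valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, ...
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte 0 + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def make_tag(secret: bytes, distribution_id: str) -> str:
    """Keyed tag: without the secret nobody can forge a tag or map it back to an ID."""
    return hmac.new(secret, distribution_id.encode(), hashlib.sha256).hexdigest()[:32]


def tag_png(png: bytes, secret: bytes, distribution_id: str) -> bytes:
    """Return a copy of the image with a tEXt chunk inserted just before IEND."""
    text = TAG_KEYWORD + b"\x00" + make_tag(secret, distribution_id).encode("latin-1")
    out = bytearray(PNG_SIGNATURE)
    for ctype, data in iter_chunks(png):
        if ctype == b"IEND":
            out += _chunk(b"tEXt", text)
        out += _chunk(ctype, data)
    return bytes(out)


def read_tag(png: bytes):
    """Extract the tag from a (possibly cloned) image, or None if it carries none."""
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            keyword, _, value = data.partition(b"\x00")
            if keyword == TAG_KEYWORD:
                return value.decode("latin-1")
    return None


def identify_distribution(png: bytes, secret: bytes, known_ids):
    """Site owner's side: recompute the tag for each known recipient and find the match."""
    tag = read_tag(png)
    if tag is None:
        return None
    for distribution_id in known_ids:
        if hmac.compare_digest(make_tag(secret, distribution_id), tag):
            return distribution_id
    return None


if __name__ == "__main__":
    key = b"constructed-example-secret"
    clone = tag_png(minimal_png(), key, "partner-0042")   # the copy a partner was served
    print("tag in suspected clone:", read_tag(clone))
    print("came from:", identify_distribution(clone, key, ["partner-0001", "partner-0042"]))
```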


Caught In the Web Webinar with Shon Harris, Wayne Burke, and Benjamin Bock
Posted by cdupuis on Tuesday, 27 January 2009 @ 03:35:19 EST (1085 reads)
Topic Web Applications Security

Anonymous writes "

Good day to all,

I would like to personally invite you to join Wayne Burke, Benjamin Böck & Shon Harris for an overview of today's web vulnerabilities which will help you understand why hackers have so much fun at layer 7 of the OSI model. This is where the whole game is being played today.

Topic: "Caught In the Web" Part 1 with Wayne Burke, Benjamin Böck & Shon Harris
Host: Core Webcast
Date and Time:
February 18, 2009 2:00 pm, Eastern Standard Time (GMT -05:00, New York)
Event number: 801 511 119

You can register and view more information about this webcast by visiting the following link:

"Caught In the Web"

-------------------------------------------------------
For assistance
-------------------------------------------------------
You can contact Core Webcast at:  michael.yaffe@coresecurity.com

"

(Read More... | 189 comments | Score: 0)


Web Application Security: Don't Bolt It On; Build It In
Posted by cdupuis on Saturday, 26 July 2008 @ 12:24:30 EDT (4236 reads)
Topic Web Applications Security


How secure are your Web applications? Unless you conduct application vulnerability testing throughout the lifespan of your applications, there's no way for you to know about your web application security. That's not good news for your security or regulatory compliance efforts.

Companies make significant investments to develop high-performance Web applications so customers can do business whenever and wherever they choose. While convenient, this 24-7 access also invites criminal hackers who seek a potential windfall by exploiting those very same highly available corporate applications.

The only way to succeed against Web application attacks is to build secure and sustainable applications from the start. Yet, many businesses find they have more Web applications and vulnerabilities than security professionals to test and remedy them - especially when application vulnerability testing doesn't occur until after an application has been sent to production. This leads to applications being very susceptible to attack and increases the unacceptable risk of applications failing regulatory audits. In fact, many forget that compliance mandates like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, and European Union privacy regulations, all require demonstrable, verifiable security, especially where most of today's risk exists - at the Web application level.

In an attempt to mitigate these risks, companies use firewalls and intrusion detection/prevention technologies to try to protect both their networks and applications. But these web application security measures are not enough. Web applications introduce vulnerabilities, which can't be blocked by firewalls, by allowing access to an organization's systems and information. Perhaps that's why experts estimate that a majority of security breaches today are targeted at Web applications.

One way to achieve sustainable web application security is to incorporate application vulnerability testing into each phase of an application's lifecycle - from development to quality assurance to deployment - and continually during operation. Since all Web applications need to meet functional and performance standards to be of business value, it makes good sense to incorporate web application security and application vulnerability testing as part of existing function and performance testing. And unless you do this - test for security at every phase of each application's lifecycle - your data probably is more vulnerable than you realize.

Neglecting Application Vulnerability Testing: Risks and Costs of Poor Security

Consider supermarket chain Hannaford Bros., which reportedly now is spending billions to bolster its IT and web application security - after attackers managed to steal up to 4.2 million credit and debit card numbers from its network. Or, the three hackers recently indicted for stealing thousands of credit card numbers by inserting packet sniffers on the corporate network of a major restaurant chain.

The potential costs of these and related Web application attacks add up quickly. When you consider the expense of the forensic analysis of compromised systems, increased call center activity from upset customers, legal fees and regulatory fines, data breach disclosure notices sent to affected customers, as well as other business and customer losses, it's no surprise that news reports often detail incidents costing anywhere from $20 million to $4.5 billion. The research firm Forrester estimates that the cost of a security breach ranges from about $90 to $305 per compromised record.

Other costs that result from shoddy web application security include the inability to conduct business during denial-of-service attacks, crashed applications, reduced performance, and the potential loss of intellectual property to competitors.

What's so surprising, aside from all of the security and regulatory risks we've described, is that it's actually more cost effective to use application vulnerability testing to find and fix security-related software defects during development. Most experts agree that while it costs a few hundred dollars to catch such flaws during the requirements phase, it could cost well over $12,000 to fix that same flaw after the application has been sent to production.

There's only one way to ensure that your applications are secure, compliant, and can be managed cost-effectively, and that's to adopt a lifecycle approach to web application security.

The Web Application Security Lifecycle

Web applications need to start secure to stay secure. In other words, they should be built using secure coding practices, go through a series of QA and application vulnerability testing, and be monitored continually in production. This is known as the web application security lifecycle.

Remedying security problems during the development process via application vulnerability testing isn't something that can be achieved immediately. It takes time to integrate security into the various stages of software development. But any organization that has undertaken other initiatives, such as implementing the Capability Maturity Model (CMM) or even undergoing a Six Sigma program, knows that the effort is worth it because systematized application vulnerability testing processes provide better results, more efficiency, and cost savings over time.

Fortunately, application assessment and security tools are available today that will help you get there without slowing project schedules. But in order to strengthen development throughout the application life cycle, it's essential to pick application vulnerability testing tools that aid developers, testers, security professionals, and application owners, and that integrate tightly with popular IDEs such as Eclipse and Microsoft's Visual Studio.NET for developers.

And just as standardization on development processes - such as RAD (rapid application development) and agile - brings development efficiencies, saves time, and improves quality, it's clear that strengthening the software development life cycle, possessing the right security testing tools, and placing software security higher in the priority list are excellent and invaluable long-term business investments.

What types of web application security tools should you look for? Most companies are aware of network vulnerability scanners, such as Nessus, that evaluate the infrastructure for certain types of vulnerabilities. But fewer are aware of application vulnerability testing and assessment tools that are designed to analyze Web applications and Web services for flaws specific to them, such as invalid inputs and cross-site scripting vulnerabilities. These Web application security and vulnerability scanners are not only useful for custom-built applications but also to make sure that commercially acquired software is secure.

There are also web application security tools that help instill good security and quality control earlier and throughout development. For instance, these application vulnerability testing tools help developers find and fix application vulnerabilities automatically while they code their Web applications and Web services. There also are quality inspection applications that help QA professionals incorporate Web application security and application vulnerability testing into their existing management processes automatically.

It's also important to know that technology alone won't get the job done. You need management support, too. And no matter how large or small your development efforts, all stakeholders - business and application owners, security, regulatory compliance, audit, and quality assurance teams - should have a say from the beginning, and benchmarks must be set for quality application vulnerability testing.

While it may seem like a daunting undertaking at first, the web application security lifecycle approach actually saves money and effort by establishing and maintaining more secure applications. Remedying security defects after an application is released requires additional time and resources, adding unanticipated costs to finished projects. It also diverts attention from other projects, potentially delaying time to market of new products and services. Moreover, you'll avoid the excessive expense of fixing flaws after the application has been deployed and after you've failed regulatory audits, and you'll avoid the embarrassment of being the next security breach news headline.

About the Author

Caleb Sima is the former co-founder and CTO of SPI Dynamics, which was acquired by HP Software in August 2007. He is now responsible for directing the lifecycle of HP's Web application security solutions and is the Chief Technologist for the HP Application Security Center. Prior to joining HP, Caleb worked for the elite X-Force R&D team at Internet Security Systems and as a security engineer for S1 Corporation. Caleb is a frequent speaker and press resource on Internet attacks and has contributed to Baseline Magazine and (IN)Secure Magazine, as well as being featured in the Associated Press. He is also a Microsoft Most Valuable Professional (MVP) in Visual Developer Security. For more details on enhancing web security, please visit www.HP.com.

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).