- Although running WebInspect with 'out of the box' scan settings might be the easiest way to start a scan, it is almost sure to produce unexpected results. Configuring any web application scanner is tricky, but by following these simple steps to fine-tune the scan, more accurate results will...
- A new report this week from ITC reveals that eighty-five percent of IT security decision makers think that losing data via an external threat is "very unlikely." Wow. Once upon a time, anyone involved in application security had a need to educate potential customers on why application security...
- Numbers lie. Recently, California made headlines after more than 800 data breach disclosures were filed in the first five months of 2009. Upon closer inspection, the large number of incidents does not represent a rise in actual incidents, but just a change in mandated reporting practices due to California's...
- HP Application Security's own Caleb Sima, Chenxi Wang of Forrester Research, and Vinnie Liu of Stach and Liu give a great presentation about why corporations with seemingly insurmountable application security issues would do well to implement a SaaS solution. Tight timelines, limited budgets, and...
- I'm thrilled to announce that I have been selected to speak at the StarWest 2009 Quality Conference (SQE), October 5-9, 2009, hosted at the Disneyland Hotel in Anaheim, CA! The link to the conference website is here (http://www.sqe.com/starwest/Schedule/Default.aspx) and there are a number of awesome...
- Corporate web communications have grown from simple web pages to massive and complex applications. The security department has mostly kept up and maintained a secure perimeter—even when that perimeter included outsourced and vendor systems. Contracts were in place, systems were secured, and life...
- This is a great article about the value of a hacked PC to an attacker. While this focuses on personal PCs, all of these reasons can also apply to compromised web servers. Remember, web hacking has evolved. Script kiddies began by defacing web sites and conducting other forms of cyber vandalism. As applications...
- One of our security researchers just happened to stumble across this interesting High Scores area of a free Flash skeet shooting game. Notice scores 6-10. Now I'm not saying he had anything to do with this. What I am saying is that if your query parameters can be manipulated, some hacker will...
- A recent OWASP survey found that over a quarter of IT organizations plan to spend more money specifically for web application security. Another 36% expect web application security spending to remain at current levels. Considering the state of the economy, those are good numbers. Even with recessionary...
- On the heels of my OWASP talk regarding decompiling and analyzing Flash files [see SWFScan link], lots of you have asked "So what about Flash file encryption or obfuscation? Does that make my code any more secure?" I've done the research and talked to experts (including our very own Billy...
- The term "Enterprise Web Application Security Program" has been evolving. It generally refers to a corporate IT program which includes web application code in some way, and has traditionally meant either a white-box approach or a black-box approach, either through the use of tools or the use...
- Congratulations Mr. President, your Web 2.0 campaign to be the "hip" president has just been hijacked. In an interesting news article published originally on CyberInsecure.com, someone has decided to use the President's popularity to hijack his potential, and unsuspecting, users and drump...
- Well, it's official, we're all another year older now. Welcome to 2009, and what I can only hope will be a great year in information security. I'm sure you've all read your share of scary predictions for 2009 from vendors, journalists, bloggers and such, so why should I deprive you of...
- Had a great time presenting, and talking with you all after. I know I painted a gloomy picture, but remember: you can succeed by taking that first step. Here are some key points: Don't let anyone tell you that it's all or nothing... Risk management is all about mitigating to a point of acceptable...
- Let me start off by reminding you that the main mission of this blog is to provide insight and perspective (from more than just the security angle) on web application security and risk management. Keep that in mind as you read on... I read an article on ZDNet tonight, as I usually do to catch up on things...