» Web Application Security: Don't Bolt It On; Build It In
by Caleb Sima | Published 06/12/2008
In light of Web application security breaches worldwide, potential avenues for intrusion must be identified at the beginning of development. Performing application vulnerability testing during production (and not after a breach has been detected) can save a company thousands of dollars. The only way to ensure the highest level of security is to build it in from the outset.
» What You Need to Know about PCI Compliance and Web Application Security Policy Changes
by Michael Sutton | Published 03/28/2008
PCI compliance exists to protect consumers from credit fraud, and their data will be protected if the rules are followed. If your business accepts credit cards, you are aware of the changes to PCI compliance in June. Section 6.6 of the PCI rules should already have been satisfied; if not, web application security must be integrated into existing applications. This mandate gives businesses an opportunity to evaluate their security practices.
» Effective Controls for Attaining Continuous Application Security Throughout the Web Application Development Life Cycle
by Caleb Sima | Published 09/28/2007
Improving your Web application development process is one of the best ways to avoid security vulnerabilities and nasty surprises during security assessments. Learn about the points in the software development life cycle where additional security awareness and training is needed to ensure that your organization remains successful and secure.
» Implementing Effective Vulnerability Remediation Strategies Within the Web Application Development Lifecycle
by Caleb Sima | Published 08/02/2007
After a security assessment has been performed as part of the web application development lifecycle, it is important to understand how to address and fix any application vulnerabilities that are uncovered. Learn more about the steps that should be taken during the remediation process, from categorization to testing and validation, and find out why collaboration among developers is critical for success.
» Web Application Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site
by Caleb Sima | Published 06/21/2007
It is important for a business to understand the fundamentals of running a vulnerability assessment in order to determine how one will be run and what can be expected from the results. A web application security scanner can automate the process, but a quality assessment may still require actual human eyes to catch specific issues. Learn more about the whys and hows of vulnerability assessments.
» Interpreting the Results of a Vulnerability Assessment: How to Focus on What's Important in Your Web Application Security Testing
by Caleb Sima | Published 03/07/2007
The results of an extensive vulnerability assessment of a Web application can appear overwhelming on first review. However, it is important to understand that many Web application security holes found by such an assessment may in fact not matter to an organization's specific situation. Learn more about how to weed through such findings to establish which need to be addressed and which are in fact not urgent.
» Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?
by Dennis Hurst | Published 02/27/2007
Lately, many people have been asking what is more important: using vulnerability analysis tools to assess web-based applications or instead focusing on penetration testing. The fact is that both are important and that a combination approach can prove to be more valuable. Learn more about how the web application security industry has evolved and what needs to be done to ensure the security of applications.
» Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot
by Bryan Sullivan | Published 01/10/2007
A brute force attack, also known as a dictionary attack, is one of the more uncomplicated attacks available to a hacker. However, the odds of this type of attack succeeding can be very high if a site is not configured properly. Learn more about what can be done to defend a site against a brute force attack - including implementing incremental delays and carefully wording error messages - and which defensive strategies don't work.
» Malicious Code Injection: It’s Not Just for SQL Anymore
by Bryan Sullivan | Published 11/11/2006
While many developers are aware of the threats posed by malicious code, and by SQL injection attacks in particular, there are other forms of code injection that are equally dangerous. Learn more about XPath injection, LDAP injection, and command execution injection and view examples of each type of attack. In addition, learn why many preventative actions that are commonly suggested to developers are not helpful, and discover how the creation of whitelists and blacklists can help to protect an application from malicious code injection attacks.
This article has been written by Bryan Sullivan, who is a development manager at SPI Dynamics, a Web application security products company.
» Testing for Security in the Age of Ajax Programming
by Bryan Sullivan | Published 10/13/2006
Ajax programming, which allows a web page to refresh a small portion of its data from a web server, is an exciting technology that has recently been introduced. However, this type of programming can also leave applications open to SQL injection and similar attacks. It is important for the developer to test the application thoroughly for vulnerabilities before passing it on to the QA department. And the QA engineer needs to learn to "think like a hacker." Learn more about securing your website's Ajax programming.
» Application Error Handling: How to Avoid Death by a Thousand Cuts
by Bryan Sullivan | Published 09/01/2006
Conscientious developers often want to help the end user when an application error occurs by creating a message to be displayed that contains detailed information. However, if developers are overly helpful with their error handling approach, they can wind up giving up critical information to an attacker. Learn about the best practices that should be followed when creating error messages, including important guidelines that should be taken into consideration.
» Beyond Stored Procedures: Defense-in-Depth Against SQL Injection
by Bryan Sullivan | Published 07/17/2006
Unless you are certain that you have taken the right steps to counter SQL Injection attacks, you may be more vulnerable than you think.
» Web Application Security and Sarbanes-Oxley Compliance
by Caleb Sima | Published 02/01/2006
An important issue facing companies today is Sarbanes-Oxley compliance, but, as the U.S. Sarbanes-Oxley Act of 2002 (SOX) is relatively new, the implementation of the regulation has not been fully established. The requirements of SOX compliance focus on establishing a system of checks and balances for corporate financial reporting and are designed to hold executives, accountants, and auditors of public corporations to higher standards.
» Security Risk Assessment and Management in Web Application Security
by Caleb Sima | Published 12/16/2005
Security risk assessment and security risk management have become vital tasks for security officers and IT managers. This article looks at some of the issues.
» Locking the Door Behind You: Hacker Protection for Your Web Applications
by Caleb Sima | Published 10/16/2005
Your Web applications can be the most important and most vulnerable entry point into your organization, and, as such, ensuring adequate hacker protection in your Web applications can be critical. A Web application not only includes the code that creates your Web site, but also the architectural components necessary to make a Web site available and useful to the public – both of which can make a Web site vulnerable to attacks like SQL injection or cross site scripting (XSS). When considering hacker protection for your Web applications, you must account for all the components that work together to create a Web site, not just the visible face presented to the world at large.
» The Latest in Internet Attacks: Web Application Worms
by Caleb Sima | Published 09/07/2005
By now, most companies recognize that network security is an important aspect of daily operations, but few realize how quickly new methods of Internet attacks are being invented. While organizations rush to develop their security policies and implement even a basic security foundation, the professional hacker continues to find new ways to attack by modifying old Internet worms, Trojans, and viruses, or creating completely new ones. Recently, the attention of these hackers has reverted to Internet attacks targeted at the application layer, which can include either shrink-wrapped or custom applications. This layer is commonly the least protected layer of an organization's network. Industry experts estimate that three-fourths of the successful attacks targeting corporate networks are perpetrated via the application layer. Considering the nature of Web applications that allow access to internal and external audiences, these Internet attacks can pose a serious threat to an organization's back-end data without the organization's knowledge...
» Paranoia: Cross Site Scripting
by Tiberius OsBurn | Published 03/27/2003
They're watching you - you know that? They've been scoping out your site for quite some time, looking at ways to screw with you and your site. All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, all up to snuff on your patches and service packs. But you know what? You're making a critical blunder on your site, and you might not even know it. If you're taking information passed in on a Querystring and then you Response.Write it out on the page, uh-oh brother, you've got problems... You're ripe for the picking with Cross Site Scripting. Unless you already know where I'm going with this, read on.
» Content Thieves
by Tiberius OsBurn | Published 10/06/2002
Someone's been stealing your content. Really. It's easy to do, too. I'm talking about all the fancy jpgs, docs and pdfs on your site. Guess what? If I can hit them with a URL, they're mine. Don't like it? Too bad. If you have a default page, I can set up a spider to snake out all of your content in a couple of minutes. Google has been doing it for quite a while - they finger your site, snatch out all of your graphics and your entire HTML. So, what's the solution? Enter the HttpHandler.
» Security Smack Down
by Tiberius OsBurn | Published 09/27/2002
Security has always been a 'problem' with IIS, mostly because of the lackadaisical work habits of system administrators... I'll walk you through some of the easiest ways to lock down a machine and fix some of the snags that you might encounter when deploying an ASP.NET application. First Rule: If you don't know what you're doing, don't do it. Second Rule: Make sure you plug those holes that would make the "little Dutch boy" blush.
» Encrypting QueryStrings with .NET
by Tiberius OsBurn | Published 09/04/2002
Once upon a time in the tech world, obscurity was security - this being most true in the early years of the industry, when there were gaping holes in privacy policies and confidential client information was bandied about from site to site without a care as to who actually could read the information. With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the most innocuous user data.