Security
»
Web Application Security: Don't Bolt It On; Build It In
Given the steady stream of Web application breaches worldwide, potential points of intrusion need to be identified at the beginning of a project, not after the fact. Performing application vulnerability testing during development (rather than after a breach has been detected) can save a company thousands of dollars in cleanup and downtime. The only way to reach the highest level of security is to build it in from the outset.
[read article...]
»
What You Need to Know about PCI Compliance and Web Application Security Policy Changes
PCI compliance exists to protect consumers from credit card fraud, and cardholder data is protected only if the rules are actually followed. If your business accepts credit cards, you should be aware of the PCI DSS changes that took effect in June 2008: Requirement 6.6, which calls for either a review of all Web-facing application code or an application-layer firewall in front of it, moved from "best practice" to mandatory. If you have not met it yet, Web application security must be integrated into your existing applications. Treat the mandate as an opportunity to evaluate your security practices.
[read article...]
»
Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot
A brute force attack, and its dictionary-based variant that tries likely passwords first, is one of the least sophisticated attacks available to an attacker. Even so, the odds of success can be very high if a site is not configured properly. Learn what can be done to defend a site against a brute force attack, including incremental delays between failed attempts and error messages that do not reveal whether a username exists, and which commonly suggested defensive strategies don't work.
[read article...]
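The two defenses the teaser names, incremental delays and a failure message that says the same thing whether the username exists or not, look like this in a small login guard. This is an added example, not code from the article; the in-memory user store, the injectable clock and the doubling delay schedule are illustrative assumptions.

```python
"""Login throttling with incremental delays and a generic failure message.

Added example, not code from the article: the in-memory user store, the
injectable clock and the delay schedule are illustrative assumptions.
"""
import hashlib
import hmac
import time

MAX_DELAY = 60.0          # cap, so an attacker cannot lock a user out forever
GENERIC_MSG = "Invalid username or password."   # same text for every failure


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive even if the hashes leak
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Hashed once so unknown usernames cost the same time as known ones.
_DUMMY_SALT = b"\0" * 16
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


class LoginGuard:
    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users        # {username: (salt, pbkdf2_hash)}
        self.clock = clock
        self.failures = {}        # key -> (consecutive failures, not_before)

    @staticmethod
    def delay_for(failures: int) -> float:
        # 0, 1, 2, 4, 8 ... seconds after each consecutive failure, capped
        return 0.0 if failures == 0 else min(2.0 ** (failures - 1), MAX_DELAY)

    def attempt(self, key: str, username: str, password: str):
        """key is what you throttle on, e.g. client IP plus username.

        Returns (success, message, seconds_to_wait)."""
        count, not_before = self.failures.get(key, (0, 0.0))
        now = self.clock()
        if now < not_before:
            # Still inside the penalty window: refuse without checking the
            # password, and report only how long to wait.
            return False, GENERIC_MSG, not_before - now
        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        # Constant-time compare; the dummy hash is computed even for unknown
        # users so timing does not reveal which accounts exist.
        ok = hmac.compare_digest(hash_password(password, salt), stored) and record is not None
        if ok:
            self.failures.pop(key, None)
            return True, "OK", 0.0
        count += 1
        wait = self.delay_for(count)
        self.failures[key] = (count, now + wait)
        return False, GENERIC_MSG, wait
```

The cap matters: without it, the delay itself becomes a denial-of-service lever against a legitimate user whose name an attacker keeps guessing against. Keying on client address plus username limits that further.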
»
Malicious Code Injection: It’s Not Just for SQL Anymore
While many developers are aware of the threats posed by malicious code, and by SQL injection attacks in particular, other forms of code injection are equally dangerous. Learn about XPath injection, LDAP injection, and command execution injection, with an example of each type of attack. Learn also why many of the preventive measures commonly suggested to developers are not helpful, and how whitelists (the preferred approach) and blacklists can help protect an application from malicious code injection attacks.
Written by Bryan Sullivan, a development manager at SPI Dynamics, a Web application security products company.
[read article...]
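The three injection classes the article covers, each in its vulnerable form beside a hardened one, followed by the kind of whitelist check the article recommends. This is an added example, not code from the article or from SPI Dynamics; the filters, the hostname rule and the use of `echo` as the stand-in command are assumptions made for illustration, and the command part assumes a POSIX shell.

```python
"""LDAP, XPath and OS command injection: each vulnerable form beside a
hardened one, plus an allow-list validator. Added example, not code from
the article; the filters, hostname rule and echo command are assumptions."""
import re
import subprocess

# --- LDAP: attacker-controlled filter syntax ------------------------------
def ldap_filter_vulnerable(username: str) -> str:
    return f"(&(objectClass=person)(uid={username}))"

_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def ldap_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={ldap_escape(username)}))"

# --- XPath: no parameter binding, so build a safe string literal ----------
def xpath_vulnerable(user: str) -> str:
    return f"//user[name='{user}']/password"

def xpath_literal(value: str) -> str:
    """Wrap value as an XPath literal; concat() handles mixed quotes."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"

def xpath_safe(user: str) -> str:
    return f"//user[name={xpath_literal(user)}]/password"

# --- OS command: shell string vs argument vector ---------------------------
def run_vulnerable(arg: str) -> str:
    # shell=True: ';', '|', '$(...)' inside arg are interpreted by the shell
    return subprocess.run("echo " + arg, shell=True, capture_output=True, text=True).stdout

def run_safe(arg: str) -> str:
    # argv list: arg is a single argument, no shell parses it
    return subprocess.run(["echo", arg], capture_output=True, text=True).stdout

# --- Whitelist: accept only what the field can legitimately contain ------
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def is_valid_hostname(value: str) -> bool:
    """Label-by-label hostname check; anything else is rejected outright."""
    return len(value) <= 253 and bool(_HOSTNAME.match(value))
```

Escaping fixes the syntax problem for one interpreter at a time (LDAP and XPath each need their own rules), whereas the argv form and the whitelist remove the interpreter from the path altogether; use the whitelist first and the escaping as the second layer.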
»
Testing for Security in the Age of Ajax Programming
Ajax programming, which lets a web page refresh a small portion of its data from a web server without a full page reload, is an exciting technology that has recently been introduced. But every Ajax call is another server endpoint that accepts input, so this style of programming can leave applications just as open to SQL injection and similar attacks as a traditional form post, and the partial-page traffic is easy to overlook in testing. Developers must test the application thoroughly for vulnerabilities before passing it on to the QA department, and QA engineers need to learn to "think like a hacker." Learn more about securing your website's Ajax programming.
Written by Bryan Sullivan, a development manager at SPI Dynamics, a Web application security products company.
[read article...]
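What the teaser warns about, in miniature: an Ajax search endpoint that reads a JSON body and splices the value into SQL, beside the same endpoint with a bound parameter. This is an added example, not code from the article or from SPI Dynamics; the SQLite table, its rows and the request format are constructed for illustration.

```python
"""An Ajax search endpoint that reads a JSON body and queries SQLite, in its
injectable form and with a parameterised query. Added example, not from the
article; table, rows and request format are constructed for illustration."""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("prototype-x", 1)],   # constructed rows
    )
    return conn


def request(q: str) -> str:
    """Body an XMLHttpRequest would POST, e.g. {"q": "widget"}."""
    return json.dumps({"q": q})


def search_vulnerable(conn, body: str) -> list:
    """Handler that splices the JSON field straight into the SQL text."""
    q = json.loads(body)["q"]
    sql = f"SELECT name FROM products WHERE name = '{q}' AND internal = 0"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, body: str) -> list:
    """Same handler with a bound parameter: q is data, never SQL."""
    q = json.loads(body)["q"]
    sql = "SELECT name FROM products WHERE name = ? AND internal = 0"
    return [row[0] for row in conn.execute(sql, (q,))]


# Constructed payload: closes the string, makes the WHERE always true and
# comments out the internal = 0 restriction.
PAYLOAD = request("' OR 1=1 --")
```

The JSON transport changes nothing about the injection: the point is that the endpoint is reachable by anyone who can send an HTTP request, so the server-side query must be parameterised regardless of what the page's JavaScript does.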
»
Application Error Handling: How to Avoid Death by a Thousand Cuts
Conscientious developers often want to help the end user when an application error occurs by displaying a message that contains detailed information. But if developers are overly helpful in their error handling, they can end up handing critical information (stack traces, file paths, database and table names, fragments of SQL) to an attacker. Learn the best practices that should be followed when creating error messages, including the guidelines that should be taken into consideration.
[read article...]
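The contrast the teaser describes, as an added example that is not from the article: a request wrapper that echoes the exception to the client, beside one that returns a generic message plus a correlation id and writes the detail to the server log. The handler, the in-memory log sink and the failing call are constructed for illustration.

```python
"""Unexpected-exception handling: echo the exception to the user, or return a
generic message with a correlation id while the detail goes to the log.
Added example, not from the article; handler, log sink and failure are constructed."""
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the example is self-contained."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


log_sink = ListHandler()
log.addHandler(log_sink)


def respond_helpful(handler):
    # Too helpful: exception text (paths, table names, credentials from a
    # connection string) and the trace reach whoever sent the request.
    try:
        return 200, handler()
    except Exception as exc:
        return 500, {"error": f"{type(exc).__name__}: {exc}", "trace": traceback.format_exc()}


def respond_safe(handler):
    # Generic message out; the full detail, keyed by an id the user can quote
    # to support, goes only to the server-side log.
    try:
        return 200, handler()
    except Exception:
        error_id = uuid.uuid4().hex
        log.error("error_id=%s\n%s", error_id, traceback.format_exc())
        return 500, {"error": "Something went wrong. Please try again later.",
                     "error_id": error_id}


def failing_handler():
    # Constructed failure carrying the kind of detail an attacker wants.
    raise ConnectionError("cannot open /srv/app/db.sqlite as user=app pw=hunter2")
```

The id is what makes the generic message workable in practice: support can find the full trace from it, and the user never sees anything an attacker could use.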
»
Web Application Security and Sarbanes-Oxley Compliance
An important issue facing companies today is Sarbanes-Oxley compliance, but because the U.S. Sarbanes-Oxley Act of 2002 (SOX) is relatively new, how the regulation is to be implemented has not been fully established. The requirements of SOX compliance focus on establishing a system of checks and balances for corporate financial reporting and are designed to hold executives, accountants, and auditors of public corporations to higher standards.
[read article...]
»
Locking the Door Behind You: Hacker Protection for Your Web Applications
Your Web applications can be the most important and most vulnerable entry point into your organization, so ensuring adequate hacker protection in your Web applications can be critical. A Web application includes not only the code that creates your Web site but also the architectural components (Web server, application server, database, and the configuration that ties them together) needed to make the site available and useful to the public, and any of these can make a Web site vulnerable to attacks like SQL injection or cross-site scripting (XSS). When considering hacker protection for your Web applications, you must account for all the components that work together to create a Web site, not just the visible face presented to the world at large.
[read article...]
»
The Latest in Internet Attacks: Web Application Worms
By now, most companies recognize that network security is an important aspect of daily operations, but few realize how quickly new methods of Internet attack are being invented. While organizations rush to develop their security policies and implement even a basic security foundation, the professional hacker continues to find new ways to attack by modifying old Internet worms, Trojans, and viruses, or creating completely new ones. Recently, the attention of these hackers has turned to Internet attacks targeted at the application layer, which can include either shrink-wrapped or custom applications. This layer is commonly the least protected layer of an organization's network. Industry experts estimate that three-fourths of the successful attacks targeting corporate networks are perpetrated via the application layer. Considering that Web applications by their nature allow access to internal and external audiences, these Internet attacks can pose a serious threat to an organization's back-end data without the organization's knowledge...
[read article...]
»
Paranoia: Cross Site Scripting
They're watching you - you know that? They've been scoping out your site for quite some time, looking at ways to screw with you and your site. All right, you think your code is secure, eh? Got the latest handy-dandy encryption on your stuff, all up to snuff on your patches and service packs. But you know what? You're making a critical blunder on your site, and you might not even know it. If you're taking information passed in on a Querystring and then you Response.Write it out on the page, uh-oh brother, you've got problems... You're ripe for the picking with Cross Site Scripting. Unless you already know where I'm going with this, read on.
[read article...]
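The blunder the teaser points at, a query-string value written straight into the page, reproduced as an added example in Python rather than the ASP.NET the article has in mind (this is not code from the article). The page template and the two attack URLs are constructed; the second one targets the attribute context, which plain angle-bracket stripping would miss.

```python
"""Reflected XSS: a query-string value written straight into the page beside
the HTML-encoded version. Added example, not from the article; the template
and the URLs are constructed."""
import html
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str) -> str:
    """First value of a query-string parameter, URL-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def greet_vulnerable(url: str) -> str:
    # Equivalent of Response.Write(Request.QueryString["name"]): whatever
    # the URL carries becomes markup, in both the text and attribute slots.
    name = _param(url, "name")
    return f'<p>Hello, {name}</p><input value="{name}">'


def greet_safe(url: str) -> str:
    # Encode for the HTML context; quote=True also escapes the double quote,
    # which is what keeps the attribute value from being broken out of.
    name = html.escape(_param(url, "name"), quote=True)
    return f'<p>Hello, {name}</p><input value="{name}">'


# Constructed attack URLs.
ATTACK_URL = "https://example.test/hello?name=%3Cscript%3Ealert(1)%3C/script%3E"
ATTR_ATTACK_URL = "https://example.test/hello?name=%22%20onfocus%3Dalert(1)%20autofocus%3D%22"
```

Encoding is context-specific: `html.escape` is right for element text and quoted attribute values, but a value landing inside a `<script>` block or a URL needs that context's encoding instead.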
»
Content Thieves
Someone's been stealing your content. Really. It's easy to do, too. I'm talking about all the fancy jpgs, docs and pdfs on your site. Guess what? If I can hit them with a URL, they're mine. Don't like it? Too bad. If you have a default page, I can set up a spider to snake out all of your content in a couple of minutes. Google has been doing it for quite a while - they finger your site, snatch out all of your graphics and your entire HTML. So, what's the solution? Enter the HttpHandler.
[read article...]
»
Security Smack Down
Security has always been a 'problem' with IIS, mostly because of the lackadaisical work habits of system administrators... I'll walk you through some of the easiest ways to lock down a machine and fix some of the snags that you might encounter when deploying an ASP.NET application. First Rule: If you don't know what you're doing, don't do it. Second Rule: Make sure you plug those holes that would make the "little Dutch boy" blush.
[read article...]
»
Encrypting QueryStrings with .NET
Once upon a time in the tech world, obscurity was security - this being most true in the early years of the industry, when there were gaping holes in privacy policies and confidential client information was bandied about from site to site without a care as to who actually could read the information. With the new Cryptography classes in .NET, there's absolutely no excuse for not hiding even the most innocuous user data.
[read article...]