-
Building a Web Application Security Program, Part 8: Putting It All Together
"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of your particular organization.…
-
MS08-078 and the SDL
Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it. "Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry for this bug…
-
Software [In]security: Software Security Top 10 Surprises
"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay…
-
Budgeting for Web Application Security
Jeremiah has published an entry on budgeting for web application security in your company. "“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many security professionals face…
-
Understanding How to Use Microsoft’s Exploitability Index
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment process. The Exploitability Index…
-
Threat Models Improve Your Security Process
"This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks. As a setup…
-
Agile SDL: Streamline Security Practices For Agile Development
"In the September 2008 issue of MSDN Magazine, I wrote a column about the additions that Microsoft has made to the Security Development Lifecycle (SDL) process to address security vulnerabilities in online services. I talked about the importance of input validation and output encoding in order to prevent cross-site scripting attacks; about using parameterized stored…
-
Why Microsoft’s SDL Missed MS08-067 in their own words
"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some of the details, it’s…
-
Article: SDL Embraces The Web
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through this SDL guidance…
-
Most Corporations Lack Proper SDLC
"The current state of secure software development by corporations both large and small is a mess. Software vendors need to realize that they must begin exercising due diligence when producing their software products. Microsoft dedicated itself to secure development practices some years ago, yet its developers are still taking months to fix reported vulnerabilities. If…
-
Elevator pitch for explaining security risks to executives
Lenny Zeltser has posted an entry on SANS on how to pitch security risks to upper management. "How to catch the attention of a busy executive, to highlight an important security risk? An elevator pitch is a persuasive statement delivered verbally in the time you would share with the listener in an elevator–about 60 seconds.…
-
Getting started with Web application misuse cases
"When developing applications it isn't enough to think about how they will be used. You must also consider how they will be misused — or abused — so that you can prevent attacks. Kevin Beaver gives some examples of Web application weak spots that your development team should consider." Article Link: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1310166,00.html
-
The essentials of Web application threat modeling
"A critical part of Web application security is mapping out what's at risk — a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences — not the actual indication of intent to cause disruption (a threat).…
-
Using industry best practices for effective security training
"Improved employee understanding of appropriate behaviors and best practices for enhanced information security reduces security risks and helps ensure compliance with regulations such as Sarbanes-Oxley, HIPAA, the Payment Card Industry Data Security Standards (PCI DSS) and others. But merely providing security training is not enough. Organizations need to know if training programs have been successful…
-
Your Next Security Frontier? Software!
"Software testing generally falls under the purview of the quality assurance (QA) test team. The problem is that QA testers test the products for compliance with its functional requirements and specifications. Put another way, they test how the software works, not how someone can break or misuse software for illicit purposes. To adequately test the…
-
Building Secure Applications: Consistent Logging
"This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks.…
-
Halvar Flake vs. Michael Howard on memcpy
"Halvar’s reaction to Microsoft’s Michael Howard hinting that memcpy may soon be verboten in Redmond code: This is an excellent idea – and along with memcpy, malloc() should be banned. While we are at it, the addition and multiplication operators have caused so much grief over the last years, I think it would make total…
-
Article: The business case for security frameworks
I’ve written a new article for The Web Application Security Consortium‘s Guest Article Project. From the paper "One of the reasons why vulnerabilities are still common-place is because new generations of developers are making the same mistakes. I don’t put the majority of the blame on them because they may not know any better. Many…
-
A Software Call To Arms: Where are source control repository security scanning tools?
<rant> We’ve heard of source code analysis tools and blackbox scanning tools, and they have value in helping secure your application. Unfortunately, they have a major downside: they require the discipline of using them. If your developers don’t run them, they can still check in vulnerable code to your source code repository. For the past…
-
Security Development Lifecycle (SDL) Banned Function Calls
Michael Howard has a very good article on bad API calls to avoid when developing C/C++ applications. "When the C runtime library (CRT) was first created about 25 years ago, the threats to computers were different; machines were not as interconnected as they are today, and attacks were not as prevalent. With this in mind,…
-
Detect Your Web Application’s Vulnerabilities Early with Ruby
"Web application fuzzing is a method of detecting a web application’s vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application’s security posture. Users also can apply fuzzing to perform tests on several different attack…
-
Using Fuzzers in Software Testing: Identifying Application Risks
I’ve written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle, using a language that they are familiar with, in short, to-the-point articles. "Fuzzers are used to perform…
-
Writing Software Security Test Cases: Putting security test cases into your test plan
Besides CGISecurity.com, I'm involved with my other project, QASec.com, a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing. I've just written an article explaining how Quality Assurance Engineers can include security testing in their test plans. "Part of software testing involves replicating customer use cases against…
-
The lack of security enabled frameworks is why we’re vulnerable
We’ve been stating for years that ‘developers need to learn to code securely’. Sure, this is great; however, it is essentially limited to skilled professionals. This isn’t to say we shouldn’t keep teaching; however, rather than simply focusing on those paying attention, we should start babysitting the remaining majority. So how do you watch what a developer…