Web App Security (webappsec) Mailing List

Re: Internal servers, web application firewalls, and learning modes

Tue, 02 Dec 2008 13:47:23 -0500

Posted by Preston Connors on Dec 02

I would create a Dial-Up VPN scenario where your users can dial in to
your Internal network over a secured VPN connection. That way you would
not have to reconfigure your Internal network and harden your webapps.
You can use a high level of encryption over your dial-up VPN ensuring
that the...

Internal servers, web application firewalls, and learning modes

Tue, 2 Dec 2008 08:14:25 -0800

Posted by Dan Lynch on Dec 2

Sorry for the long post. My questions are at the end, but first, take a
minute to see the hard limitations in our environment.

My organization has no in house specialized web expertise, not in web
development, or code audit, or web application vulnerability assessment.
None. In the current...

NASSCOMs Biggest Information Security Summit - Supported by OWASP India

Thu, 27 Nov 2008 15:25:58 +0530

Posted by Soi Dhruv on Nov 27

Dear Members,

I just wanted to bring it to your kind notice that a biggest information
security summit is being organized by NASSCOM in Hyderabad, India on
December 2nd-3rd 2008. Summit features some of the top-notch information
security experts who would be addressing some really painful...

Re: A Question of Quality

Sun, 30 Nov 2008 08:32:03 -0800

Posted by Alexander Bermudez on Nov 30

Pride of ownership may very well be the reason for lack of adequate QC and
Security control but my take is that it might have something to do with
security professionals not doing a good enough job of selling the value of
security in the SDLC. If the decision makers could be educated on the...

RE: New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework

Fri, 14 Nov 2008 12:14:23 +0200

Posted by Erez Metula on Nov 14

Hi Ragan,
Performance seems to be the main cause for the lack of signature check (although the overhead penalty occurs once per loaded DLL).
I also believe that Microsoft did some threat modeling and came to the right conclusion that since the checking mechanism is in the hands of the...

New Whitepaper - .NET Framework Rootkits: Backdoors inside your Framework

Thu, 13 Nov 2008 18:07:33 +0200

Posted by Erez Metula on Nov 13

Paper Name
===========

.NET Framework Rootkits - Backdoors inside your Framework
Author: Erez MetulaÑ

Paper Description
=================

The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.
It covers...

On-Demand Penetration Testing Webcasts with Ed Skoudis of SANS

11 Nov 2008 16:02:02 -0000

Posted by sfa_at_securityfocus.com on Nov 11

As a security pro, it's important to periodically stop, take a break, and refuel your brain. Once per month, Core Security Technologies does the same thing and invites industry thought leaders to share their insights through educational webcasts offering security testing tips, tricks and...

Re: A Question of Quality

Tue, 4 Nov 2008 00:26:06 +0100

Posted by Yousef Syed on Nov 4

Hi Marco, All,
I think the first time that I really got into the whole quality at the
code level was waay back in 2000 when I was involved in my first
Extreme Programming project.
It was mandated that all methods follow Design by Contract
(http://en.wikipedia.org/wiki/Design_by_contract), so...

Re: A Question of Quality

Tue, 4 Nov 2008 11:53:40 +0100

Posted by Daniël W. Crompton on Nov 4

2008/11/2 Robert Hajime Lanning <robert.lanning_at_gmail.com>:
> On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed_at_gmail.com> wrote:
>> Why isn't Quality Assumed?
>> Why isn't Security Assumed?
>> Why are these concepts thought of as add ons...

New Whitepaper - quotContinuing Business with Malware Infected Customersquot

Mon, 3 Nov 2008 10:29:37 -0500

Posted by WebAppSec on Nov 3

Hi List,

I figured I'd try sharing a new paper I completed and posted to my site
yesterday.

The paper is based off some of the work I've been discussing at various
conferences recently in relation to the man-in-the-browser attack vectors,
and their effect on financial Web applications - in...

CSRF attacks against OAuth

Mon, 3 Nov 2008 09:23:18 -0500

Posted by Jake Spekle on Nov 3

I came across this blog post this morning and thought it was
interesting and worth posting here:

http://blog.cliqset.com/2008/11/02/csrf-and-oauth/

Considering what OAuth is designed for, it seems like CSRF attacks
against it could prove to be quite fruitful for an attacker.

-
JS

...

Re: A Question of Quality

Sun, 2 Nov 2008 11:24:06 -0800

Posted by Robert Hajime Lanning on Nov 2

On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed_at_gmail.com> wrote:
> Why isn't Quality Assumed?
> Why isn't Security Assumed?
> Why are these concepts thought of as add ons to Applications and Services?
>
> Why do they need to be specified, when they...

The Month of Burp Pr0n

Sun, 2 Nov 2008 12:00:29 -0000

Posted by PortSwigger on Nov 2

Users of Burp Suite will no doubt be pleased to learn that work on the next
version is at an advanced stage, and this is scheduled for release in
December. This will be a major upgrade with numerous enhancements to
existing tools, and the addition of some brand new ones.

Every day during...

A Question of Quality

Fri, 31 Oct 2008 01:55:31 +0100

Posted by Yousef Syed on Oct 31

Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and Services?

Why do they need to be specified, when they should be taken for granted?
- Input Validation
- Boundary Conditions
- Encrypt Data as necessary
...

FINAL NOTICE: OWASP Portugal EU Summit

Mon, 27 Oct 2008 21:13:30 -0400

Posted by Dave Wichers on Oct 27

Itâs almost hereâ¦.one of the most important events in OWASP history, the 2008 Summit!

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

OWASP Summit EU 2008 is a worldwide gathering of OWASP leaders and key industry
players to present and discuss the latest OWASP tools and...