InfoQ


Vulnerabilities Content on InfoQ


Latest featured content about Vulnerabilities

Resilient Security Architecture

Topics
Security Assessment,
Security,
Vulnerabilities,
Threat Modeling

In this IEEE article, author John Diamant talks about how to improve the security quality of software applications using a proactive approach, with techniques like security requirements gap analysis and architectural threat analysis in the early phases of the software development life cycle.

Enhanced Detection of Malware

Topics
Intel,
SOA Platforms,
Cloud Security,
Companies,
Casestudy,
SOA,
Operations,
Stories & Case Studies,
Enterprise Architecture,
Architecture,
Security,
Cloud Computing,
Agile,
Infrastructure,
Vulnerabilities

This article, from Intel, discusses significant new threats to host agents, outlines a generic architecture for malware detection based on enhanced cloud computing, describes how Intel platform technologies can be used to enhance computing solutions, and ends with a threat analysis of the approaches presented. The article's focus is malware that masks its presence from traditional security agents.

The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware

Topics
Intel,
Companies,
Cloud Security,
SOA Platforms,
SOA,
Cloud Computing,
Architecture,
Enterprise Architecture,
Security,
Vulnerabilities,
Software Troubleshooting

Botnets are the latest scourge to hit the Internet. This article defines a botnet (a collection of distributed computers or systems that has been taken over by rogue software), examines the botnet life cycle, and presents several promising anti-botnet defense strategies, including canary detectors, white lists, and malware traces.

News about Vulnerabilities

GitHub Compromised by Mass Assignment Vulnerability

Topics
ASP.NET MVC,
Ruby,
ASP.NET,
Dynamic Languages,
.NET,
Languages,
Programming,
Ruby on Rails,
Vulnerabilities

GitHub was recently compromised by a vulnerability in Ruby on Rails known as mass assignment. This vulnerability is thought to affect not only a large number of Ruby-based websites, but also those using ASP.NET MVC and other ORM-backed web frameworks.

Major Denial of Service Vulnerability Affects Most Web Servers

Topics
Glassfish,
Ruby,
Application Servers,
Java,
Dynamic Languages,
ASP.NET,
Languages,
.NET,
PHP,
Programming,
Web Servers,
Tomcat,
Vulnerabilities

Security researchers Alexander Klink and Julian Wälde revealed a serious vulnerability that until recently affected the vast majority of web servers. The attack requires only a single HTTP request that is specially designed to create hash code collisions in POST form data. When first discovered, this attack affected Python, Ruby, PHP, Java, and ASP.NET, but vendors have been working on patches.

Padding Oracle Affects JSF, Ruby on Rails, ASP.NET

Topics
Ruby,
Java,
Dynamic Languages,
.NET,
Languages,
Programming,
Security,
Vulnerabilities,
Web Server

Using a Padding Oracle (PO) attack, a malicious user can access encrypted data such as cookies, state, membership password, etc. According to Juliano Rizzo and Thai Duong, two software engineers specializing in security, the vulnerability affects JavaServer Faces, Ruby on Rails, ASP.NET and other technologies and platforms.

IBM X-Force Report: Enterprise Security Exploits Are Rising

Topics
Javascript,
Web Development,
Dynamic Languages,
Languages,
IBM,
Programming,
Architecture,
Companies,
Security,
PDF,
Vulnerabilities

IBM has published the IBM X-Force® 2010 Mid-Year Trend and Risk Report August 2010 (112 pages long, free registration required) containing detailed information about the security vulnerabilities and exploits of 2010, such as JavaScript and PDF obfuscation, the current security threat trends in the enterprise, and a look into the future.

Learning About Security Vulnerabilities by Hacking Google’s Jarlsberg

Topics
Ruby,
Java,
Dynamic Languages,
Languages,
.NET,
Google,
Programming,
Security,
Architecture,
Vulnerabilities,
Companies

For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg containing a web application full of security holes, ready to be exploited by developers who want to learn hands-on what some of the possible vulnerabilities are, how malicious users use them, and what can be done to prevent such exploits.

A .NET Security Vulnerability Has Affected Firefox

Topics
.NET,
Programming,
Vulnerabilities,
Security,
Firefox,
Browsers,
Architecture,
Internet Explorer

A security vulnerability that has hit Internet Explorer through .NET has also hit Firefox. The culprit for Firefox, a .NET add-on, has been put on Mozilla’s blocked list.

Internet Security: an Interview with David Durham

Topics
Intel,
Encryption,
HTTP,
SOA Platforms,
Companies,
Cloud Security,
W3C,
Cryptography,
Operations,
SOA,
Security,
Specifications,
Cloud Computing,
Infrastructure,
Architecture,
Enterprise Architecture,
Vulnerabilities,
Interviews

David Durham, manager of Intel's Security and Cryptography Research group, was recently interviewed on the subject of Internet and Computer Security. The interview covers a wide range of topics including the "monetization of malware," Cloud-based detection of malware, security of data stored in the Cloud, "Botnets in the Dark Cloud," and malware as a tool in geo-politics.

Ruby on Rails Security Vulnerabilities

Topics
Ruby on Rails,
Ruby,
Dynamic Languages,
Languages,
Programming,
Security,
Vulnerabilities,
Rails

There has been a buzz around the Ruby on Rails community lately over discovered security vulnerabilities and subsequent updates that every Rails developer should be made aware of.