
Security Content on InfoQ

  • Security in the Software Development Lifecycle

    Application security must be integrated into the software development process. Late-stage penetration testing is not sufficient, because by then it is too late and too expensive to fix mistakes. Steve Lipner from Microsoft spoke during the application security seminar at the RSA conference last week about security in the software development lifecycle.

  • Bill Veghte on Securing the Enterprise in a Changing World

    Bill Veghte from HP said that organizations need to adopt a new model for securing critical corporate infrastructure assets and information to support the modern business. He gave a keynote presentation at RSA 2011 Conference on Wednesday. IT is tied more closely to the business than ever and the new digital business model requires a new approach for managing security.

  • A Proposal for an HTTP Digital Signature Protocol and API

    Bill Burke, JBoss's Chief Architect and REST Easy Project Lead, published last week a proposal for a Digital Signature Protocol over HTTP. "DSig" is rapidly gaining popularity, more than 10 years after it was designed, due to the emergence of composite applications and the need to establish trusted relationships between their clients and services.

  • Oracle Releases Hotfix for the Double.parseDouble Bug in Record Time

    Oracle has released a hotfix for a recently re-discovered decade-old bug in the Java platform which could be used for denial of service attacks on servers. The fix was issued in record time.

  • Will SSL Collapse Under its Own Weight?

    Lori MacVittie from F5 Networks provided an analysis of the recent adoption of NIST SSL Deployment Guidelines by the US Government as of January 2011. Since all commercial certificate authorities now issue only 2048-bit keys, the capacity of a server to process SSL is severely impacted and invalidates the general belief that SSL is not computationally expensive.

  • Allegations of a Backdoor in OpenBSD Are Not Confirmed

    Some allegations regarding backdoors implemented at FBI’s request in OpenBSD’s IPsec stack were made earlier this month. After auditing the code, Theo de Raadt, the founder of OpenBSD, has concluded that there are no such threats in the open source operating system.

  • Security Assessment Techniques: Code Review v Pen Testing

    Web application security testing and assessment should include both security code review and penetration testing techniques. Dave Wichers, an OWASP Board Member, spoke at the recent AppSec DC 2010 Conference about the pros and cons of code reviews and penetration testing approaches in finding security vulnerabilities in web applications.

  • Amazon AWS Receives ISO 27001 Certification

    Last week, Amazon was awarded ISO/IEC 27001 certification for Amazon Web Services (AWS). The certification is significant in that ISO 27001 mandates that specific management controls and requirements be in place.

  • AppSec DC: Neal Ziring on Application Assurance

    Neal Ziring said that the role of developers is changing: they have become the first line of defense for applications. Neal presented the keynote session at the AppSec DC 2010 conference last week. He also talked about the application assurance process, with a focus on aspects like resilience and visibility.

  • Researchers Highlight Recent Uptick in Java Security Exploits

    Microsoft researcher Holly Stewart highlighted last week that Java has recently surged ahead of Adobe Acrobat as a favorite target for hackers wanting to take over computers. InfoQ looks at the specific exploits used as well as which patch of Java fixes them.

  • Padding Oracle Affects JSF, Ruby on Rails, ASP.NET

    Using a Padding Oracle (PO) attack, a malicious user can access encrypted data such as cookies, state, membership passwords, etc. According to Juliano Rizzo and Thai Duong, two software engineers specializing in security, the vulnerability affects JavaServer Faces, Ruby on Rails, ASP.NET and other technologies and platforms.

  • Is OAuth 2.0 Bad for the Web?

    Eran Hammer-Lahav, one of the editors of the OAuth 2.0 specification, published a diatribe on the latest standard draft. For him, the current proposal mortgages the future of the Web. He sees the current specification focusing too much on simplicity for the application developer while severely limiting the ability to create discoverable and interoperable services.

  • IBM X-Force Report: Enterprise Security Exploits Are Rising

    IBM has published the IBM X-Force® 2010 Mid-Year Trend and Risk Report August 2010 (112 pages long, free registration required) containing detailed information about the security vulnerabilities and exploits of 2010, such as JavaScript and PDF obfuscation, the current security threat trends in the enterprise, and a look into the future.

  • Will HTML5 be Secure Enough?

    Joab Jackson wrote an article detailing some of the potential vulnerabilities of the HTML5 standard set. Will security be the Achilles' heel of HTML5?

  • Java EE 6: Application Security Enhancements

    The Java Enterprise Edition Version 6 release includes new security features in the areas of web container security as well as the authentication and authorization aspects of Java application development. These features include programmatic and declarative security enforcement in the web tier. This post gives an overview of these new security features.
