Security Content on InfoQ

  • Allegations of a Backdoor in OpenBSD Are Not Confirmed

    Some allegations regarding backdoors implemented at FBI’s request in OpenBSD’s IPsec stack were made earlier this month. After auditing the code, Theo de Raadt, the founder of OpenBSD, has concluded that there are no such threats in the open source operating system.

  • Security Assessment Techniques: Code Review v Pen Testing

    Web application security testing and assessment should include both security code review and penetration testing techniques. Dave Wichers, an OWASP Board Member, spoke at the recent AppSec DC 2010 Conference about the pros and cons of code reviews and penetration testing approaches in finding security vulnerabilities in web applications.

  • Amazon AWS Receives ISO 27001 Certification

    Last week, Amazon was awarded the ISO/IEC 27001 certification for Amazon Web Services, AWS. The certification is significant in that ISO 27001 mandates specific management controls and requirements to be in place.

  • AppSec DC: Neal Ziring on Application Assurance

    Neal Ziring said that the role of developers is changing: they have become the first line of defense for applications. Neal presented the keynote session at the AppSec DC 2010 conference last week. He also talked about the application assurance process, with a focus on aspects such as resilience and visibility.

  • Researchers Highlight Recent Uptick in Java Security Exploits

    Microsoft researcher Holly Stewart highlighted last week that Java has recently surged ahead of Adobe Acrobat as a favorite target for hackers wanting to take over computers. InfoQ looks at the specific exploits used as well as which patch of Java fixes them.

  • Padding Oracle Affects JSF, Ruby on Rails, ASP.NET

    Using a Padding Oracle (PO) attack, a malicious user can access encrypted data such as cookies, view state, membership passwords, etc. According to Juliano Rizzo and Thai Duong, two software engineers specializing in security, the vulnerability affects JavaServer Faces, Ruby on Rails, ASP.NET and other technologies and platforms.

  • Is OAuth 2.0 Bad for the Web?

    Eran Hammer-Lahav, one of the editors of the OAuth 2.0 specification, published a diatribe on the latest standard draft. For him, the current proposal mortgages the future of the Web. He sees the current specification focusing too much on simplicity for the application developer while severely limiting the ability to create discoverable and interoperable services.

  • IBM X-Force Report: Enterprise Security Exploits Are Rising

    IBM has published the IBM X-Force 2010 Mid-Year Trend and Risk Report, August 2010 (112 pages long, free registration required), containing detailed information about the security vulnerabilities and exploits of 2010, such as JavaScript and PDF obfuscation, the current security threat trends in the enterprise, and a look into the future.

  • Will HTML5 be Secure Enough?

    Joab Jackson wrote an article detailing some of the potential vulnerabilities of the HTML5 standard set. Will security be the Achilles' heel of HTML5?

  • Java EE 6: Application Security Enhancements

    The Java Enterprise Edition Version 6 release includes new security features in the areas of web container security as well as the authentication and authorization aspects of Java application development. These features include programmatic and declarative security enforcement in the web tier. This post gives an overview of these new security features.

  • Mobile Malware: New Threat Requires New Response

    Smart phones and mobile computers must deal with a new breed of security threat. Software countermeasures are available, but user awareness and user education are key elements of any protection scheme.

  • The Rugged Software Manifesto

    Security is often either an oversight or an afterthought for most software projects. Most development teams would rather focus on getting more functionality on the table than spend time preventing a possible security breach. In order to help developers realize the importance of rugged software, Joshua Corman, David Rice and Jeff Williams founded the Rugged Software Manifesto.

  • Learning About Security Vulnerabilities by Hacking Google’s Jarlsberg

    For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg. It contains a web application full of security holes, ready to be exploited by developers who want to learn hands-on what some of the possible vulnerabilities are, how malicious users use them, and what can be done to prevent such exploits.

  • CWE/SANS Top 25 Programming Errors

    Common Weakness Enumeration (CWE), a strategic initiative sponsored by the U.S. Department of Homeland Security, has published the document 2010 CWE/SANS Top 25 Most Dangerous Programming Errors, a list of the 25 code errors that lead, in the authors' opinion, to the worst software vulnerabilities.

  • Dealing with REST Services Security

    With REST gaining popularity for SOA implementations, the issue of REST services security becomes more important each day. In their article, Why REST security doesn't exist, Chris Comerford and Pete Soderling discuss approaches to securing REST services.