Security Content on InfoQ

  • AppSec DC: Neal Ziring on Application Assurance

    Neal Ziring said that the role of developers is changing: they have become the first line of defense for applications. Neal presented the keynote session at the AppSec DC 2010 conference last week. He also talked about the application assurance process, with a focus on aspects like resilience and visibility.

  • Researchers Highlight Recent Uptick in Java Security Exploits

    Microsoft researcher Holly Stewart highlighted last week that Java has recently surged ahead of Adobe Acrobat as a favorite target for hackers wanting to take over computers. InfoQ looks at the specific exploits used as well as which patch of Java fixes them.

  • Padding Oracle Affects JSF, Ruby on Rails, ASP.NET

    Using a Padding Oracle (PO) attack, a malicious user can access encrypted data such as cookies, state, membership passwords, etc. According to Juliano Rizzo and Thai Duong, two software engineers specializing in security, the vulnerability affects JavaServer Faces, Ruby on Rails, ASP.NET and other technologies and platforms.

  • Is OAuth 2.0 Bad for the Web?

    Eran Hammer-Lahav, one of the editors of the OAuth 2.0 specification, published a diatribe on the latest standard draft. For him, the current proposal mortgages the future of the Web. He sees the current specification focusing too much on simplicity for the application developer while severely limiting the ability to create discoverable and interoperable services.

  • IBM X-Force Report: Enterprise Security Exploits Are Rising

    IBM has published the IBM X-Force® 2010 Mid-Year Trend and Risk Report August 2010 (112 pages long, free registration required) containing detailed information about the security vulnerabilities and exploits of 2010, such as JavaScript and PDF obfuscation, the current security threat trends in the enterprise, and a look into the future.

  • Will HTML5 be Secure Enough?

    Joab Jackson wrote an article detailing some of the potential vulnerabilities of the HTML5 standard set. Will security be the Achilles' heel of HTML5?

  • Java EE 6: Application Security Enhancements

    Java Enterprise Edition Version 6 release includes new security features in the areas of web container security as well as authentication and authorization aspects of Java application development. These features include programmatic and declarative security enforcement in the web tier. This post gives an overview of these new security features.

  • Mobile Malware: New Threat Requires New Response

    Smart phones and mobile computers must deal with a new breed of security threat. Software countermeasures are available, but user awareness and user education are key elements of any protection scheme.

  • The Rugged Software Manifesto

    Security is often either an oversight or an afterthought for most software projects. Most development teams would rather focus on getting more functionality on the table than spend time guarding against a possible security breach. To help developers realize the importance of rugged software, Joshua Corman, David Rice and Jeff Williams founded the Rugged Software Manifesto.

  • Learning About Security Vulnerabilities by Hacking Google’s Jarlsberg

    For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg: a web application full of security holes, ready to be exploited by developers who want to learn hands-on what some of the possible vulnerabilities are, how malicious users use them, and what can be done to prevent such exploits.

  • CWE/SANS Top 25 Programming Errors

    Common Weakness Enumeration (CWE), a strategic initiative sponsored by the U.S. Department of Homeland Security, has published the document 2010 CWE/SANS Top 25 Most Dangerous Programming Errors, a list of 25 code errors that lead, in the authors’ opinion, to the worst software vulnerabilities.

  • Dealing with REST Services Security

    With REST gaining popularity for SOA implementations, the issue of REST services security becomes more and more important each day. In their article, Why REST security doesn't exist, Chris Comerford and Pete Soderling discuss approaches to securing REST services.

  • U-Prove Offers Security while Protecting Privacy

    Microsoft has open sourced U-Prove CTP, a cryptographic technology for performing authentication without disclosing personal information about the user. The CTP contains the U-Prove Cryptographic Specification V1.0, a C# and a Java reference implementation of the specification, extensions for WIF, AD FS 2 and CardSpace 2, plus a number of whitepapers explaining the technology.

  • Top 10 Web Software Application Security Risks

    OWASP, an open and free organization focused on evaluating and improving software application security, has released the OWASP Top 10 Application Security Risks – 2010 RC1, a whitepaper documenting the top 10 web application security risks along with details on how threat agents can exploit these possible vulnerabilities, accompanied by examples and advice on what can be done to avoid them.

  • First Rails 3 Beta Released

    The first beta of Rails 3 is available. Rails 3 is a major rewrite of the codebase bringing with it stable APIs and design decisions inspired by Merb, cleaner internals, performance improvements and much more. InfoQ takes a look at the changes in Rails 3, and on which Ruby implementations it runs.