Security Content on InfoQ
-
Can Architects Stop Financial Ruin and Market Meltdowns?
The purported fraud by Jerome Kerviel at Société Générale may bring down a major financial institution and may have caused markets to tumble worldwide. Attention has turned to systems intended to prevent fraud and other illegal activities. What role can software architects play in detecting and avoiding fraud and other suspicious behavior?
-
AntiSamy 1.0 Released - Protecting web applications from malicious HTML and CSS
AntiSamy aims to provide an API for protecting HTML and CSS code from malicious content such as XSS attacks. Version 1.0 was recently released, providing a Java implementation, with .Net and PHP to follow.
-
CrossFrame - Safe, Cross Domain Widget Coordination for Mashups
Julien Lecomte has announced the availability of CrossFrame, a JavaScript library for cross-domain communication between widgets served from different hosts. The technique, while inherently dangerous, solves an outstanding problem facing mashup developers.
-
Single Sign-On beyond the firewall
Taking a look at the challenges that lie ahead in the quest for Federated Identity Management.
-
HDIV 2.0: Security framework now integrates with Spring MVC and JSTL
HDIV, an open-source web application security framework, recently released version 2.0. InfoQ spoke with HDIV project lead Roberto Velasco Sarasola to learn more about this release.
-
Gone in 160 seconds - cracking passwords with Rainbow Hash Cracking
The Microsoft password strength checker rates "Fgpyyih804423" as a strong password, but the multi-platform password cracking tool ophcrack was able to crack it in 160 seconds using a Rainbow Hash Table attack. Jeff Atwood takes a look at this attack technique, and offers suggestions for safe password storage.
-
Don't Run as Administrator: WCF Edition
In an attempt to correct years of bad practices, Microsoft employees have been chanting "Don't Run as Administrator". This time around, Nicholas Allen covers assigning HTTP addresses to non-administrator user accounts, primarily for use by WCF.
-
Internet Explorer increases cookie limit to 50
Internet Explorer will now support 50 cookies per domain, but the performance implications of large HTTP request sizes require caution on the part of web developers.
-
XACML finally ready for prime time?
XACML, the eXtensible Access Control Markup Language, an OASIS standard approved more than 2 years ago, has been demonstrated to work across vendor platforms at Burton's Catalyst Conference last week.
-
Article: Service Firewall Pattern
InfoQ publishes a sample pattern from Arnon Rotem-Gal-Oz' in-progress book SOA Patterns. Arnon explains how to use a Service Firewall to intercept messages to provide better security.
-
Not-Yet-Commons-SSL Provides Powerful (and Free) SSL Capabilities
Not-Yet-Commons-SSL is an Apache licensed Java library designed to simplify the use of SSL by providing an easy-to-use API along with robust support for a variety of certificate formats and configuration options.
-
HDIV Struts Security Extension Addresses OWASP's Top Security Vulnerabilities
The HDIV project recently released version 1.1 of their Apache-licensed Struts security extension. Among HDIV's features is that it guarantees the integrity (no data modification) of non-editable page data when it is transmitted from the browser to the server.
-
Deny Execute on Assembly Doesn't
According to Microsoft's SQL Programmability & API Development Team Blog, the Execute permission for CLR assemblies actually has no effect. To reduce confusion over this, the ability to grant execute permissions to assemblies has been removed from SQL Server 2005 SP 2.
-
WCF Security Analysis Available from the German Federal Office for Information Security
The German Federal Office for Information Security (BSI) has released their security analysis for Windows Communication Foundation along with a reference implementation.
-
How .NET Handles Standards Compliance that Results in Breaking Changes
Two security classes in .NET, HMACSHA512 and HMACSHA384, have a bug. It isn't an earth-shattering bug, but it does produce results that are inconsistent with the standard. The .NET Security team shows how this will be handled so that current applications won't break when the code gets fixed.