InfoQ Homepage Security Content on InfoQ
-
Don't Run as Administrator: WCF Edition
In an attempt to correct years of bad practices, Microsoft employees have been chanting "Don't Run as Administrator". This time around, Nicholas Allen covers assigning HTTP addresses to non-administrator user accounts, primarily for use by WCF.
-
Internet Explorer increases cookie limit to 50
Internet Explorer will now support 50 cookies per domain, but the performance implications of large HTTP request sizes require caution on the part of web developers.
-
XACML finally ready for prime time?
XACML, the eXtensible Access Control Markup Language, an Oasis standard approved more than 2 years ago, has been demonstrated to work cross vendor platforms on Burton's Catalyst Conference last week.
-
Article: Service Firewall Pattern
InfoQ publishes a sample pattern from Arnon Rotem-Gal-Oz' in-progress book SOA Patterns. Arnon explains how to use a Service Firewall to intercept messages to provide better security.
-
Not-Yet-Commons-SSL Provides Powerful (and Free) SSL Capabilities
Not-Yet-Commons-SSL is an Apache licensed Java library designed to simplify the use of SSL by providing an easy-to-use API along with robust support for a variety of certificate formats and configuration options.
-
HDIV Struts Security Extension Addresses OWASP's Top Security Vulnerabilities
The HDIV project recently released version 1.1 of their Apache-licensed Struts' Security extension. Among HDIV's features is that it guarantees integrity (no data modification) of non editable page data when transmitted from the browser to the server.
-
Deny Execute on Assembly Doesn't
According to Microsoft's SQL Programmability & API Development Team Blog, the Execute permission for CLR assemblies actually has no effect. To reduce confusion over this, the ability to grant execute permissions to assemblies has be removed from SQL Server 2005 SP 2.
-
WCF Security Analysis Available from the German Federal Office for Information Security
The German Federal Office for Information Security (BSI) has released their security analysis for Windows Communication Foundation along with a reference implementation.
-
How .NET Handles Standards Compliance that Result in Breaking Changes
Two security classes in .NET, HMACSHA512 and HMACSHA384, have a bug. It isn't an earth-shattering bug, but it does produce results that are inconsistent with the standard. The .NET Security team shows how this will be handed so that current applications won't break when the code gets fixed.
-
SOA: Beyond the Hype and SDL
InfoQ sits down with Mohammad Akif, a Microsoft Architect Evangelist, to discuss the myths of SOA, common pitfalls in designing for SOA, J2EE and .NET interoperability and injecting the Security Development Lifecycle into enterprise development lifecycles.
-
Presentation: Security Assertion Markup Language
SAML has emerged as the gold standard for building Cross-Domain SSO solutions and is a key technology in the domain of federated identity management. This presentation from Javapolis presents the basic concepts of SAML including assertions, attributes, artifacts, bindings and profiles, the problems SAML solves, how it works in real life.
-
RubySSPI is Big News for Ruby Developers on Windows
Are you behind an ISA proxy that authenticates all traffic? This library enables your ruby scripts to authenticate with the proxy as the current user seamlessly. After a few simple steps, you should be able to successfully install things like Ruby on Rails by simply typying gem install rails, exactly how non-Windows users get to do.
-
Using Native Platform Security in Java 6
Java 6 will enhance the ability to leverage the native security features of the underlying deployment platform. Included in Java 6 is the ability to access the Microsoft CryptoAPI, PKCS#11 services, use the native GSS-API implementation, and import and export PKCS#12 Keystores.
-
Study Shows That 11% of Sites Are Vulnerable to SQL Injection Attacks
In an informal study, Michael Sutton of SPI Dynamics was able to demonstrate that 80 out of 708 tested web sites were susceptible to SQL injection attacks.
-
IBM Buys Internet Security Systems
Continuing the acquisition rampage, IBM acquires Internet Security Systems for 1.3 Billion in cash. In the past weeks, IBM has acquired Webify, Filenet and MRO systems. What does this acquisiton rampage suggest?