Entries from November 2007
SANS says the #1 Server Security issue is your web application
November 30th, 2007 ·
The latest SANS Top 20 has been released and according to SANS the #1 issue impacting the security of your servers is the web application code that lives on top of them.
I agree with them (in a totally biased way of course) but the data they cite leaves me with an uneasy feeling. SANS likes [...]
Tags: Security · web site security
Source Code Scanning is Dead
November 20th, 2007 ·
I sat through a demo of some source code scanning technology yesterday and about halfway through it hit me. Source code scanning is dead, but no one has realized it yet. Well, maybe not dead, since dead would imply it was alive at one time, and that was never really proven to be the case.
Specifically [...]
Tags: Security · Security Industry
Apple blocks the word script
November 19th, 2007 ·
Jordan Wiens posts about the exact problem with offensive defense systems on his blog: How Not to Protect Your Webapp. Great job Apple, the word “script” is so evil I can’t do a search for AppleScript. Some would argue this is a good thing, especially if they have seen any of the AppleScript I have [...]
Tags: web site security
When Defenses are Offensive
November 19th, 2007 ·
Cory Doctorow has a good article on the difference between the speed of detecting an attack and automatically responding to it, and the slowness of recovering from a mis-applied block.
As usual Cory outlines it in brilliantly simple, straightforward terms that anyone can understand. I used this tactic quite a bit when pen-testing in [...]
Tags: Security · web site security
Hackers Buy Ads to Install Malware
November 16th, 2007 ·
I have been waiting for this to happen for a while now. Jeremiah and I discussed this about a year ago while thinking about the fastest way to deploy malware across the web. Our idea was slightly different but the same principles apply: buy your way on to the big sites with ads or convince [...]
Tags: Security
ZoneAlarm Free Today!
November 14th, 2007 ·
Get a free copy of ZoneAlarm today. ZoneAlarm is an anti-spyware tool for Windows XP/2000. Offer expires today at 8 p.m. ET.
Free ZoneAlarm
Tags: Security
Half Million DB servers exposed
November 14th, 2007 ·
I think this is a low number actually. David Litchfield surveyed a million IP addresses and attempted to find open MS SQL Servers and open Oracle server ports. Litchfield found 157 SQL servers and 53 Oracle servers then did some math to extrapolate out the half million number.
Here is why I think this number is [...]
Tags: Security
When Do You Need Consultants?
November 14th, 2007 ·
This is part one of a continuing series about how to use information security consultants effectively.
Before you rush off and burn that budget on a couple of weeks' worth of consulting, it is important to spend a little time figuring out why you need a consultant in the first place and what exactly you [...]
Tags: Security
Penetration Test vs. Assessment
November 13th, 2007 ·
This terminology has always been a peeve of mine. People asking for a penetration test rarely want an actual penetration test. This is what a penetration test is:
Find a vulnerability, any vulnerability and exploit it to reach your target.
Basically you are hiring someone to break into your system, to prove someone can break into your [...]
Tags: Security · Security Industry
Is Your Security Consultant Hacking You?
November 11th, 2007 ·
I am surprised I didn’t think of this! This security consultant was not satisfied with a high bill rate, so he installed Trojans on his clients’ machines and stole their PayPal usernames and passwords. He had command of a 250,000 node botnet according to authorities, so he must have had a lot of clients.
“John [...]
Tags: Security Industry
