Here's my one information security article that was published this week:Writing software requirements that address security issuesAs always, for my past information security content be sure to check out www.principlelogic.com/resources.html.Enjoy!...
Continue Reading...Here's another thought in the same spirit as my previous post where I talked about sharing out your desktop when using WebEx, GotoMeeting, and the like and then doing stuff that other people probably shouldn't see.I just attended a very unprofessional webcast put on by an otherwise respectable security vendor where a person on their end didn't have her phone muted. I could hear everything she was saying, part of ...
Continue Reading...Here's an information security article published this week:Integrating source code analysis into your database security measures As always, for my past information security content be sure to check out www.principlelogic.com/resources.html.Enjoy!...
Continue Reading...This is a very interesting story. Apparently attackers are automating SQL injections on vulnerable sites/apps with SQL Server backends. I've always been a big fan of automated SQL injection tools such as what HP's WebInspect has built-in but this brings a whole new meaning to automated SQL injection!Yet another reason you need to be testing your Web applications for security vulnerabilities consistently and without fail....
Continue Reading...Here are my articles and a podcast published this past week:Getting started with web application misuse casesFree security testing tools for Windows handheld devicesIns and outs of password securityAs always, for my past information security content be sure to check out www.principlelogic.com/resources.html.Enjoy!...
Continue Reading...Just one article published this week:The Essentials of Web Application Threat ModelingFor all of my past information security content be sure to check out www.principlelogic.com/resources.html.Enjoy!...
Continue Reading...Here's a webcast I recorded recently for SearchWindowsSecurity.com:Vulnerability Testing Blunders, Oversights, and Common Mistakes You Must Avoid...and a podcast interview with Mike Rothman:Hacker-Proof Your ApplicationsFor all of my past information security content be sure to check out www.principlelogic.com/resources.html....
Continue Reading...I just heard on the Clark Howard radio show that online brokerage firms are moving towards Web authentication technologies that require you to enter your password with your mouse. This is presumably to help keep the bad guys from gleaning your login credentials using keystroke loggers.I hear about this all the time - especially in the brokerage industry - where the bad guys capture your user name and password (off ...
Continue Reading...If you're running an ASP-based site on an IIS server (of course), check for any old or backup .asp files that have been renamed with a .old, .bak, or similar extension. If present, the pages won't be rendered and delivered as the original ASP files would be. Instead, the actual source code is revealed. Not good for business.Oh, this could just as easily happen other platforms. I just had Microsoft ...
Continue Reading...I came across the XecureCK tool in Brien Posey's recent SearchWindowsSecurity.com article. It's an application-specific program that's downloaded as an ActiveX control that must be installed on the user's browser (sort of ironic, eh?). It essentially creates an encrypted link between the Windows keyboard driver and the Web site to keep the user's credentials safe and secure...at least the credentials for that one Web site. Thinking back to my days ...
Continue Reading...