ZDNet Dictionary Definition
- OWASP
- Open Web Application Security Project: An organization founded by Mark Curphey in 2001 to help make open source software secure. With member communities around the world, OWASP projects...
ZDNet Resources
- Best Practices: Use of Web Application Firewalls
- Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not...
- Tags: Web Application, Best Practice, Application Firewall, OWASP, Cloud Computing, Firewalls, Security, Networking
- White papers 2008-05-01
- OWASP gets Fortify-ed (Now with 45% more security)
- OWASP & PCI & Fortify discussed at pciFile.ORG. We are fans of Fortify over at pciFile. Good tool that can be used as an effective compensating control for a number of PCI Requirements. To see more discussion on PCI - go to the PCI...
- Tags: PCI, Fortify-ed, OWASP, security
- Discussion threads 2006-07-31
- OWASP gets Fortify-ed (Now with 45% more security)
- Fortify Software, which identifies and remediates software vulnerabilities, has contributed its collection of 115 types of software security errors to the Open Web Application Security Project (OWASP), a six-year old non-profit with almost 5,000 members whose “mission is to find and fight the causes of insecure software.” The work will...
- Tags: OWASP, Fortify
- Blog posts 2006-07-31
Additional Resources
- Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure Cloud Computing
- Cloud computing was not designed for security, although organizations such as Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. The benchmark guidelines established by the CSA in the document, Guidance for...
- Tags: Security, Firewall, Web Application, Application Firewall, Cloud Computing, Virtualization, Hardware
- White papers 2009-07-22
- Security Pitfalls in Stripes Web Applications
- The Stripes framework (www.stripesframework.org) is a Java web presentation framework that aims to ease the process of creating Java based web applications, by favouring defaults over verbose configuration and by providing a single backing bean for both properties and methods. This paper covers Stripes version 1.5.1 from www.stripesframework.org. It exposes...
- Tags: Security, Web, Web Application, Corsaire, Cloud Computing
- White papers 2009-05-11
- URL rewriting can help thwart Web app attacks
- A Microsoft Web application security specialist is suggesting an offbeat defense-in-depth strategy to protect Web sites and applications from cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks. According to Bryan Sullivan, security program manager for Redmond's Security Development Lifecycle team, Web developers should consider URL Rewriting...
- Tags: Hyperlink, Attacker, Vulnerability, XSS, Web Application, Attack, Microsoft Web Application Security Specialist, Bryan Sullivan, E-mail, Security, Online Communications, Ryan Naraine
- Blog posts 2009-02-27
- WebDefend and the OWASP Top Ten
- With all the web application attacks and vulnerabilities surfacing - it is hard to know where to focus the security efforts. Luckily, OWASP produces the OWASP Top Ten list to raise awareness of web application security. This list is an outstanding starting point for prioritizing web application security attacks and...
- Tags: Web Application, Breach Security, WebDefend, Cloud Computing, Security
- Webcasts 2009-01-01
- Outsmarting Tomorrow's Hackers Today
- Network IDS/IPS and first-generation Web Application Firewalls (WAFs) don't protect against today's sophisticated web application threats, such as cross-site scripting, injection flaws and other vulnerabilities listed on the OWASP Top 10. IT professionals need the necessary visibility into their web application security to understand how applications are being used, when...
- Tags: Web Application, Hacker, Breach Security, Cloud Computing
- Webcasts 2009-01-01
- 'Dumbing down' the security profession
- * Ryan Naraine is traveling. Guest editorial by Shyama Rose. The market for the development and implementation of source code analysis (static and dynamic) tools is swelling. Companies are increasingly relying on source code analysis tools to identify security-related vulnerabilities. The demand and reliance...
- Tags: Analysis Tool, Vulnerability, Analysis, Tool, Productivity, Security, Ryan Naraine
- Blog posts 2008-12-01
- Clickjacking: Researchers raise alert for scary new cross-browser exploit
- [ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ] Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms -- Microsoft Internet Explorer, Mozilla Firefox, Apple...
- Tags: JavaScript, Web Browser, Web Browsers, Scripting Languages, Internet, Software/Web Development, Web Development, Ryan Naraine
- Blog posts 2008-09-25
- The empty debate over open source security
- All Code Insecure. Go browse OWASP. This article really doesn't say much of anything. Inherently Insecure Open Source! - COX. My rep almost lost his appetite as he told me about all of the years old Open source viruses! He described it as a boiling over sewer...
- Tags: open source security, open source
- Discussion threads 2008-08-01
- 2008 Pwnie Award nominees announced
- Well, after getting 134 nominations, and spending countless hours pulling out nominees, the judges for the 2008 Pwnie Awards have announced the final nominees to be voted on. From the site: The final list of nominees for the nine Pwnie Award categories is ...
- Tags: Attack, Flaw, Lifelock, Nathan McFeters, Nominee, Security, Vulnerability, XSS, XSS Flaw
- Blog posts 2008-07-21
- Security is hard, accept it
- * Ryan Naraine is on vacation. Guest editorial by Dr Jose Nazario The past 10 or 15 years have been about the same things, largely, over and over again: input problems into single system applications or kernels. Buffer overflows (splitvt! NCSA...
- Tags: Security, Ryan Naraine
- Blog posts 2008-07-10
- Kaminsky and Ptacek comment on DNS flaw
- Well, well, well, what a day for security news! I got a chance to get the scoop word of mouth from Dan Kaminsky of IOActive (pictured above [image courtesy of quinnums]) and Thomas Ptacek of Matasano pictured below on the DNS flaw that's been all over the...
- Tags: DNS, Flaw, Nate, Domain Names, Networking, Security, Internet, Nathan McFeters
- Blog posts 2008-07-08
- News to know: Searching Silverlight; IE 8; Dell; Google vs. YouTube
- Notable headlines: Mary Jo Foley: Microsoft: Silverlight content searchable, too Ryan Stewart: Brian Goldfarb talks about Silverlight 2 and Deep Zoom with Michael Cot LineRider releases a Silverlight 2 version Microsoft steps up self-policing of its OSI-approved source licenses ...
- Tags: Apple iPhone, Security, Google Inc., Dell Computer Corp., Microsoft Silverlight, Mobile, YouTube Inc., Microsoft Internet Explorer, Microsoft Corp., Linux, UNIX, Keyboards, Operating Systems, Advertising & Promotion, Open Source, Software, Hardware, Peripherals, Marketing, Larry Dignan
- Blog posts 2008-07-03
- PCI-DSS 1.1 points to outdated OWASP Top 10
- OK, I'm not going to freak out about this too bad... I've already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman pictured at right blogged today about the PCI-DSS 1.1 section 6.5, which covers "prevention of common coding vulnerabilities in...
- Tags: XSS, PCI, Security, Storage, Hardware, Nathan McFeters
- Blog posts 2008-07-02
- 90% of all statistics can be made to say anything... 50% of the time, aka my thoughts on the Verizon report
- How many breaches from External...sources were facilitated by poor practices of inside sources? Weak passwords, poor surfing habits, poor security implementations, etc. External breaches only occur when an insider allows it to...
- Tags: Firewalls, SECURITY, NETWORKING, Network security, Verizon Communications Inc., WAF
- Discussion threads 2008-06-23
- Morse Code Rickroll 0-day... no, seriously, I mean it
- In the security research world, getting Rickrolled has become a global epidemic. If you've been to any of the recent conferences, you're sure to have been Rickrolled at least once... if you were fortunate enough to be at ToorCon Seattle, then you got Rickrolled about 300 times by Dan Kaminsky....
- Tags: Morse Plc., I/O, XSS, Encryption, Security, Nathan McFeters
- Blog posts 2008-05-04
- Security expert discusses a possible future for PCI-DSS... it's grim
- Jeremiah Grossman discussed some recent comments about section 6.6 of the PCI standard made by Standards Council General Manager Bob Russo in a recent Information Security magazine article. I found a lot of thoughts I share with Grossman. Grossman says: I have a love-hate relationship with PCI-DSS. Love it...
- Tags: Security, PCI, Web Application, Application Firewall, Security Expert, Jeremiah Grossman, Ruso, Firewalls, Networking, Nathan McFeters
- Blog posts 2008-04-14
- Microsoft 'Oxygen' security-management platform in the works
- Microsoft has hired security expert Mark Curphey, the former Chief Technology Officer of SourceClear, who is bringing with him to Microsoft the "Oxygen" security platform and security-lifecycle applications he had been developing. Curphey is joining the company as a member of the Application, Consulting and Engineering ACE...
- Tags: Oxygen, Microsoft Corp., Curphey, Security, Mary Jo Foley
- Blog posts 2007-10-09