<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/atom10full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>CGISecurity - Website and Application Security News</title>
    
    <link rel="alternate" type="text/html" href="http://www.cgisecurity.net/" />
    <id>tag:typepad.com,2003:weblog-1694854</id>
    <updated>2008-11-19T10:28:12-08:00</updated>
    <subtitle>All things related to website, database, SDL, and application security since 2000.
</subtitle>
    <generator uri="http://www.cgisecurity.com/">CGISecurity</generator>
    <link rel="self" href="http://feeds.feedburner.com/typepad/1216429516s8517/news" type="application/atom+xml" /><entry>
        <title>Automated security testing &amp; its limitations</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/458676888/automated-secur.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/automated-secur.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58739412</id>
        <published>2008-11-19T10:28:12-08:00</published>
        <updated>2008-11-19T10:28:20-08:00</updated>
        <summary>"The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers. The problem with automated testers is, simply put, that they are not human. That is, they will not have the intuition that a given...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Reviews" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Security Tools" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/automated-secur.html</feedburner:origLink></entry>
    <entry>
        <title>Metasploit Framework 3.2 Released</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/458621274/metasploit-fram.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/metasploit-fram.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58736718</id>
        <published>2008-11-19T09:33:14-08:00</published>
        <updated>2008-11-19T09:34:43-08:00</updated>
        <summary>"Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Security Tools" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/metasploit-fram.html</feedburner:origLink></entry>
    <entry>
        <title>Microsoft to offer free Antivirus</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/458598305/microsoft-to-of.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/microsoft-to-of.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58735642</id>
        <published>2008-11-19T09:11:06-08:00</published>
        <updated>2008-11-19T09:11:16-08:00</updated>
        <summary>"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Vendors" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Worms" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/microsoft-to-of.html</feedburner:origLink></entry>
    <entry>
        <title>Understanding How to Use Microsoft's Exploitability Index</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/457433927/understanding-h.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/understanding-h.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58677488</id>
        <published>2008-11-18T09:58:47-08:00</published>
        <updated>2008-11-18T09:58:55-08:00</updated>
        <summary>"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Defense" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="SDL" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Vendors" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/understanding-h.html</feedburner:origLink></entry>
    <entry>
        <title>Integrity-178B Secure OS Gets Highest NSA Rating, Goes Commercial </title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/457395726/integrity-178b.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/integrity-178b.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58675712</id>
        <published>2008-11-18T09:22:35-08:00</published>
        <updated>2008-11-18T09:22:43-08:00</updated>
        <summary>"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Defense" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/integrity-178b.html</feedburner:origLink></entry>
    <entry>
        <title>MS explains 7-year patch delay</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/456250285/ms-explains-7-y.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/ms-explains-7-y.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58616494</id>
        <published>2008-11-17T10:03:57-08:00</published>
        <updated>2008-11-17T10:04:21-08:00</updated>
        <summary>"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Vendors" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/ms-explains-7-y.html</feedburner:origLink></entry>
    <entry>
        <title>Firefox 3.0.4 Released to address multiple security flaws</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/452044976/firefox-304-rel.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/firefox-304-rel.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58470230</id>
        <published>2008-11-13T10:11:34-08:00</published>
        <updated>2008-11-13T12:43:30-08:00</updated>
        <summary>A handful of security vulnerabilities have been fixed in the latest version of Firefox. Fixed in Firefox 3.0.4: MFSA 2008-58 Parsing error in E4X default namespace; MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals; MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation; MFSA 2008-55 Crash and remote code execution in nsFrameManager; MFSA 2008-54 Buffer overflow in...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Browsers" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/firefox-304-rel.html</feedburner:origLink></entry>
    <entry>
        <title>.NET Framework rootkits - backdoors inside your framework </title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/452000021/net-framework-r.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/net-framework-r.html" thr:count="5" thr:updated="2008-11-14T13:04:27-08:00" />
        <id>tag:typepad.com,2003:post-58466132</id>
        <published>2008-11-13T09:24:51-08:00</published>
        <updated>2008-11-14T13:20:00-08:00</updated>
        <summary>"The paper introduces a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core. It covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="Research" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/net-framework-r.html</feedburner:origLink></entry>
    <entry>
        <title>DNS inventor blames wrangling for insecure interweb</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/451083100/dns-inventor-bl.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/dns-inventor-bl.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58419950</id>
        <published>2008-11-12T12:33:50-08:00</published>
        <updated>2008-11-12T12:33:57-08:00</updated>
        <summary>"DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing...</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/dns-inventor-bl.html</feedburner:origLink></entry>
    <entry>
        <title>Visa Card Features Buttons and Screen to Generate CCV Dynamically</title>
        <link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/typepad/1216429516s8517/news/~3/450934703/visa-card-featu.html" />
        <link rel="replies" type="text/html" href="http://www.cgisecurity.net/2008/11/visa-card-featu.html" thr:count="0" />
        <id>tag:typepad.com,2003:post-58412412</id>
        <published>2008-11-12T09:51:07-08:00</published>
        <updated>2008-11-12T12:46:22-08:00</updated>
        <summary>A co-worker sent me this link yesterday afternoon. "Using what appears to be Visa's mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways....</summary>
        <author>
            <name>Robert</name>
        </author>
        <category scheme="http://www.sixapart.com/ns/types#category" term="IndustryNews" />
        <category scheme="http://www.sixapart.com/ns/types#category" term="Research" />
        
        


    <feedburner:origLink>http://www.cgisecurity.net/2008/11/visa-card-featu.html</feedburner:origLink></entry>
 
</feed>
