Essential Knowledge on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Web application attacks: Building hardened apps
  This security school lesson details the myriad of Web application attacks in circulation today, providing detailed explanations of SQL injection attacks, clickjacking, cross-site scripting and cross-site request forgery attacks and other Web-based at... (Guide series)
- Information security book excerpts and reviews
  Visit the Information Security Bookshelf for book reviews and free chapter downloads. (Information Security Book)
- Black Hat conference 2010: News, podcasts and videos
  Get updates on the latest happenings at the Black Hat 2010 conference with breaking news stories, and exclusive video and podcasts. (Conference coverage)
- Quiz: Securing the application layer
  Take this quiz to test your knowledge of the information presented in the Integration of Networking and Security school lesson on securing the application layer. (Quiz)
- Web application attacks security guide: Preventing attacks and flaws
  This Web application attacks guide explains how Web application attacks occur, identifies Web application attack types, and provides Web application security tools and tactics to protect against them. (Learning guide)
- Quiz: How to build secure applications
  Use this five-question quiz to test your knowledge of how to secure your enterprise apps. (Quiz)
- Buffer overflow tutorial: How to find vulnerabilities, prevent attacks
  Buffer overflow exploits and vulnerabilities can lead to serious harm to corporate Web applications, as well as embarrassing and costly data security breaches and system compromises. (Learning guide)
- SQL injection protection: A guide on how to prevent and stop attacks
  In this SQL injection protection guide, get advice on how to prevent and stop SQL injection attacks, and learn best practices for detecting vulnerabilities. (Learning guide)
- Black Hat conference coverage 2009: News, podcasts and videos
  The SearchSecurity.com team is live at the 2009 Black Hat conference. Look here for the latest headlines, interviews, podcasts and videos from Caesars Palace in Las Vegas. (Special news coverage)
- Quiz: Mitigating Web 2.0 threats
  Take this five-question quiz to test your knowledge of social networking sites, software-as-a-service and common Web attacks and threats. (Quiz)
News on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Research firm discovers new Java sandbox vulnerability
  A Java sandbox flaw could allow malicious code to run on any system running Java 5, 6, or 7. Users are advised to disable the Java browser plugin. (News, 26 Sep 2012)
- Little being done to prevent Web application threats, analysts say
  Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. (News, 19 Sep 2012)
- Java sandboxing could thwart attacks, but design may be impossible
  Basic Java sandboxing has been around since 1995, but flaws in the Java virtual machine are highly targeted. Experts are calling on Oracle to do more. (News, 29 Aug 2012)
- UGNazi hacker group claims responsibility for Twitter outage
  Hacktivist group UGNazi says it caused multiple Twitter outages Thursday. Update: Twitter says a "cascading bug" was to blame. (News, 21 Jun 2012)
- Adobe pushes patch for actively exploited Flash Player vulnerability
  Adobe is addressing a zero-day flaw in Flash Player being used by cybercriminals in email attacks targeting Internet Explorer users. (News, 04 May 2012)
- New GrayWolf tool sheds light on Microsoft .NET application security
  Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them. (News, 04 Aug 2011)
- Cross-site scripting vulnerability discovered in Adobe Flash Player
  Adobe issued an update Sunday repairing the Flash Player flaw in the wake of targeted email attacks attempting to exploit the flaw. (News, 06 Jun 2011)
- Software code analysis firm gives security vendors poor marks
  The latest study of application code by Veracode found many applications submitted by software makers are of "unacceptable security quality." (News, 20 Apr 2011)
- Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com
  The attack enabled hackers to gain access to various databases containing account credentials associated with the website. (Article, 28 Mar 2011)
- Researcher breaks Adobe Flash sandbox security feature
  Adobe is responding to a new method that breaks a security feature that prevents Flash files from passing data to remote systems; the issue is classified as a "moderate" security threat. (Article, 06 Jan 2011)
Tips on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- How to use OWASP Broken Web Apps to prevent vulnerabilities
  OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure, to hone their skills at securing their own apps. (Tip)
- Enterprise PDF attack prevention best practices
  Malicious PDF exploits are at an all-time high. Should enterprises dump PDFs altogether? Expert Michael Cobb answers that question and offers his key enterprise PDF attack prevention tactics. (Tip)
- Improving software with the Building Security in Maturity Model (BSIMM)
  Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? (Tip)
- Distributed denial-of-service protection: How to stop DDoS attacks
  In this tip, which is part of our Web Application Attacks Security Guide, you will learn what a distributed denial-of-service (DDoS) attack is, and learn how to stop and prevent DDoS attacks by using intrusion prevention technologies and products. (Tip)
- Preventing and stopping SQL injection hack attacks
  In this tip, which is part of our Web Application Attack Security Guide, you will learn methods, tools and best practices for preventing, avoiding and stopping SQL injection hack attacks. (Tip)
- Prevent cross-site scripting hacks with tools, testing
  In this tutorial, learn how to prevent cross-site scripting (XSS) attacks, how to avoid a hack, and how to fix vulnerabilities and issues with cross-site scripting prevention tools, system and application testing and several other defense and prevent... (Tip)
- How to stop buffer-overflow attacks and find flaws, vulnerabilities
  In this tip, which is part of our Web Application Attack Security Guide, learn how to stop buffer-overflow attacks from infiltrating your systems and learn how to find buffer-overflow flaws and vulnerabilities with protection and defense methods and ... (Tip)
- Black box and white box testing: Which is best?
  There's no question that testing application security is essential for enterprises, but which is better: black box security testing or white box security testing? Learn more in this expert tip. (Tip)
- PCI management: The case for Web application firewalls
  Expert Michael Cobb lays out the compliance and security benefits of Web application firewalls. (Tip)
- Vulnerability test methods for application security assessments
  Learn what to do when you have a huge portfolio of potentially insecure applications, limited resources and an overwhelming sense of urgency. (Tip)
Expert Advice on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Defend against the SQL injection tool Havij, other SQL injection tools
  Expert Nick Lewis discusses the dangers of the SQL injection tool Havij and provides tips to protect the enterprise against other SQL injection tools. (Answer)
- Revisiting JRE security policy amid new ways to exploit Java
  Expert Nick Lewis analyzes the increasing ability of hackers to exploit Java and the need to perform a JRE security policy analysis in response. (Answer)
- Dangerous applications: Time to ban Internet Explorer, Adobe in the enterprise?
  CSIS says five dangerous applications are to blame for 99% of malware. Is it time to ban Internet Explorer, Flash and the others in the enterprise? (Answer)
- Internet Explorer 8 XSS filter: Setting the bar for cross-site scripting prevention
  The Internet Explorer 8 XSS filter can assist in cross-site scripting prevention. Michael Cobb explains how it works in this expert response. (Answer)
- Free Web application vulnerability scanners to secure your apps
  Expert Michael Cobb points to several free Web application vulnerability scanners to help prevent SQL injection or XSS exploits. (Answer)
- Why it's important to turn on DEP and ASLR Windows security features
  In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on. (Ask the Expert)
- Should black-box, white-box testing be used together?
  Learn why black-box and white-box testing should be used together when searching for Web application code vulnerabilities. (Ask the Expert)
- Adobe Acrobat Reader security: Can patches be avoided?
  Security expert Michael Cobb counters recent advice from Fiserv not to install Adobe Reader patches and says these updates are vital to security and must trump user functionality. (Ask the Expert)
- SANS Top 25 programming errors: Application security best practices
  Learn the SANS Top 25 programming errors and the best practices for application security. (Ask the Expert)
- How to detect input validation errors and vulnerabilities
  Expert John Strand reviews how to spot input validation flaws on your websites. (Ask the Expert)
Definitions on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- application blacklisting
  Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabiliti... (Definition)
- distributed denial-of-service attack (DDoS)
  On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. (Definition)
- cyberterrorism
  According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub... (Definition)
- JavaScript hijacking
  JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML)... (Definition)
- buffer overflow
  A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. (Definition)
- ping of death
  On the Internet, ping of death is a denial-of-service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. (Definition)
- dictionary attack
  A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an e... (Definition)
- directory harvest attack (DHA)
  A directory harvest attack (DHA) is an attempt to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database. (Definition)
- cache poisoning (domain name system poisoning or DNS cache poisoning)
  Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. (Definition)
- SYN flooding
  SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server. (Definition)
Videos on Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Exploit Intelligence Project: Rethinking information security threat analysis
  Information security threat analysis is fundamentally flawed, said Dan Guido of iSEC Partners. He says the Exploit Intelligence Project hopes to change that. (Video)
- An application security framework for infrastructure security managers
  Video: Get a primer on common application attack methods and an application security framework to help infrastructure security teams. (Video)
- Balancing security and performance: Protecting layer 7 on the network
  This video will explain options for securing application-layer traffic using network security technologies, architectures and processes, including Layer 7 switches, firewalls, IDS/IPS, NBAD and more. (Video)
- Defending against Internet security threats and attacks
  From buffer overflows to cross-site scripting, Web threats are many. Security researchers at Information Security Decisions 2008 discuss how to keep enterprises safe from these attacks (part 2 of 4). (Video)
About Application Attacks (Buffer Overflows, Cross-Site Scripting)
Hackers have moved away from the operating system and are now concentrating much of their efforts on applications. Get the best news and information on recognizing vulnerabilities and defending against Web application and Web 2.0 attacks and threats such as buffer overflows, cross-site scripting, denial-of-service (DoS) attacks and SQL injection.