Security Management Strategies for the CIO
Email Alerts
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Black Hat conference 2010: News, podcasts and videos
Get updates on the latest happenings at the Black Hat 2010 conference with breaking news stories, and exclusive video and podcasts. Conference Coverage
-
Quiz: Securing the application layer
Take this quiz to test your knowledge of the information presented in the Integration of Networking and Security school lesson on securing the application layer. Quiz
-
Web application attacks security guide: Preventing attacks and flaws
This Web application attacks guide explains how Web application attacks occur, identifies Web application attack types, and provides Web application security tools and tactics to protect against them. Learning Guide
-
Quiz: How to build secure applications
Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Quiz
-
Buffer overflow tutorial: How to find vulnerabilities, prevent attacks
Buffer overflow exploits and vulnerabilities can lead to serious harm to corporate Web applications, as well as embarrassing and costly data security breaches and system compromises. Learning Guide
-
SQL injection protection: A guide on how to prevent and stop attacks
In this SQL injection protection guide get advice on how to prevent and stop SQL injection attacks, also learn best practices on how to detect vulnerabilities. Learning Guide
-
Black Hat conference coverage 2009: News, podcasts and videos
The SearchSecurity.com team is live at the 2009 Black Hat conference. Look here for the latest headlines, interviews, podcasts and videos from Caesars Palace in Las Vegas. Special News Coverage
-
Quiz: Mitigating Web 2.0 threats
Take this five-question quiz to test your knowledge of social networking sites, software-as-a-service and common Web attacks and threats. Quiz
-
Googling Security: How Much Does Google Know About You?
In an excerpt from Googling Security: How Much Does Google Know About You?, author Greg Conti explains how attackers exploit advertising networks to compromise end-user machines. Book Chapter
- See More: Essential Knowledge on Application Attacks (Buffer Overflows, Cross-Site Scripting)
-
Adobe pushes patch for actively exploited Flash Player vulnerability
Adobe is addressing a zero-day flaw in Flash Player being used by cybercriminals in email attacks targeting Internet Explorer users. News | 04 May 2012
-
New GrayWolf tool sheds light on Microsoft .NET application security
Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them. News | 04 Aug 2011
-
Cross-site scripting vulnerability discovered in Adobe Flash Player
Adobe issued an update Sunday repairing the Flash Player flaw in the wake of targeted email attacks attempting to exploit the flaw. News | 06 Jun 2011
-
Software code analysis firm gives security vendors poor marks
The latest study of application code by Veracode found many applications submitted by software makers are of “unacceptable security quality.” News | 20 Apr 2011
-
Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com
Attack enabled hackers to gain access to various databases containing account credentials associated with the website. Article | 28 Mar 2011
-
Researcher breaks Adobe Flash sandbox security feature
Adobe is responding to a new method that breaks a security feature and prevents Flash files from passing data to remote systems; it is classified as "moderate" security threat. Article | 06 Jan 2011
-
Mozilla extends bug bounty to Web application vulnerabilities
Mozilla will reward vulnerability hunters for critical flaws found on a dozen Mozilla websites. Article | 15 Dec 2010
-
Cross-site scripting Twitter attack causes chaos
A cross-site scripting Twitter attack could have been exploited to spread dangerous malware and steal user data, experts said. Article | 21 Sep 2010
-
Adobe issues warning about zero-day vulnerability in Flash Player
Alert follows last week's warning of a critical flaw in Reader, Acrobat. Article | 13 Sep 2010
-
Adobe warns of critical zero-day flaw in Reader, Acrobat
No patch yet available for zero-day vulnerability that is reportedly being exploited in the wild. Article | 08 Sep 2010
- See More: News on Application Attacks (Buffer Overflows, Cross-Site Scripting)
-
How to use OWASP Broken Web Apps to prevent vulnerabilities
OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure to hone their skills at securing their own apps. Tip
-
Enterprise PDF attack prevention best practices
Malicious PDF exploits are at an all-time high. Should enterprises dump PDFs altogether? Expert Michael Cobb answers that question and offers his key enterprise PDF attack prevention tactics. Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
How to stop buffer-overflow attacks and find flaws, vulnerabilities
In this tip, which is part of our Web Application Attack Security Guide, learn how to stop buffer-overflow attacks from infiltrating your systems and learn how to find buffer-overflow flaws and vulnerabilities with protection and defense methods and ... Tip
-
Distributed denial-of-service protection: How to stop DDoS attacks
In this tip, which is a part of our Web Application Attacks Security Guide, you will learn what a distributed denial-of service (DDoS) attack is, and learn how to stop and prevent DDoS attacks by using intrusion prevention technologies and products. Tip
-
Prevent cross-site scripting hacks with tools, testing
In this tutorial, learn how to prevent cross-site scripting (XSS) attacks, how to avoid a hack, and how to fix vulnerabilities and issues with cross-site scripting prevention tools, system and application testing and several other defense and prevent... Tip
-
Preventing and stopping SQL injection hack attacks
In this tip, which is a part of our Web Application Attack Security Guide, you will learn methods, tools and best practices for preventing, avoiding and stopping SQL injection hack attacks. Tip
-
Black box and white box testing: Which is best?
There's no question that testing application security is essential for enterprises, but which is better: black box security testing or white box security testing? Learn more in this expert tip. Tip
-
PCI management: The case for Web application firewalls
Expert Michael Cobb lays out the compliance and security benefits of Web application firewalls. Tip
-
Vulnerability test methods for application security assessments
Learn what to do when you have a huge portfolio of potentially insecure applications, limited resources and an overwhelming sense of urgency. Tip
- See More: Tips on Application Attacks (Buffer Overflows, Cross-Site Scripting)
-
Dangerous applications: Time to ban Internet Explorer, Adobe in the enterprise?
CSIS says five dangerous applications are to blame for 99% of malware. Is it time to ban Internet Explorer, Flash and the others in the enterprise? Answer
-
Internet Explorer 8 XSS filter: Setting the bar for cross-site scripting prevention
The Internet Explorer 8 XSS filter can assist in cross-site scripting prevention. Michael Cobb explains how it works in this expert response. Answer
-
Free Web application vulnerability scanners to secure your apps
Expert Michael Cobb points to several free Web application vulnerability scanners to help prevent SQL injection or XSS exploits. Answer
-
Why it's important to turn on DEP and ASLR Windows security features
In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on. Ask the Expert
-
Should black-box, white-box testing be used together?
Learn why black-box, white-box testing should be used together when searching for Web application code vulnerabilities. Ask the Expert
-
Adobe Acrobat Reader security: Can patches be avoided?
Security expert Michael Cobb counters recent advice from Fiserv not to install Adobe Reader patches and says these updates are vital to security and must trump user functionality. Ask the Expert
-
SANS Top 25 programming errors: Application security best practices
Learn the SANS Top 25 programming errors and the best practices for application security. Ask the Expert
-
How to detect input validation errors and vulnerabilities
Expert John Strand reviews how to spot input validation flaws on your websites. Ask the Expert
-
How to secure SSL following new man-in-the-middle SSL attacks
Man-in-the-middle SSL attacks at Black Hat D.C. exposed a flaw in the https structure, so how can you avoid such an attack at your enterprise? Find out in Mike Chapple's expert response. Ask the Expert
-
How to secure a website containing badware (banner82)
In an expert Q&A, John Strand reviews how SQL injection attacks can lead to banner82 attacks and a "badware" label for your website. Ask the Expert
- See More: Expert Advice on Application Attacks (Buffer Overflows, Cross-Site Scripting)
-
application blacklisting
Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabiliti... Definition
-
distributed denial-of-service attack (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Definition
-
cyberterrorism
According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub... Definition
-
JavaScript hijacking
JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML)... (Continued) Definition
-
buffer overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Definition
-
ping of death
On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. Definition
-
dictionary attack
A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an e... Definition
-
directory harvest attack (DHA)
A directory harvest attack (DHA) is an attempt to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database. Definition
-
cache poisoning (domain name system poisoning or DNS cache poisoning)
Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. Definition
-
SYN flooding
SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server. Definition
- See More: Definitions on Application Attacks (Buffer Overflows, Cross-Site Scripting)
-
Exploit Intelligence Project: Rethinking information security threat analysis
Information security threat analysis is fundamentally flawed, said Dan Guido of iSEC Partners. He says the Exploit Intelligence Project hopes to change that. Video
-
Balancing security and performance: Protecting layer 7 on the network
This video will explain options for securing application-layer traffic using network security technologies, architectures and processes, including Layer 7 switches, firewalls, IDS/IPS, NBAD and more. Video
-
Defending against Internet security threats and attacks
From buffer overflows to cross-site scripting, Web threats are many. Security researchers at Information Security Decisions 2008 discuss how to keep enterprises safe from these attacks (part 2 of 4). Video
-
Adobe pushes patch for actively exploited Flash Player vulnerability
Adobe is addressing a zero-day flaw in Flash Player being used by cybercriminals in email attacks targeting Internet Explorer users. News
-
Dangerous applications: Time to ban Internet Explorer, Adobe in the enterprise?
CSIS says five dangerous applications are to blame for 99% of malware. Is it time to ban Internet Explorer, Flash and the others in the enterprise? Answer
-
Exploit Intelligence Project: Rethinking information security threat analysis
Information security threat analysis is fundamentally flawed, said Dan Guido of iSEC Partners. He says the Exploit Intelligence Project hopes to change that. Video
-
Internet Explorer 8 XSS filter: Setting the bar for cross-site scripting prevention
The Internet Explorer 8 XSS filter can assist in cross-site scripting prevention. Michael Cobb explains how it works in this expert response. Answer
-
How to use OWASP Broken Web Apps to prevent vulnerabilities
OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure to hone their skills at securing their own apps. Tip
-
Free Web application vulnerability scanners to secure your apps
Expert Michael Cobb points to several free Web application vulnerability scanners to help prevent SQL injection or XSS exploits. Answer
-
New GrayWolf tool sheds light on Microsoft .NET application security
Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them. News
-
application blacklisting
Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabiliti... Definition
-
Cross-site scripting vulnerability discovered in Adobe Flash Player
Adobe issued an update Sunday repairing the Flash Player flaw in the wake of targeted email attacks attempting to exploit the flaw. News
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
- See More: All on Application Attacks (Buffer Overflows, Cross-Site Scripting)
About Application Attacks (Buffer Overflows, Cross-Site Scripting)
Hackers have moved away from the operating system and are now concentrating much of their efforts on applications. Get the best news and information on recognizing vulnerabilities and defending against Web application and Web 2.0 attacks and threats such as buffer overflows and cross site scripting, denial-of service (DOS) attacks and SQL injections.