- Secure SaaS: Cloud services and systems
- Operating System Security
- Enterprise Vulnerability Management
- Virtualization Security Issues and Threats
- Securing Productivity Applications
- Software Development Methodology
- Web Security Tools and Best Practices
- Application Firewall Security
- Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Database Security Management
- Email Protection
- Open Source Security Tools and Applications
- Social media security
- Converting to cloud: Ranum Q&A with Lee Heath
Not down with Dropbox? Lee Heath embraced shadow IT and improved his company's data security practices in the process. [Column]
- Gauging cloud forensics: Ten questions to ask cloud providers
Drawing from recent CSA guidance, expert Dave Shackleford lists key questions to ask cloud providers to determine their cloud forensics capabilities. [Tip]
- Gartner: Negotiate cloud contracts with detailed security, control
When negotiating with cloud providers, enterprises must demand cloud contracts with specific security and control provisions, Gartner analysts say. [News | 14 Jun 2013]
- Can self-managed cloud security controls ease enterprise concerns?
Expert Dave Shackleford details how enterprises can increasingly manage their own cloud security controls with private virtual cloud offerings. [Tip]
- Cloud API security risks: How to assess cloud service provider APIs
The CSA says cloud API security is a top threat to cloud environments. Expert Dave Shackleford explains how to assess the security of providers' APIs. [Tip]
- CSA offers new initiatives to address SMB cloud security issues
In response to growing SMB cloud security issues, the Cloud Security Alliance announced a new working group and membership level focused on SMBs. [News | 26 Apr 2013]
- Software security podcast library
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security. [Podcast]
- How to develop cloud applications based on Web app security lessons
Expert Dave Shackleford details how to build cloud applications based on typical Web app security flaws and cloud provider tools and platforms. [Tip]
- Report suggests cloud security concerns are overblown
A study by Alert Logic downplays cloud security concerns when compared to traditional IT infrastructure, but indicates Web app attacks are a problem. [News | 26 Mar 2013]
- VIEW MORE ON: Secure SaaS: Cloud services and systems
- application whitelisting
Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for resources. [Definition]
- Microsoft issues rushed patch for ASP.NET encryption flaw
Emergency patch repairs a vulnerability in the ASP.NET framework that causes faulty AES encryption implementations. [Article | 28 Sep 2010]
- Microsoft to address critical vulnerability in Office Web Components
Microsoft will issue security updates for five critical vulnerabilities next week, including one that affects multiple software packages. [Article | 06 Aug 2009]
- Armitage tutorial: How to use Armitage for vulnerability assessments
Video: In this Armitage tutorial, Keith Barker of CBT Nuggets shows how to use the Metasploit add-on to perform vulnerability assessments. [Screencast]
- Users may remain vulnerable despite Oracle Java patch release
Oracle has issued a new security patch for Java, but only 7% deployed the patch before it. [News | 18 Jun 2013]
- virtual patching
Virtual patching is the quick development and short-term implementation of a security policy meant to prevent an exploit from occurring as a result of a newly discovered vulnerability. A virtual patch is sometimes called a Web application firewall (WAF). [Definition]
- Threat prevention techniques: Best practices for threat management
A successful threat management program requires effective processes, layered technology and user education. [Feature]
- Readers' Choice Awards 2011
Readers vote on the best vulnerability management products, including network vulnerability assessment scanners, vulnerability risk management, reporting, remediation and compliance, patch management and vulnerability management lifecycle products. [Guide]
- Black Hat 2011: Hacking technique targets Windows kernel errors
Researcher Tarjei Mandt uncovered dozens of hidden vulnerabilities deep inside Microsoft Windows. [News | 26 Jul 2011]
- application blacklisting
Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabilities but also those that are deemed inappropriate within a given organization. Blacklisting is the method used by most antivirus programs, intrusion prevention/detection systems and spam filters. [Definition]
- application whitelisting
Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for resources. [Definition]
- Three hypervisor and virtual environment security concerns
Virtualization offers many benefits but also comes with plenty of risks. Keep these three things in mind when planning virtual environment security. [Feature]
- Which hypervisor features provide the most virtual server security?
The advent of integrated hypervisor features, focused on security, is welcome news to many admins, but which ones provide the most benefit? [Answer]
- Though OS-independent, thin hypervisors provide solid security
If you think smaller hypervisors are more vulnerable, think again. A thin hypervisor may be more secure than bare-metal versions. [Answer]
- Virtual security tactics for Type 1 and Type 2 hypervisors
It's no surprise that Type 1 and Type 2 hypervisors require different security considerations, but we asked an expert to clarify. [Answer]
- Evaluating network security virtualization products
Don't risk making mistakes when you evaluate network security virtualization products. Our six key points will keep you on track. [Tip]
- Case Study: US supermarket chain solves security challenge virtually
A US supermarket chain has implemented an endpoint security system to secure legacy applications and to save additional development [Case Study | 30 May 2013]
- The value of a virtual security gateway in the data center
Matthew Pascucci discusses virtual security gateway appliances and whether they are a virtual data center necessity or just an overhyped product. [Answer]
- How to configure a VLAN to achieve the benefits of VLAN security
Expert Brad Casey explains how to configure a VLAN in order to achieve the benefits of VLAN security, including protection against insider attacks. [Tip]
- Defending against watering hole attacks: Consider using a secure VM
Expert Nick Lewis analyzes the techniques employed by watering hole attacks and discusses how to use a secure VM to defend enterprises against them. [Tip]
- Five Steps to Incident Management in a Virtualized Environment
Incident management (IM) is a necessary part of a security program. When effective, it mitigates business impact, identifies weaknesses in controls, and helps fine-tune response processes. Traditional IM approaches, however, are not always effective in a partially or completely virtualized data center. Consequently, some aspects of incident management and response processes require review and adjustment as an increasing number of critical systems move to virtual servers. [Reference]
- VIEW MORE ON: Virtualization Security Issues and Threats
- Why securing internal applications is as important as Web-facing apps
Securing internal applications requires the same due diligence as their Web-facing counterparts. Expert Michael Cobb explains why. [Answer]
- How an Adobe Reader zero-day exploit escapes sandboxing capabilities
Expert Nick Lewis explains how a recent zero-day exploit escaped the Adobe Reader sandbox, and whether it's likely to happen again. [Answer]
- Foxit Reader vulnerability: Time to find an alternative PDF reader?
Does the latest Foxit Reader vulnerability mean it's time to find an alternative PDF reader? Expert Nick Lewis offers his advice. [Answer]
- How to reduce the risk of Flash security issues
A rash of zero-day exploits has one organization looking for ways to reduce the risk posed by Flash running on endpoints. [Answer]
- Is Firefox PDF reader a secure alternative to Adobe Reader?
Expert Michael Cobb examines Mozilla's Firefox PDF reader and discusses whether it is more secure than Adobe Reader. [Answer]
- Using EMET to harden Windows XP and other legacy applications
Expert Michael Cobb details how using EMET, a free tool from Microsoft, can harden Windows XP and other legacy applications. [Answer]
- Is Google Private Channel more secure than an enterprise app store?
Is the Google Private Channel a more secure option than building an internal enterprise app store? Expert Michael Cobb discusses. [Answer]
- Combat Shockwave security issues with a Web security gateway
Expert Michael Cobb discusses Adobe Shockwave security issues highlighted by US-CERT, and details how a Web security gateway is one way to allay them. [Answer]
- Software security podcast library
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security. [Podcast]
- The updated Makadocs malware: How to protect users locally
Security expert Nick Lewis details how the updated Makadocs malware uses Google Docs as a command and control server and offers mitigations for users. [AtE]
- VIEW MORE ON: Securing Productivity Applications
- Open source code management: How to safely use open source libraries
Expert Michael Cobb explains why enterprises need better open source code management to negate the security risks posed by open source libraries. [Tip]
- Five major technology trends affecting software security assurance
Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure. [Opinion]
- Why securing internal applications is as important as Web-facing apps
Securing internal applications requires the same due diligence as their Web-facing counterparts. Expert Michael Cobb explains why. [Answer]
- Secure code review process: How many review rounds are needed?
Expert Michael Cobb details how to argue for a multistep secure code review process like the Microsoft SDL, and the pros of secure coding practices. [Answer]
- Application security risks posed by open source Java frameworks
Expert Michael Cobb says security issues with open source Java applications have more to do with misconfigurations than the frameworks themselves. [Answer]
- The effects of secure application development practices
Selling the CIO and others on secure application development requires understanding how it will impact the development process. [Answer]
- McGraw: Financial services develop a proactive posture
The idea behind proactive security is simple: build security in the first time by following security models like BSIMM and security engineering. [Column]
- New skills for the QA tester: Scripting, security
Software quality assurance is gaining respect as a profession -- but do QA testers have the scripting and security skills the role now requires? [Quality Time | 17 May 2013]
- At Adobe, secure software development program demands 'ninja' tactics
Video: Adobe CSO Brad Arkin explains how his firm fosters secure software development by inspiring developers to become security 'ninjas.' [Video]
- VIEW MORE ON: Software Development Methodology
- How to prevent SQL injection attacks by validating user input
Expert Michael Cobb discusses how to prevent SQL injection attacks by validating user input and utilizing parameterized stored procedures. [Answer]
- Quiz: Choosing a Web security gateway
Check you're up to speed and ready to choose and deploy a Web security gateway. This five-question quiz will test you on the key points we've covered in the webcast, podcast and article in this Security School. [Quiz]
- PDF download: Information Security magazine February 2012
Read about new antimalware strategies and readers' 2012 priorities in this issue of Information Security magazine. [Magazine]
- Book chapter: Social media security policy best practices
The following is an excerpt from chapter 6 of Gary Bahadur's book Securing the Clicks: Network Security in the Age of Social Media. [Chapter Excerpt]
- Web application attacks: Building hardened apps
This security school lesson details the myriad of Web application attacks in circulation today, providing detailed explanations of SQL injection attacks, clickjacking, cross-site scripting and cross-site request forgery attacks and other Web-based attacks that lead right to sensitive information stored in a backend database. We'll also explain how to begin assessing your production Web apps for dangerous flaws and how to architect a software development process that can help you counter these threats in both QA and production. [Part of Guide Series]
- Internet Explorer 8 XSS filter: Setting the bar for cross-site scripting prevention
The Internet Explorer 8 XSS filter can assist in cross-site scripting prevention. Michael Cobb explains how it works in this expert response. [Answer]
- XML firewall security guide: Prevent XML vulnerabilities and threats
This section of the XML Web services Tutorial highlights the functions and capabilities of the XML firewall, how the features of an XML firewall compare to other firewalls, and offers advice on how to prevent XML vulnerabilities and stop XML attacks. [Learning Guide]
- Mitigating Web 2.0 threats
As companies look to cut costs, Software as a Service has gained ground in the enterprise. Similarly, social networking sites like Facebook and LinkedIn are must-haves in today's workplace. David Sherry reviews how to secure these services and defend against a variety of Web 2.0 threats. [Part of Guide Series]
- Next-generation firewalls play by new rules
We take a look at the key developments that define next-generation firewalls from application awareness to intrusion prevention techniques. [ISM]
- Can application security products really be 'self-defending?'
Expert Michael Cobb determines whether 'self-defending' application security products actually provide something new to enterprise security. [Answer]
- Evaluating next-generation firewalls
In this presentation, Joel Snyder discusses best practices for evaluating next-generation firewalls. [Video]
- Next-generation firewalls: Must-have NGFW features
Gain insight to help you decide whether a next-generation firewall is right for you and how to make its deployment and management smooth and successful. [Security School]
- In 2013, Cisco network security product strategy to key on integration
Video: Cisco SVP Chris Young details the vendor's 2013 network security product strategy, specifically combining more features into its line of ASA firewalls. [Video]
- virtual patching
Virtual patching is the quick development and short-term implementation of a security policy meant to prevent an exploit from occurring as a result of a newly discovered vulnerability. A virtual patch is sometimes called a Web application firewall (WAF). [Definition]
- Cloud IaaS security: Is a virtual firewall the best bet?
Matthew Pascucci discusses whether organizations should use an IaaS virtual firewall to protect applications that have been moved to the cloud. [Answer]
- How a next-generation firewall prevents application-layer attacks
Next-generation firewalls can block common yet dangerous SQL-injection and buffer-overflow attacks. Learn how an NGFW stops application-layer attacks. [Tip]
- Implement software development security best practices to support WAFs
WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why. [Answer]
- Custom, targeted malware attacks demand new malware defense approach
Widespread use of custom malware in targeted attacks requires better attack preparation and response, and a variety of new malcode defenses. [News | 16 Nov 2012]
- VIEW MORE ON: Application Firewall Security
- How an Adobe Reader zero-day exploit escapes sandboxing capabilities
Expert Nick Lewis explains how a recent zero-day exploit escaped the Adobe Reader sandbox, and whether it's likely to happen again. [Answer]
- Slideshow: Five common Web application vulnerabilities and mitigations
Expert Michael Cobb analyzes five common Web application vulnerabilities from the OWASP top 10 list and provides mitigations for enterprises. [Slideshow]
- Security researcher finds vulnerabilities in emergency alert system
Seattle-based application security company IOActive has uncovered significant vulnerabilities in Digital Alert Systems' DASDEC. [News | 09 Jul 2013]
- Report finds security tools add software vulnerabilities of their own
A report by iViZ Security Inc. found that overall vulnerabilities in security products in 2012 rose sharply. [News | 31 May 2013]
- distributed denial-of-service attack (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. [Definition]
- Five common Web application vulnerabilities and how to avoid them
Expert Michael Cobb details the five most common Web application vulnerabilities and provides methods to help enterprises to secure them. [Tip]
- Website vulnerabilities down, but progress still needed, survey finds
A survey released by WhiteHat Security finds that website vulnerabilities have decreased steadily in recent years, though problems persist. [News | 02 May 2013]
- How to prevent SQL injection attacks by validating user input
Expert Michael Cobb discusses how to prevent SQL injection attacks by validating user input and utilizing parameterized stored procedures. [Answer]
- mobile app security
Mobile app security is the extent of protection that mobile device application programs (apps) have from malware and the activities of crackers and other criminals. [Definition]
- pharma hack
The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress or Joomla documents, causing search engines, notably the one hosted by Google, to return ads for pharmaceutical products along with legitimate listings. [Definition]
- VIEW MORE ON: Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Security School: Database security issues
Michael Cobb examines the top database security flaws and how to monitor database access to detect potential security incidents. [Security School]
- MyDiamo
MyDiamo is database encryption software for MySQL that runs on virtually all platforms that MySQL supports, including Linux, UNIX and Windows. [Definition]
- Privileged user management a must for DBAs
Trust, but verify. Ronald Reagan made it popular, and it's certainly relevant for DBAs in today's consolidated, virtualized IT world. [Oracle Revelations | 15 May 2013]
- The Narilam malware: How to protect SQL databases, corporate records
Expert Nick Lewis explains how the Narilam malware infects SQL databases and destroys corporate records, and offers advice on mitigation. [Answer]
- NoSQL security: Do NoSQL database security features stack up to RDBMS?
With NoSQL databases increasingly being used to tackle big data challenges, expert Michael Cobb examines NoSQL security in comparison to RDBMS. [Tip]
- What to look for in full-packet-capture and network forensic tools
Matt Pascucci explains what to look for in full-packet-capture network logging and network forensic tools, and areas to focus on during the search. [Answer]
- column-level encryption
Column-level encryption is a method of database encryption in which the information in every cell (or data field) in a particular column has the same password for access, reading, and writing purposes. [Definition]
- MySQL security analysis: Mitigating MySQL zero-day flaws
In the wake of several recent MySQL zero-day vulnerabilities, expert Michael Cobb assesses the state of MySQL security. Is a MySQL alternative needed? [Tip]
- Mitigations for an Oracle database authentication vulnerability
A patch for an Oracle database authentication vulnerability was only released for version 12. Expert Nick Lewis discusses mitigations for 11.1 users. [Answer]
- Windows Server 2012 security: Is it time to upgrade?
Expert Michael Cobb wades through the security features of Windows Server 2012 to find out what's new and beneficial in Microsoft's latest release. [Tip]
- VIEW MORE ON: Database Security Management
- Improving enterprise email security: Systems and tips
Enterprise email security has become more vital than ever due to increased attacks and threats. This tip details systems that can improve protection. [Tip]
- MoD plans secure email system based on TSCP specification
The Ministry of Defence is hoping a new, secure email system will improve its supply chain communication, but rollout is proving slow. [Article | 17 Jan 2008]
- Security Onion tutorial: Analyze network traffic using Security Onion
Video: In this Security Onion tutorial, Keith Barker of CBT Nuggets shows how to analyze network traffic using Security Onion's many free features. [Screencast]
- Open source code management: How to safely use open source libraries
Expert Michael Cobb explains why enterprises need better open source code management to negate the security risks posed by open source libraries. [Tip]
- Armitage tutorial: How to use Armitage for vulnerability assessments
Video: In this Armitage tutorial, Keith Barker of CBT Nuggets shows how to use the Metasploit add-on to perform vulnerability assessments. [Screencast]
- How to use ThreadFix to simplify the vulnerability management process
Video: Keith Barker of CBT Nuggets demonstrates how Denim Group's ThreadFix helps simplify the enterprise vulnerability management process. [Screencast]
- Open source security tools: Getting more out of an IT security budget
Open source security tools can help stretch your IT security budget further -- that is, if you use them strategically. Joseph Granneman explains how. [Answer]
- Zed Attack Proxy tutorial: Uncover Web app vulnerabilities using ZAP
Video: Keith Barker of CBT Nuggets offers an OWASP Zed Attack Proxy tutorial. Learn how to find and nullify Web application vulnerabilities using ZAP. [Screencast]
- Sourcefire's Roesch: How Snort can normalize JavaScript, model rules
Video: Snort creator Martin Roesch discusses new Snort features like JavaScript normalization and rule modeling, and looks ahead to Snort's future. [Video]
- Use the Mandiant Redline memory analysis tool for threat assessments
Video: Keith Barker of CBT Nuggets shows how to use the Mandiant Redline memory analysis tool to conduct threat assessments, defeat rootkits. [Video]
- How to utilize NDPMon for better IPv6 monitoring, network visibility
Video: Keith Barker of CBT Nuggets demonstrates NDPMon, a free, open source security tool that can improve IPv6 monitoring and network visibility. [Screencast]
- ISM February 2003 Ranum
- VIEW MORE ON: Open Source Security Tools and Applications
- Gauging the security risk posed by the WordPress pingback vulnerability
Security expert Nick Lewis details the WordPress pingback vulnerability and advises whether it is time to update custom WordPress implementations. [Answer]
- Avoiding pitfalls in social media compliance, security
Expert Mike Chapple offers regulatory compliance advice regarding the management of enterprise social media accounts. [Answer]
- Trusteer warns of new man-in-the-browser Twitter attack
The attack seeks to compromise a Twitter webpage via a man-in-the-browser attack. Trusteer warns it could be a harbinger of broader future attacks. [News | 24 Apr 2013]
- pharma hack
The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress or Joomla documents, causing search engines, notably the one hosted by Google, to return ads for pharmaceutical products along with legitimate listings. [Definition]
- Safely using shortened URLs requires user education, technology
Expert Nick Lewis delves into the potential threat posed by shortened URLs and what enterprises can do to protect users from malicious short URLs. [Answer]
- Mobile malware and social malware: Nipping new threats in the bud
Learn mobile and social media malware prevention tactics as contributor Lisa Phifer analyzes the malware risks of social media and mobile devices. [Video]
- likebaiting
Likebaiting is the practice of trying to compel Facebook users to click the Like button associated with a piece of content. The practice is similar to linkbaiting, in which content producers craft content with the intent of getting people to link to it. [Definition]
- Akonix Systems' Akonix A-Series Product Review
- Instant Messaging: Symantec IM Manager 8.0
- Instant Messaging: Akonix L7 Enterprise 4.0
- VIEW MORE ON: Social media security