Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
The Art of Software Security Testing
Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats. chapter excerpt
-
Quiz: What's your infosec IQ?
Test your information security IQ with this short quiz. Security Quiz
-
PING with Jennifer Granick
PING with Jennifer Granick from the October 2005 issue of Information Security magazine. Information Security maga
-
Top tools for testing your online security
Learn a structured approach for Web security that can make your security management tasks easier and increase your chances of success. Security School
-
Top tools for testing your online security, part 2
Michael Cobb explains what tools are helpful in maintaining Web security, including security scanners, benchmarking tools, monitoring services and online resources. Security School
-
The Controversy of Hacking Books and Classes
Read this excerpt and download Chapter 1, Ethics of Ethical Hacking from Shon Harris' Gray Hat Hacking. Book Chapter
-
Oracle won’t patch four-year-old zero-day in TNS listener
Despite the accidental release of attack code for a bug in Oracle’s database, the company won’t change the code for fear of “regression.” News | 01 May 2012
-
Google Vulnerability Reward Program increases, Microsoft unfazed
Google increased the reward for a code execution bug to $20,000. Microsoft remains against a bug bounty. News | 24 Apr 2012
-
Hunting for application logic flaws requires people, expert says
Rafal Los, a software security expert and consultant with Hewlett Packard, says humans far outgun automated tools in the hunt for costly application logic flaws. News | 10 Apr 2012
-
Expert advocates for more effective pen tests, less complex security
A security expert warns organizations against buying the latest and greatest security technology and advocates for more effective pen testing at InfoSec World Conference and Expo 2012. News | 02 Apr 2012
-
Longstanding network security problems plague enterprises, Trustwave finds
While organizations focus on mobile security and other emerging threats, an analysis of more than 2,000 penetration tests conducted by Trustwave found older threats often overlooked. News | 07 Feb 2012
-
Nothing funny about SCADA and ICS security
A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet. News | 06 Feb 2012
-
Adobe makes pitch for defensive security research to cripple exploit writing
Adobe security and privacy director Brad Arkin urges the security industry to develop technologies that make exploit writing costly. News | 03 Feb 2012
-
Sophos software design, implementation critically flawed, says researcher
A researcher says poor Sophos software security leaves many open doors, notably cryptographic and attack-mitigation weaknesses in Sophos’ AV engine. News | 04 Aug 2011
-
Chromebook security in question due to flawed Google Chrome extensions
Cross-site scripting flaws enable security researchers to bypass Chromebook security and silently steal sensitive data by hijacking browser sessions. News | 03 Aug 2011
-
Security lab, pen testing key to proactive, creative cybersecurity
IT officers at different federal agencies recommend giving "the nerds, the geeks, and the young people" a chance to pen test systems. News | 04 May 2011
- See More: News on Security Testing and Ethical Hacking
-
NMAP NSE tutorial: Network asset and vulnerability identification
In this screencast, expert Mike McLaughlin offers an NMAP NSE tutorial for enterprise network asset and vulnerability identification. Tip
-
How to use OWASP Broken Web Apps to prevent vulnerabilities
OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure to hone their skills at securing their own apps. Tip
-
An inside look into OWASP’s Mantra tool
OWASP’s Mantra tool is being praised by security pros for its abundance of options and ease of use. In this screencast, Mike McLaughlin takes a look at what Mantra has to offer. Tip
-
WebScarab tutorial: Demonstration of WebScarab proxy functionalities
In this WebScarab tutorial video, get step-by-step advice on how to install and use this free tool, including the WebScarab proxy features, among others. Tip
-
Netcat tutorial: How to use the free Netcat command-line tool
Helpful for penetration testers and network admins who need to debug infected systems, the netcat command-line tool boasts many free features for enterprise use. Tip
-
XSSer demo: How to use open source penetration testing tools
In this video demo, learn how to use XSSer, open source penetration testing tools for detecting various Web application flaws and exploiting cross-site scripting (XSS) vulnerabilities against applications. Tip
-
How to use NeXpose: Free enterprise vulnerability management tools
Learn how to use NeXpose Community Edition, a free collection of vulnerability management tools that offers pre-defined scan templates, and the ability to scan networks, OSes, desktops and databases. Tip
-
Netsparker: Free Web app security testing tool
Testing Web applications is critical for maintaining a secure enterprise network. Learn how to use the community version of Netsparker for free Web app security testing capabilities. Tip
-
Detect rootkit alternate data streams (ADS) with StreamArmor
In this month's screencast, Peter Giannoulis of TheAcademyPro.com explains how to use StreamArmor, a new tool that can detect alternate data streams that may be hiding rootkit data. Tip
-
How to use hping to craft packets
A packet crafting tool that's been around for a long time, hping can be used to test if ports are open, as well as for firewall testing. Learn how to use hping in this tutorial. Tip
- See More: Tips on Security Testing and Ethical Hacking
-
How penetration testing helps ensure a secure data store
A third-party penetration test is the best way to determine whether an online data store can be compromised. Answer
-
Securing applications with a network pen test
Network penetration testing can help protect applications by uncovering weaknesses that provide an alternate route to sensitive data. Answer
-
Software testing methodologies: Dynamic versus static application security testing
Learn about two software security testing methodologies – dynamic and static testing – in this expert response by Michael Cobb. Answer
-
Can threat modeling tools help with securing mobile applications?
When developing enterprise applications, do you know the quickest way to bridge the gap between an information security team and a development group? Answer
-
Using virtual test labs for virtual software testing
Do you know of virtualization that reduces your investment in hardware, space and general overhead? Virtual test labs can do just that. Expert Michael Cobb explains virtual software testing and how it can benefit your enterprise. Answer
-
Seeking an ethical hacking career: How to learn ethical hacking
In this expert response, Nick Lewis explains what an ethical hacker is and what skills such a hacker needs to be successful and compliant with the law. Ask the Expert
-
Static source code analysis tools: Pros and cons
Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why. Ask the Expert
-
Penetration test methodology: Creating a network pen testing agreement
Network pen testing can be very useful when it comes to detecting vulnerabilities, but it's important to work with the IT department to prevent network downtime. In this expert response, learn how to draw up pen testing rules of engagement for greate... Ask the Expert
-
Using fuzzing for internal application security testing
Superstar security researchers often use fuzzing to find flaws in major vendors' applications, and you can use fuzzers to find vulnerabilities during internal software development. Expert Michael Cobb explains how. Ask the Expert
-
Test a security architecture design without an IT security consultancy
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it without spending the money. Ask the Expert
- See More: Expert Advice on Security Testing and Ethical Hacking
-
MIEL e-Security
MIEL e-Security is a Mumbai-based organization that provides information security services and solutions to organizations worldwide. Definition
-
white hat
White hat describes a hacker (or, if you prefer, cracker) who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that will allow the system's owners to fix th... Definition
-
war dialer
A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Definition
-
gray hat (or grey hat)
Gray hat describes a cracker (or, if you prefer, hacker) who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners. Definition
-
ethical hacker
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. Definition
-
Cyber Storm
Cyber Storm is the name of a simulated attack exercise conducted by the U.S. Department of Homeland Security (DHS) February 6-10, 2006 to evaluate whether or not the country could withstand a real attack of similar magnitude... Definition
-
honey pot (honeypot)
A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Definition
-
honeynet
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. Definition
-
ethical worm
An ethical worm is a program that automates network-based distribution of security patches for known vulnerabilities. Definition
-
Katie Moussouris of Microsoft on vulnerability disclosure, ISO standard
Katie Moussouris discusses coordinated vulnerability disclosure, the Microsoft Blue Hat Prize and developing an ISO vulnerability disclosure standard. Video
-
Jose Granado on the benefits of penetration testing, ‘human hacking’
Ernst & Young’s Jose Granado discusses the benefits of penetration testing and the importance of including “human hacking” as well. Video
-
Dan Guido on teaching penetration testing courses; intrusion analysis
The iSec Partners consultant talks about his penetration testing courses at NYU, his research on intrusion analysis and rethinking intrusion defense. Video
-
Adobe: Bug reporting and the sandbox
Brad Arkin talks about Adobe's policy on "bug bounties" and why it's decided to play in a "sandbox." Video
-
Metasploit and software vulnerability testing
Metasploit is a free tool that can be used to pen test for new and potentially damaging vulnerabilities. In this interview, H.D. Moore, creator of Metasploit, explains how the tool works and what it can contribute to software security. Video
-
How to perform Microsoft Baseline Security Analyzer (MBSA) scans
This month, Peter Giannoulis of TheAcademyPro.com and TheAcademyHome.com offers an overview of the free Microsoft Baseline Security Analyzer. Video
-
L0phtCrack returns
Security expert Chris Wysopal explains why the L0phtCrack password cracking tool was unveiled once again after Symantec discontinued sales of L0phtCrack in 2006. Video
- See More: All on Security Testing and Ethical Hacking
About Security Testing and Ethical Hacking
In this security testing and ethical hacking guide, you will get info on how to assess the security of your network with penetration testing and ethical hacking tools and software, ethical hacker training and certifications.