Get started

Web application and API security best practices

• Web application firewall (WAF)

  A web application firewall (WAF) is a firewall that monitors, filters and blocks data packets as they travel to and from a website or web application. Continue Reading

• cryptographic nonce

  A nonce is a random or semi-random number that is generated for a specific use, typically related to cryptographic communication or information technology. Continue Reading

• How to manage application security best practices and risks

  The reality of application security risks requires software developers to be mindful of testing, tools and best practices to improve user experience and information security. Continue Reading

• distributed denial of service (DDoS) attack

  A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. Continue Reading

• SSL (Secure Sockets Layer)

  Secure Sockets Layer (SSL) is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet. Continue Reading

• Definitions to Get Started

  • Web application firewall (WAF)
  • cryptographic nonce
  • distributed denial of service (DDoS) attack
  • SSL (Secure Sockets Layer)

  • pen test (penetration testing)
  • buffer overflow
  • malvertisement (malicious advertisement or malvertising)
  • content filtering (information filtering)

  View All Definitions

• pen test (penetration testing)

  Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.Continue Reading

• How to craft an effective DevSecOps process with your team

  Switching to a DevSecOps model in software development offers many benefits, but combining security and DevOps takes knowledge, forethought and planning.Continue Reading

• buffer overflow

  A buffer overflow occurs when a program attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold. Buffer overflow exploits may enable remote execution of malicious code or denial of service ...Continue Reading

• DevOps security requires new mindset and tools for visibility, automation

  Intuit did it. Etsy did it. Netflix did it. How fast moving companies are integrating security into the agile DevOps cycle for continuous deployment of software and services.Continue Reading

• DevSecOps: Security leaves the silos (and badges) behind

  Delays, "no" and "redo that work" causes many developers to avoid IT security. With DevOps, proponents aim to make security at scale everybody's problem.Continue Reading

• How to address key SSL security issues and vulnerabilities

  As SSL technology evolves and changes, new vulnerabilities begin to cause problems. Expert Rob Shapland explains how security professionals can overcome these SSL security issues.Continue Reading

• Can opportunistic encryption improve browser security?

  Opportunistic encryption offers encryption for servers that don't support HTTPS. Expert Michael Cobb explains how it works and how it can help Web security.Continue Reading

• Comparing the best Web application firewalls in the industry

  Expert Brad Causey compares the best Web application firewalls on the market across three types of product types: cloud, integrated and appliance.Continue Reading

• Introduction to Web fraud detection systems

  Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce.Continue Reading

• Can a walled garden approach help secure Web browsers?

  While a walled garden can help secure Web browsers, they are not seen as beneficial by all. Expert Michael Cobb explains why.Continue Reading

• Email security gateways vs. Web security gateways: Do you need both?

  When replacing an email security gateway, should a Web security gateway be used or another email gateway? Expert Kevin Beaver explains.Continue Reading

• Can a read-only domain controller maximize DMZ security?

  Are read-only domain controllers a more secure option for setting up domain services in a DMZ than using a separate domain? Expert Kevin Beaver explains.Continue Reading

• Bloom cookies: Privacy without prohibiting Web personalization?

  While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help enhance privacy while maintaining personalization.Continue Reading

• How can we detect and uninstall bloatware?

  Unwanted preinstalled software -- also known as bloatware -- has made its way onto PCs and mobile devices alike. Expert Nick Lewis explains how to detect and uninstall the potential threat.Continue Reading

• Browser and device fingerprinting: Undeletable cookies of the future?

  Browser and device fingerprinting create cookies that users cannot prevent nor delete. Expert Michael Cobb explains how to address the threat.Continue Reading

• Can the Wyvern programming language improve Web app security?

  A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb discusses.Continue Reading

• Can public key pinning improve Mozilla Firefox security?

  Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains how it works and its benefits.Continue Reading

• What is the best super-sized cookie denial-of-service attack defense?

  Super-sized cookies are behind an innovative new denial-of-service attack. Enterprise threats expert Nick Lewis discusses how to prevent these cookies from getting onto your network.Continue Reading

• Four questions to ask before buying a Web application firewall

  Web application firewalls are complex products. Expert Brad Causey explains the key criteria enterprises need to consider before investing in a WAF product.Continue Reading

• Business-use scenarios for a Web application firewall deployment

  Web application firewalls can be a critical security layer for many companies. Expert Brad Causey explains when and how to deploy a WAF in the enterprise.Continue Reading

• Achieve converged security with a secure Web gateway

  While you may have never heard of a secure Web gateway, it may be the Swiss army knife of converged security your enterprise needs.Continue Reading

• Secure Web gateway evaluation: Ten questions enterprises must ask

  The benefits of a secure Web gateway are aplenty, but is the technology a fit for your enterprise? Answer these questions to decide.Continue Reading

• Four deployment options for secure Web gateways

  Before you install a secure Web gateway, it is critical to understand which of four deployment options would best meet your enterprise's needs.Continue Reading

• Secure Web gateways, from evaluation to sealed deal

  Get help evaluating a secure Web gateway for your enterprise as you learn what it is, its multiple features, deployment options and more.Continue Reading

• API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.Continue Reading

• How sandboxes benefit network protection and malware defense

  Nick Lewis discusses the concept of sandboxing and how vendors are using network appliance sandboxes to boost network protection and malware defense.Continue Reading

• Mitigating the enterprise risks posed by PHP SuperGlobal variables

  Learn the risks PHP SuperGlobal variables present to PHP applications and how to mitigate them in an enterprise environment.Continue Reading

• HealthCare.gov security issues: Lessons learned for enterprises

  Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.Continue Reading

• API security: How to ensure secure API use in the enterprise

  API security is a growing enterprise concern. In the wake of recent high-profile breaches, discover how to alleviate the issues of insecure APIs.Continue Reading

• HSTS: How HTTP Strict Transport Security enhances application security

  Many websites are using HTTP Strict Transport Security (HSTS) to enhance application security, but is it really more effective than HTTPS?Continue Reading

• How Google Chrome Canary improves malware defense, prevents infection

  The forthcoming Google Chrome Canary browser boasts the ability to boost malware defense and prevent malware infection. Michael Cobb explains how.Continue Reading

• Get back to basics for improved network security

  If your post-mortem meetings are anything like mine, forget the bells and whistles and revisit security best practices.Continue Reading

• W3af tutorial: How to use w3af for a Web application security scan

  In this screencast video, Keith Barker of CBT Nuggets offers a tutorial on how to perform a thorough Web application security scan using w3af.Continue Reading

• CMS security recommendations for Drupal and WordPress

  Application security expert Michael Cobb offers advice on how to secure content management systems like WordPress and Drupal.Continue Reading

• The value of 2,048-bit encryption: Why encryption key length matters

  Leading browsers are required to use 2,048-bit length keys by the end of the year, but what effect does this have on security?Continue Reading

• How certificate pinning improves certificate authority security

  Certificate pinning reduces reliance on trusting certificates authorities and improves digital certificate trustworthiness. Michael Cobb explains how.Continue Reading

• Malware defense revisited: How to improve Web-based malware detection

  Signature-based AV doesn't stop Web-based malware, but what does? Spyro Malaspinas points out what's next in enterprise malware detection technology.Continue Reading

• An introduction to Web application threat modeling

  Video: VerSprite's Tony UcedaVelez explains how Web application threat modeling assesses Web risk and how it differs from penetration testing.Continue Reading

• Antimalware software introduction: Business benefits and drawbacks

  Mike Rothman discusses how antimalware software has evolved to develop various business and technology issues, but also still holds many benefits.Continue Reading

• malvertisement (malicious advertisement or malvertising)

  A malvertisement (malicious advertisement) is an advertisement on the Internet that is capable of infecting the viewer's computer with malware.Continue Reading

• XML encryption and WS-Security tutorial: Essential elements of Web services security

  WS-Security and XML encryption are two essential elements of Web services security. In this XML encryption and WS-Security tutorial, which is a part of the SearchSecurity.com XML Web services tutorial, learn more about the security threats and ...Continue Reading

• content filtering (information filtering)

  On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable.Continue Reading

• metamorphic and polymorphic malware

  Metamorphic and polymorphic malware are two categories of malicious programs that have the ability to change their code as they propagate.Continue Reading

• National Computer Security Center (NCSC)

  The National Computer Security Center (NCSC) is a U.S. government organization within the National Security Agency (NSA) that evaluates computing equipment for high security applications to ensure that facilities processing classified or other ...Continue Reading

• Web application attacks security guide: Preventing attacks and flaws

  This Web application attacks guide explains how Web application attacks occur, identifies Web application attack types, and provides Web application security tools and tactics to protect against them.Continue Reading

• JavaScript hijacking

  JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML)... (Continued)Continue Reading

• cookie poisoning

  On the Web, cookie poisoning is the modification of a cookie (personal information in a Web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft.Continue Reading

• cache cramming

  Cache cramming is a method of tricking a computer into running Java code it would not ordinarily run.Continue Reading

• greynet (or graynet)

  Greynet is a term for the use of unauthorized applications on a corporate network. A greynet application is a network-based program that corporate network users download and install without permission from their company's IT department.Continue Reading

• LUHN formula (modulus 10)

  The LUHN formula, also called modulus 10, is a simple algorithm used to validate the number on a credit card.Continue Reading

• XML Web services tutorial: How to improve security in Web services

  Securing XML is an essential element in keeping Web services secure. This SearchSecurity.com Learning Guide is a compilation of resources that review different types of XML security standards and approaches for keeping your XML Web services secure.Continue Reading

• anonymous Web surfing (Web anonymizer, SafeWeb)

  Anonymous Web surfing allows a user to visit Web sites without allowing anyone to gather information about which sites the user visited.Continue Reading

• threat modeling

  Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system...Continue Reading

• dictionary attack

  A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an ...Continue Reading

• Web filter

  A Web filter is a program that can screen an incoming Web page to determine whether some or all of it should not be displayed to the user.Continue Reading

• trigraph

  A trigraph is a three-character replacement for a special or nonstandard character in a text file.Continue Reading

• vandal

  A vandal is an executable file, usually an applet or an ActiveX control, associated with a Web page that is designed to be harmful, malicious, or at the very least inconvenient to the user.Continue Reading