It’s that time of year for us to get inundated with all those Top 10 lists to help us achieve this, prevent that and so on. Those lists are valuable indeed, especially if you need some motivation to get your year started off on the…
Author Archives Kevin Beaver
THE AUTHOR
Kevin Beaver
Which scan policy should you use to find everything that matters?
If only Web application security were black and white. We could simply load our scanner without thinking anything through, enter the URL, click Scan, generate a report of issues for someone else to address and be done with it. Sadly I think some people do…
Notable changes in PCI DSS 2.0 affecting Web application security
“Clarification, additional guidance, and evolving requirements” – welcome to the new PCI standards! Hot off the press are the new PCI DSS and PA-DSS requirements which take effect January 1, 2011. So, if you work in or around Web application security, it’ll behoove you to…
Application Security; Don’t get caught off guard with dangerous assumptions
Don’t get caught off guard. We hear that statement all the time with regards to information security. Sadly, as many businesses have experienced, such talk is cheap. Obviously no one wants their Web site to get hacked. Okay, maybe a few admins or developers who…
Preventing phishing attacks is not just a technical issue
A client of mine who’s a security administrator for a business in the financial industry contacted me recently about some odd behavior he was seeing on his network. Apparently numerous spidering/mirroring requests were being sent to his company’s marketing website from a foreign country –…
Four skills that will make you a better Web security professional
People who are at the top of their games such as Formula One engineers, neurosurgeons, stunt pilots and so on have one thing in common: they all have finely-tuned technical skills. This is not just specific knowledge of what they do but knowledge about many…
Why all the hoopla over the Twitter onMouseOver flaw?
The recent publicity and ranting about Twitter’s onMouseOver flaw* got me thinking about our perception of software quality and expectations of risk. Why is there no room for error when Twitter makes a mistake yet we put up with so many bigger – and more…
Why do so many people buy into "checklist" audits?
Probably my biggest pet peeve related to application security is the claim by many (typically management) that “We know we’re secure, we just had an audit”. I can’t tell you how many times I’ve seen this situation. Management will require their administrators to go down…
Ways to avoid email floods when running Web vulnerability scans
If you’ve ever ran a Web vulnerability scan you’ve likely experienced this situation. You fire up your scanner, tweak your settings, and click Start. The next thing you know people in customer service, marketing, IT, etc. are wondering why they’re getting hit with hundreds –…