Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had…
The critical Web-based systems that are going untested and unsecured
I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is an area of security that doesn’t get near the attention it deserves – especially when it comes to the…
Securing FTP Running on Your Web Server
I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business…
Good Web Security Tools and Why They Matter
Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. In fact, the quality of…
Why You Need Intruder Lockout
It’s a very predictable web security flaw — in fact, it’s something I find in the majority of my web security assessments: the lack of intruder lockout on login pages. I know, with all the SQL injection and cross-site scripting present on the web, the…
Don’t Forget Your Marketing Website Security
I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the web server and unknowingly gave the whole world access to change any and all content at will. What interested me…
Why people violate security policies
Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to web application security. In fact, it’s hard to come across a business today that doesn’t have at least a policy or two in…
Not All Web Vulnerability Scans Are Created Equal
Recently a client of mine sent over the results of a web vulnerability scan that one of their customers had run against their production web environment. My client was curious why the results of this third-party scan were different from my findings just a few…
Common Website Security Flaws and What They Mean
Having a successful online presence is hard enough. Throwing some website security-related terms into the mix makes it all the more difficult, especially if you’re not a technical person or computer security guru. Although some folks in IT intentionally make web vulnerabilities difficult to understand…