XSS vulnerabilities (Cross-Site Scripting vulnerabilities) are often overshadowed by their big cousin, the infamous SQL Injection. This does not make them any less effective or deadly. XSS and SQL Injection attacks are similar in the way they inject malicious code. The difference is that an…
Improving Web Security by Working With What You’ve Got
As I wrote about in a previous post, we’re in the era of cutting back – if not completely eliminating – all non-essential expenditures. The thing is what may seem to be non-essential to management may actually be essential to the business. There could just be…
Explaining the “why” of Web application security
Looking at the bigger picture of application security it seems that no one else really hears us. Sure, product managers, marketing, legal, HR and even certain people in management say they understand what’s at stake. But are they really on board? Business leaders have learned…
"Time to market" no longer the security excuse
If you’ve heard it once you’ve probably heard it a thousand times: time to market is critical. Indeed, when it comes to software development, many business executives, marketers, product managers and sales weasels live and breathe by this mantra. Just get it out the door…
Preventing XSS Attacks
Cross Site Scripting (XSS) attacks are amongst the most common types of attacks against web applications. XSS vulnerabilities all fall under the same category, however, a more detailed look at the techniques employed during XSS attacks reveals a multitude of tactics that exploit a variety…
Getting employees on your side to improve Web security
We often hear about “disgruntled workers” wreaking havoc on computer systems and sensitive information. Interestingly we never hear about what I call “gruntled workers” and how they can — and do — contribute to enterprise security. Getting the attention of your employees and having them…
US Police Servers Breached in New Anonymous Attack
On the 31st of July 2011, the system administrator of Brooks-Jeffrey Marketing (BJM) was working on his newly upgraded servers. At exactly the same time a hacker was slowly sniffing his way through the same systems and picking up everything in his tracks. The hacker had rooted…
Anonymous hack US Department of Defence – Analysis of the Attack
On the 12th of July 2011, Booz Allen Hamilton the largest U.S. military defence contractor admitted that they had just suffered a very serious security breach, at the hands of hacktivist group AntiSec. Operation Anti-Security (AntiSec) is a hacking operation, carried out by two of the biggest…
Properly Scoping your Web Security Assessments
I’ve heard experts in time management say that one minute of planning can save you five minutes in execution. This applies to so many things we do in IT and information security but I can’t think of anything more important than security testing. Applying the…