The One Web Security Testing Oversight You Don't Want to Miss

As I’ve written about scoping your Web security tests in the past, it’s not something to be taken lightly. Interestingly, there’s one aspect of Web security testing where I’m still seeing a big disconnect. The issue is how many critical …

HTTP Parameter Pollution - a Newer Class of Injection Attack

Nowadays, many components from web applications are commonly run on the user’s computer (such as JavaScript), and not just on the application’s provider server (such as Servlets). As time goes by, there is the need for web applications to provide …

There’s More to Web Security than Meets the Eye

When we talk about Web security, we typically think about the common OWASP-type elements: SQL injection, cross-site scripting, passwords, encryption and the like. That’s fine but those areas can’t be our only focus. There’s so much more to managing information …

To Validate or Not, Is That the Question?

Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual …

The critical Web-based systems that are going untested and unsecured

I recently participated in a webinar aimed at helping physical security professionals, corporate security managers and others responsible for both physical and logical security. This is an area of security that doesn’t get near the attention it deserves – especially …

Securing FTP Running on Your Web Server

I’ve had several questions from clients recently on how they can secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking …

Good Web Security Tools and Why They Matter

Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. …

Don't Forget Your Marketing Website Security

I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the web server and unknowingly gave the whole world access to change any and all content …

Why people violate security policies

Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to web application security. In fact, it’s hard to come across a business today that doesn’t have at least …