VIDEO: SQL Injection tutorial

SQL Injection is perhaps one of the most common application layer attack techniques used today, mainly used by malicious users to steal data from organizations. It is a type of attack that takes advantage of improper coding of your web applications that allows a malicious user to inject SQL commands into a form on your […]


Properly Scoping your Web Security Assessments

I’ve heard experts in time management say that one minute of planning can save you five minutes in execution. This applies to so many things we do in IT and information security but I can’t think of anything more important than security testing. Applying the 80/20 rule to this scenario, the first 20 percent of […]


How Much Web Security is Enough?

A good web application security environment is one that balances security with convenience. Nothing more and nothing less; just the security that’s needed to keep things reasonably in check. But just how much is enough? All too often I see websites and applications with too little security while others have too much – namely “security […]


The Cure for Many Web Application Security Ills

One of the things I’ve learned throughout my career is that many solutions to the problems we face in IT, security and software development can be solved if we simply turn to business leaders to see how it’s done. In particular, I’m talking about a practice called zero-based thinking. A tool that’s been around for […]


The Rise of Backdoored WordPress Plugins

It all started a few months ago when I was visiting Lester Chan’s website looking for some information about one of his plugins. Lester Chan has written a good number of very popular WordPress plugins that are used by millions of people. Some of the most popular ones are WP-PageNavi, WP-DBManager, WP-PostRatings, WP-Polls and WP-PostViews. While […]


Going Beyond Confirmed Web Security Flaws

As I wrote in my previous post about low-hanging fruit and the 2011 Verizon Data Breach Report, I’m a strong believer in finding out where your Web systems are bleeding and focusing on those issues first. It’s the basic principle of triage – finding, and fixing, the urgent issues on the important systems. The thing […]


Barracuda Networks Breached

Introduction: On April 11th 2011, at nine in the evening, Barracuda Networks posted a grim entry on their blog. Their network had been hacked. Thousands of their confidential customer and employee records were stolen. In an ironic twist of fate, the company that advocates security through its own Web Application Firewall were victims to the […]
