Securing FTP Running on Your Web Server

I’ve had several questions from clients recently on how they can to secure FTP running on their web servers. The easy and short-sighted response would be “Are you nuts? You need to run FTP on a dedicated server!” However, looking at it from a business perspective considering things like money, politics, business process and third-party […]

Read More →

Good Web Security Tools and Why They Matter

Like chemists, carpenters and doctors, those of us working in IT need good tools if we’re expected to do a good job. When dealing with application security, good security testing tools will always set the professionals apart from the amateurs. In fact, the quality of your tools for performing a site security audit will have […]

Read More →

Why You Need Intruder Lockout

It’s a very predictable web security flaw — in fact, it’s something I find in the majority of my web security assessments: the lack of intruder lockout on login pages. I know, with all the SQL injection and cross-site scripting present on the web, the lack of intruder lockout on web login pages seems a […]

Read More →

Don’t Forget Your Marketing Website Security

I recently read about a marketing agency that experienced a security breach and subsequent defacement of its customers’ websites. Apparently their developers had misconfigured the web server and unknowingly gave the whole world access to change any and all content at will. What interested me the most was the fact that out of the hundreds […]

Read More →

Why people violate security policies

Many organizations have a formal set of information security policies covering everything from acceptable internet usage to security in software development to web application security. In fact, it’s hard to come across a business today that doesn’t have at least a policy or two in place. That’s fine and dandy but it’s not the existence […]

Read More →

VIDEO: How Cross-Site Scripting (XSS) Works

XSS vulnerabilities (Cross-Site Scripting vulnerabilities) are often overshadowed by their big cousin, the infamous SQL Injection. This does not make them any less effective or deadly. XSS and SQL Injection attacks are similar in the way they inject malicious code. The difference is that an SQL attack, injects code into the target database whereas an […]

Read More →