OWASP
03-12-2010 20:11 Multiple DOM-Based XSS in Dojo Toolkit SDK
We released an advisory today to Bugtraq regarding a DOM-Based XSS bug I found in the Dojo Toolkit SDK 1.4.1 and earlier versions. The Dojo team was informed on February 19, 2010 and released the fix today along with some other security bugs. If you want some more information on this bug as well as the other bugs that were fixed, see their security bulletin. The files identified with the XSS issues are primarily designed for testing; however, a quick Google search will identify numerous >>

I’m not a developer any more, so I find it difficult to update the experiments I’ve been working on, but I managed today to upload the work I’ve done with JSReg and update Hackvertor. They are both integrated closely together because Hackvertor allows untrusted JavaScript using JSReg. The recent upgrade to JSReg allowed me to upload the Hackvertor changes I did a while ago; it is now very nice and easy to share code between users. At the moment registration is disabled, but I plan t >>

Jim Manico has produced another great addition to his OWASP podcast canon; the latest discussion is with Richard Bejtlich. Jim is very good as an interviewer, which means the questions are all meat and potatoes on in-the-trenches issues. One of the main points that Richard makes that is lost on many security programs is how to take information security concerns and then communicate them to the business. How do you talk about security to people (i.e. business) that could care less abou >>

It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a condition where you can defeat CSRF tokens: The technique, found by Lava Kuppan, describes a scenario where a m >>

by Christian Moldes
In Outliers, Malcolm Gladwell analyses how plane crashes are the result of a combination of errors. I found this analysis very interesting because of the similarity with most security breaches. A brief excerpt of his book: “Plane crashes rarely happen in real life the same way they happen in the movies. Some engine part does not explode in a fiery bang. The rudder doesn’t suddenly snap under the force of takeoff. The cap >>

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers. … >> theregister

03-09-2010 16:43 On the Risk of Overfocusing on Seductive Details
Learning about security means understanding types of risk, and investors, specifically value investors, have a long demonstrated track record of framing ways to think about asset protection and making it actionable. Recently I've been reading James Montier; I am very impressed with his approach, which is based on a pretty rigid process and objective checklists. Here is an excerpt from a recent interview: Miguel: Let’s talk about the concept of seductive details… can y >>

I just saw Sergey Bratus’s talk at TROOPERS 10. He’s an interesting guy, and his talk was good. He’s a CS professor at Dartmouth, and he’s actually making an effort, on behalf of the academic community, to inject some genuine security clue into the education of CS students. He obviously has a tough topic to address, but he looks like he’s on the right track to me. One thing he pointed out is that a lot of vulnerabilities over the years have actually resulted from the accident >>