Comments on "Writing Secure Software" (Blogger comment feed, last updated 2023-11-22)

Vic, 2011-05-19 19:01:
The info in your blog helped me with my project, which is based on bookmakers (http://stavki.com/rossijskie-bukmekerskie-kontory.html). Thank you very much!

Tilman Hausherr, 2011-05-12 08:43:
I doubt that the "don't use strings for passwords" rule can be used for servlets, especially JSF-based servlets, because strings are used internally to pass the input to the backing bean.

trustedconsultant, 2011-02-08 19:48:
I removed the reference to iframe sandboxing for remediation for XFS click-jacking. I agree that HTML 5 sandboxing can render existing XFS countermeasures like frame busting useless, and this should be captured as part of coding standards practice when coding with iframe sandboxing. That being said, I do not believe fixing a click-jacking or cross frame scripting vulnerability is an HTML 5 task; rather, it should be the browser vendor's task to make the browser capable of enforcing the SOP (Single Origin Policy) that is the cross frame scripting root cause.
As you indicated, you can use X-FRAME-OPTIONS, available for the IE 8 browser, to mitigate clickjacking attacks; for Mozilla and other browsers you can use the NoScript plugin.

Anonymous, 2011-02-08 11:37:
Actually, sandbox is worse than just disabling JS, which could have several side effects for the framed site. With sandbox="enable-scripts" you can enable JS but disable top.location assignment, and that will alter the framebusting code ONLY.

There are, as you mentioned, a few existing counter-JS-framebusting techniques; iframe sandbox just tops them all, because it will be the easiest and most elegant one. For example, it does not require a confirmation from the user like the onbeforeunload technique.

Sandbox is good against same-domain XSS, phishing attacks and securely including 3rd party code (think ads), but for clickjacking alone it makes things worse.

trustedconsultant, 2011-02-07 21:48:
Krzysztof, you are correct that sandboxing basically disables JS on the frame and renders the frame-busting-off technique useless. The frame-busting-off technique is actually not foolproof, as there are several ways to break it; see http://seclab.stanford.edu/websec/framebusting/framebust.pdf
Nevertheless, I thought that the sandbox attribute could control third party content and enforce the single origin policy of the browser, whose vulnerability is ultimately the root cause of cross frame scripting.

Anonymous, 2011-02-07 04:29:
Good summary.

While all the tips are good in general, there's a slight inconsistency in the last one. Iframe sandbox not only does not protect you from clickjacking attacks, it facilitates them. Sandboxed iframes cannot by default framebust using the Javascript top.location override (the most popular form of framebusting technique).

While using the X-Frame-Options header would help, it's almost never used (see e.g. http://twitter.com/#!/mniemietz/status/34182195732025345).

See details of that at http://heideri.ch/jso/#122

It's a not-so-rare case where a new security feature breaks existing defense methods.

heru, 2011-02-07 01:19:
Wow... nice info!

Stanimir Simeonoff, 2011-02-04 13:15:
The cited article of Sun is plain wrong and badly coded. For instance, it doesn't do anything regarding the PushBackInputStream's buffer. Possibly it doesn't do anything for the InputStream's buffer and even less for the SSLEngine/Socket buffer. Zeroing memory sounds good on paper, but it's almost impossible to implement either.

Java Strings just wrap a char[] and that's all about them, nothing special, unless they are intern()'d or are plain literals. In that case they are persistent in the memory. I can't imagine any sane operation involving intern() with a password (or any security sensitive information); actually I know very few limited uses of intern(), and most developers have never used it.

Using strings doesn't change much regarding the security. Like I've told, I can't really grasp Sun's article idea about zeroing the memory the char[] holds. If the danger is some memory access, well, the GC is free to move data around (by copying), and it's not necessary to zero anything afterwards. So the former location of the char[] holding the password will keep holding it until overridden. No difference with Strings.

JB, 2010-12-16 10:43:
Thank you for this very befitting tribute.

I had the pleasure of working with Roman in the late 90's/early 00's, and am a better person for the experience.

We had kept in touch over the past decade, and his joy for life, fondness for learning, and adoration of loved ones never ceased to amaze me.

The world has lost a great man. My deepest sympathies go out to his wife, young sons, and extended family. I hope they can be comforted by an unending font of warm memories, and the knowledge that they filled his heart & inspired his smile.

Marco & Gianluca, 2010-09-21 08:21:
I agree wholeheartedly, James. Another important aspect is for governments to enact cybercrime security standards and regulations that can be enforced to protect citizens' privacy and consumers from losses from fraud. Nowadays, cybercrime is a billion dollar business, so best practices are not enough, as you pointed out; we need new security standards and enforcement of these, with liability and responsibilities to enforce them.

james, 2010-09-21 05:35:
Cyber threats will continue to evolve and pose challenges to users, software developers, vendors of security products and organizations. I agree that over the last decade, the motivation behind cyber-attacks has shifted from fame to making profits. Cybercrime has now become an organized activity. With the prospect of countries using cyber war to display their supremacy, public and private organizations are going to have a tough time protecting their networks.
In such a scenario, it is important for organizations to take cognizance of the latest cyber threats, assess weaknesses of networks, revisit security policies with changes in the threat profile, hire specialists such as CEH (http://www.eccouncil.org), use tested and certified security products and monitor user activity. Government must promote cyber education at all levels to meet the future requirements for cyber experts.

RU_Trustified, 2009-11-01 18:19:
Perhaps you should consider that a large percentage of insider breaches are undetectable, so the number you reference is probably underestimated.

trustedconsultant, 2009-10-31 09:30:
Do not understand the question...

Parneet, 2009-10-31 06:06:
Risk driven security testing queries provide a better facility for encryption through security software (http://www.bestantivirusreviewed.com/); please tell me the best recommendable software for this testing.

Clerkendweller, 2009-07-07 10:11:
Bookmarked! This is a great review of the issues and pointers to some useful additional information. I wasn't previously aware of Gordon and Loeb's research.
For organisations that perhaps don't build software themselves, and only have a single web presence, I've found the COBIT Security Baseline a useful starting point to introduce organisations to the issues and controls required.

In this month's ISACA Journal (Vol 4 2009), I have an article, "COBIT Security Baseline Applied to Business Web Applications - A Practical Approach for All Sizes of Organisations" (http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/Overview1/Journal/ISACA_Journal_Home.htm).

N074H4x0r, 2009-03-31 20:01:
I seriously doubt that Yahoo didn't realize how ridiculous their questions were. My money is on "the security guys have been screaming for years, but the business just didn't give a shit."

Richard Zhao, 2008-11-06 06:29:
From enterprise practices, it's not cost-saving to use OSS compared against COTS, unless your HR cost could be controlled very well.

=Richard=
http://sbin.cn/blog

Anonymous, 2008-08-27 15:39:
The 2008 IMI Security Symposium is taking place on October 3, 2008.

Chris, 2008-05-15 14:11:
Nice writeup!

Maurice Witten, 2008-05-13 08:03:
A bit late on this one; however, I found it beneficial. If you have anything more, or can point me to some more resources for quantifying risk, please let me know.

Anonymous, 2008-03-25 21:24:
Marco, I didn't see you at OWASP tonight. Does that mean you're spending some time in Italy before the 3/31 presentation? :)

Let your vote count! Take a moment to answer Marco's poll questions.