Server Limits for Apache Security
Thursday, January 17th, 2008

Security Experts Expose Costly Vulnerability in Second Life
Sunday, December 2nd, 2007
Second Life users need to be cautious with QuickTime embedded videos in the game, as it may be used to pick your pocket of Linden Dollars. Charles Miller and Dino Dai Zovi, of Independent Security Evaluators, have found that by using a flaw in QuickTime, they can not only pick the ...

PayPal Groks Security?
Wednesday, November 21st, 2007
Via Jeremiah, I see that PayPal's new vulnerability disclosure policy includes an amnesty clause for well-intentioned security researchers: To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all t...

iPhone Security Concern
Monday, July 2nd, 2007
Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part: The AT&T/Cingular voicemail system is configured by default not to ask for a pa...

Planet Web Security
Friday, June 29th, 2007
If you want to keep up with the latest in web application security, you might want to add Planet Web Security to your reading list. In his announcement, Christian Matthies offers this brief description: I am pleased to announce the launch of Planet We...

User Authentication and PHP Security
Wednesday, February 21st, 2007
So far we have covered security vulnerabilities that involve form data, databases, and file systems. In this article we are going to look at authentication and the security issues around it. We will also look at some of the most common attacks in this field....

An Introduction to PHP Security
Wednesday, February 14th, 2007
Since its introduction in 1994 or thereabouts, the PHP language has grown to become the most popular scripting language in the world of server side scripting and now powers most of the web's most visited sites. With this popularity came new concerns such as performance, maintainability ...

An Introduction to Security Measures in Apache 2.2
Tuesday, January 30th, 2007
This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step and not intended as the only step if you are configuring a commercial web server....

YouTube Fixes Security Vulnerability
Thursday, December 21st, 2006
Until recently, YouTube has been vulnerable to cross-domain Ajax attacks due to their open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the pro...

PHP Security
Thursday, December 14th, 2006
I've just been misquoted on Slashdot, as if I said there are no security problems in PHP itself, and that I instead point my finger only at inexperienced developers. If you read the original article on Heise Security, you'll see that I have not said anything of the sort. While ...

Ajax Security
Wednesday, December 13th, 2006
Recently, Jeremiah posted an article about Ajax security. He's a good writer and manages to clarify some misconceptions, but I disagree with one of his points about XSS. (I'll get to that in a minute.) His discussion on XSS begins with a question and (...

Security 2.0 at Web Builder 2.0
Friday, December 1st, 2006
I'll be giving a talk about Security 2.0 on Tuesday at Web Builder 2.0 in Las Vegas: Web 2.0 has been described as many things. It's the Web as a platform, a network of networks, the architecture of participation. However you choose to define it, the ...

MySQL Security Overview
Monday, November 27th, 2006
When should you start to worry about MySQL security? When you start to use the MySQL server over an Internet connection. Why? Because that is when your MySQL server is going to be the most vulnerable to all kinds of attacks, such as alterations and denial of ...

Google Code Search for Security Vulnerabilities
Friday, October 6th, 2006
Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search: Google's code search provides an easy way to find obvious software flaws in open source and example applica...

Breach Security Acquires Thinking Stone
Wednesday, September 27th, 2006
From Ivan's blog: It gives me great pleasure to announce that Thinking Stone and ModSecurity have been acquired! We will be joining forces with Breach Security, a company also focused on the web application firewall market. For anyone unfamiliar with...

Interesting Security Blogs
Saturday, August 19th, 2006
I blog about a number of topics here at shiflett.org, and a favorite one is web application security. A reader recently asked for some other security blog recommendations, so I thought I'd mention a few of the ones I try to keep up with. Although not ...

Rails Security and Nondisclosure
Friday, August 11th, 2006
Since the announcement of a "serious security concern" in Rails yesterday, many people have taken the opportunity to criticize the Rails project as being too immature for "enterprise" use. I think that's overly harsh, but there are some very valid con...

Security Issues with MySQL
Friday, July 14th, 2006
If you maintain a MySQL database, you understand the importance of security. This article covers that topic in detail. The first of several parts, it is excerpted from chapter 12 of the MySQL 5. Certification Guide, written by Paul Dubois et ...

OmniTI Seeks Junior Security Analyst
Friday, July 14th, 2006
Are you a good PHP developer searching for a cool place to work? OmniTI (where I work) employs several industry leaders, including Theo Schlossnagle, George Schlossnagle, Laura Thomson, and Wez Furlong. We do lots of interesting, challenging work for ...

PHP Security Hoedown at OSCON
Wednesday, July 12th, 2006
For those of you attending OSCON in a couple of weeks, you might be interested in the PHP Security Hoedown BOF being hosted Wednesday night by Ed Finkler of CERIAS: An open discussion about the current state of PHP security. Are we making progress? Wh...

PHP Security by Example
Saturday, July 8th, 2006
Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two. About a week ago, the Flash version of PHP Security by Example was Dugg. I'm always disappointed to see trolls (Digg s...

Security: Digg Versus Furl
Wednesday, February 15th, 2006
While adding links to my feed, I noticed similar security vulnerabilities in both Digg and Furl. (Josh Ribakoff of DevNetwork Forums played a part in discovering Furl's vulnerability.) Of course, I immediately notified each of them and offered a simpl...

Essential PHP Security Slashdotted
Tuesday, February 14th, 2006
Thanks to everyone who wrote to let me know that Essential PHP Security was Slashdotted yesterday. Slashdot still amazes me. I think the book's Amazon.com Sales Rank is a testament to the power of Slashdot: Here's a closer view: The review is v...

PHP Security and SABSA
Tuesday, January 31st, 2006
Andrew van der Stock has started providing more details about a proposed security architecture for PHP, beginning with the SABSA (Sherwood Applied Business Security Architecture) approach. This approach is broken down into layers: Contextual ...
