Integrating Vulnerability Scanners and Web Application Firewalls

Posted on June 6, 2008

As I mentioned in my previous post - What’s the Score of the Game - I feel that one of the areas where organizations are failing, with regards to web application security, is that there is a lack of communication between the following three

» Filed Under filtering input

Security Requirements for Software Development

Posted on June 6, 2008

For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping. If language is J2EE, documentation of the J2EE Security Manager settings should be provided. Do not use GET requests (URLs) for

» Filed Under programming

The Telling of One Billion Ghost Stories (draft) - Part 29

Posted on June 6, 2008

Few resources were being wasted on an escape tunnel that would rarely be used. The far end brought them to a set of double doors, these ones opening with no more than a simple latch. Once inside, further high security had been made

» Filed Under programming

Top 10 Linux Commands Anyone Can Use

Posted on June 6, 2008

This command receives input from STDIN (Standard Input) and allows you to page through the output. This is useful with the command mentioned above. What if you have too much data for your shell’s output buffer? You can’t scroll up.

» Filed Under programming

DoS attacks using wildcards

Posted on June 5, 2008

Say your web application processes all this data and shows it back to the user, and your code doesn’t check the number of records that have been asked for; then your application is also affected. An application level DoS.

» Filed Under filtering input

Re: Best practice for validation

Posted on June 5, 2008

Zend_Form handles input filtering, so it can be dropped in as a replacement for Zend_Filter_Input (another option you didn’t specify) as an input filter for your model. Just because Zend_Form _can_ render

» Filed Under filtering input

PHP Security / SQL Security - Part 1

Posted on June 5, 2008

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively

» Filed Under programming

PHP / SQL Security - Part 2

Posted on June 5, 2008

In the previous article, I looked at processing and securing user input when it is to be redisplayed or executed as PHP code. Now it’s time to consider entering that data into a database, and cover the security issues which arise when

» Filed Under security

RailsConf 2008 Recap

Posted on June 3, 2008

Take advantage of the quote() function to sanitize user input (for SQL). Cross Site Scripting preventive measures: SafeERb, XSS Shield, Manual Escaping with h(). Tarantula plugin crawls everything and performs form fuzzing.

» Filed Under programming

[WEB SECURITY] question about anti-xss applicability of PHP's …

Posted on June 2, 2008

Hi all, I’ve been trusting PHP’s htmlentities() to escape to HTML for a long time now on several customer sites and I want to be sure that it’s secure. I am specifying UTF-8 as my charset in XHTML headers, so I don’t think alternative

» Filed Under security