
Secure Coding Archives

November 30, 2006

Wietse on secure programming traps and pitfalls

At Hack.lu 2006, "a three days conference in the center of Europe for bridging ethics and security in computer science," Wietse Venema (author of Postfix, etc.) did a presentation on secure programming traps and pitfalls: he analyzed "a very small program that appears to be obviously correct, yet completely fails to perform as expected, for more reasons than many people can think of."

Wietse took the example of a broken file shredder: a program that overwrites a file before deleting it, yet is defeated by operating system and hardware optimizations (e.g., write caches, journaling file systems) that keep the original data from ever being overwritten on disk. The last three slides of his presentation (PowerPoint) are a must read.

April 20, 2006

Security incidents in web-based applications

According to the Web Application Security Consortium (WASC), XSS and SQL injection remain the most popular attack vectors being exploited in public incidents. Further details can be found in the Web Hacking Incidents Database (WHID), which was updated today.

[Chart: number of public incidents registered per year; (*) projected number of incidents for 2006]

A broader list of vulnerabilities is listed in OWASP Top Ten, which ranks the most critical web application security flaws.

March 3, 2006

Anti-XSS Library for .NET

Microsoft released an anti-cross site scripting library for its .NET Framework. It can be freely downloaded here.

February 18, 2006

More spam sent through web sites

This interesting article (in French) warns webmasters about the "latest" spammers' technique to exploit e-mail forms (i.e. FormMail.pl). It consists of injecting additional recipients through the From: field. We told you before: you shall never trust user input. :-)
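The defensive check that stops this class of abuse, as an added example that is not part of the original post or of any FormMail script: a mail-form handler that rejects any field containing a line break (the only way a form value can terminate one header and start a `Bcc:` or `To:` of its own), requires the sender field to be exactly one plain address, and never lets the form choose the recipient. Function names, the regular expressions and the sample form data are constructed for this example.

```python
"""Defensive validation for a web mail form (added example, not from the post)."""
import re
from email.utils import parseaddr

# A value containing CR, LF or NUL could end the current header line and
# append further headers; this is what turns a "From:" field into a relay.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Deliberately simple address syntax: one mailbox, no display name, no list.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormRejected(ValueError):
    """Raised when a form field cannot safely be placed in a mail header."""


def clean_single_line(value, field, max_len=256):
    """Return value stripped of surrounding spaces, or raise if it could span headers."""
    if _HEADER_BREAK.search(value):
        raise FormRejected(f"{field}: line break not allowed")
    if len(value) > max_len:
        raise FormRejected(f"{field}: too long")
    return value.strip()


def clean_address(value, field):
    """Accept exactly one plain address; reject lists, display names and comments."""
    value = clean_single_line(value, field)
    _name, addr = parseaddr(value)
    # parseaddr() keeps only the first mailbox, so any extra text means the
    # value was not a single bare address.
    if addr != value or not _ADDR.match(addr):
        raise FormRejected(f"{field}: not a single plain address")
    return addr


def build_message(form, recipient="webmaster@example.invalid"):
    """Build (headers, body) from a form dict; the recipient is fixed server-side."""
    sender = clean_address(form.get("from", ""), "from")
    subject = clean_single_line(form.get("subject", ""), "subject")
    headers = {"From": sender, "To": recipient, "Subject": subject}
    return headers, form.get("message", "")


def form_is_safe(form):
    """True if the form would produce a message, False if it was rejected."""
    try:
        build_message(form)
        return True
    except FormRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one honest submission, two abusive ones.
    honest = {"from": "alice@example.com", "subject": "hello", "message": "hi"}
    crlf = {"from": "alice@example.com\r\nBcc: spam-target@example.net",
            "subject": "x", "message": "x"}
    listed = {"from": "alice@example.com, bob@example.net", "subject": "x", "message": "x"}
    for label, form in (("honest", honest), ("crlf", crlf), ("list", listed)):
        print(label, "accepted" if form_is_safe(form) else "rejected")
```

The recipient is hard-coded on the server rather than read from a hidden form field; the latter is the other FormMail-era mistake, since a hidden field is just another user-controlled input.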

About Secure Coding

This page contains an archive of all entries posted to never-ever-****-with-my.net in the Secure Coding category. They are listed from newest to oldest.
