HackDig : Dig high-quality web security articles for hacker

Considerations on DMZ Design in 2016, Part 1

I’m currently involved in a “DMZ Redesign” effort in a sufficiently large enterprise (800+ hosts in “the DMZ”) and I thought this might be an opportunity to reflect on some aspects of “DMZ networks” in a series of posts. Some of you already know that, at ERNW, we have a tendency to discuss stuff starting with some f
Publish At:2016-08-27 07:30 | Read:4346 | Comments:0 | Tags:Uncategorized Design DMZ

‘Wicked’ Problems in Information Security

Incorporating security activities into the natural workflow of productive tasks makes it easier for people to adopt new technologies and ways of working, but it’s not necessarily enough to guarantee that you’ll be able to solve a particular security-usability issue. The reason for this is that such problems can be categorised as wicked. Rittel and Webber in ‘
Publish At:2016-08-22 14:25 | Read:4460 | Comments:0 | Tags:Featured Articles Design problem security solution usability

Security and Usability

Many employees find information security secondary to their normal day-to-day work, often leaving their organisation vulnerable to cyber attacks, particularly if they are stressed or tired. When users perform tasks that comply with their own mental models (i.e. the way that they view the world and how they expect it to work), the activities present less of a
Publish At:2016-08-16 12:00 | Read:3315 | Comments:0 | Tags:Featured Articles Design John Maeda security The Laws of Sim

AppSensor Guide v2.0.2

I have published an updated version of the OWASP AppSensor Guide, the guide to application-specific real time attack detection and response. The v2.0.2 AppSensor Guide is available free of charge digitally in DOC and PDF formats, and in print at cost from Lulu. This is a minor update that includes: Reference the extensive work on the reference code implementati
Publish At:2015-07-28 16:35 | Read:2917 | Comments:0 | Tags:testing development design threats technical specification m

Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel. The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (
Publish At:2015-07-07 17:20 | Read:3246 | Comments:0 | Tags:awareness legislation PCIDSS design technical specification

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers. Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections: Time-of-Check-Time-of-Use (TOCTOU) and race condition issues; Parameter manipulation; Replay attacks (capture-replay); Rounding issues; Numerical processing; Card number-relat
Publish At:2015-06-20 13:05 | Read:3245 | Comments:0 | Tags:testing development PCIDSS design threats technical specific

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation. OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful
Publish At:2015-06-15 13:30 | Read:2789 | Comments:0 | Tags:development design threats technical specification monitorin

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health. Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the u
Publish At:2015-06-02 19:55 | Read:2422 | Comments:0 | Tags:legislation administrative design technical privacy specific

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes. In a change to last year's report the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders. Jim Bird, Eric Johnson and Frank Kim a
Publish At:2015-05-18 09:00 | Read:3082 | Comments:0 | Tags:testing information assurance disposal development maturity

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre. With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organ
Publish At:2015-05-09 22:15 | Read:3725 | Comments:0 | Tags:requirements SDLC testing development owasp projects appsece

Snakes & Ladders Coming To Shoreditch

A week on Monday, on the 11th May, I will be speaking during the MAKE day at this year's Digital Shoreditch. The Digital Shoreditch Festival 2015 is a two week mass-community celebration with participants from the world of tech, creative, and all related industries, running from 11th to 24th May. The schedule for the main programme (11th-15th May) has a separ
Publish At:2015-05-01 16:30 | Read:2963 | Comments:0 | Tags:vulnerabilities design technical threats testing requirement

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities. The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developer
Publish At:2015-04-24 20:20 | Read:3756 | Comments:0 | Tags:incidents logging operation automation specification technic

Participate in the OWASP Project Summit in Amsterdam

The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference. A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with ot
Publish At:2015-03-31 15:30 | Read:3507 | Comments:0 | Tags:testing corrective operation maturity preventative technical

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response. During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host M
Publish At:2015-03-06 06:40 | Read:4291 | Comments:0 | Tags:corrective administrative specification technical threats op

User Interface Modifications to Combat Buyer Fraud

A paper published for the 2015 Network and Distributed System Security (NDSS) Symposium in February describes user interface modification techniques to address liar buyer fraud, and the results of experiments assessing the potential for these to reduce ecommerce fraud losses. Liar Buyer Fraud, and How to Curb It authors Markus Jakobsson, Hossein Siadati and M
Publish At:2015-03-03 14:50 | Read:2476 | Comments:0 | Tags:defense administrative preventative threats operation awaren
