AppSensor Guide v2.0.2

I have published an updated version of the OWASP AppSensor Guide, the guide to application-specific real-time attack detection and response. The v2.0.2 AppSensor Guide is available free of charge digitally in DOC and PDF formats, and in print at cost from Lulu. This is a minor update that includes: Reference the extensive work on the reference code implementati
Published: 2015-07-28 16:35 | Tags: testing development design threats technical specification m

Web Application Firewall Magic Quadrant 2015

Gartner has published an updated "magic quadrant" report about Web Application Firewall (WAF) vendors. Sixteen vendor offerings are assessed. To be included, the product has to be actively marketed, use techniques designed for web security, and not just use the attack-signature-based approach found in other devices such as next-generation firewalls and
Published: 2015-07-21 09:15 | Tags: threats technical firewalls corrective detective operation

HTTP Strict Transport Security (HSTS) Preload Lists

There is a growing wave of websites and other web applications that are now moving to be TLS-only (Transport Layer Security only, aka SSL-only). Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of an HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS
Published: 2015-07-07 17:20 | Tags: administrative SSL preventative technical operation policies
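The post above only names the HSTS header. As an added example (not code from the original post or from any preload list operator), the block below parses a Strict-Transport-Security header field the way RFC 6797 tells a user agent to, and then checks the resulting policy against the header-level conditions for preload submission. The minimum max-age value is an assumption: hstspreload.org currently asks for one year (31536000 seconds), whereas in 2015 the published minimum was 18 weeks (10886400 seconds). The header values are constructed samples, not captured from any real site.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and check the policy
against the header-level hstspreload.org submission requirements.

Hypothetical helper written for this listing; it is not code from the
original post. The numeric preload threshold below is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: hstspreload.org currently requires max-age of at least one
# year (31536000 s); in 2015 the published minimum was 18 weeks (10886400 s).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header_values: List[str]) -> Optional[HstsPolicy]:
    """Return the policy carried by the first STS header field, or None when
    the field is absent or malformed and a user agent would ignore it."""
    if not header_values:
        return None
    # RFC 6797 s8.1: if several STS fields arrive, only the first is processed.
    directives = {}
    for raw in header_values[0].split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                # max-age may be sent as a quoted-string
        if name in directives:
            return None                        # s6.1: each directive appears at most once
        directives[name] = value               # unknown directives are retained but ignored
    # max-age is the only required directive and must be a non-negative integer.
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in directives,
        preload="preload" in directives,
    )


def preload_issues(policy: Optional[HstsPolicy],
                   min_max_age: int = PRELOAD_MIN_MAX_AGE) -> List[str]:
    """List what stops this policy from being accepted for the preload list.
    Only header-level checks are covered; the site-level requirements
    (HTTP->HTTPS redirect, valid certificate, HTTPS on every subdomain)
    need live requests and are out of scope here."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    issues = []
    if policy.max_age < min_max_age:
        issues.append(f"max-age {policy.max_age} below minimum {min_max_age}")
    if not policy.include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not policy.preload:
        issues.append("preload directive missing")
    return issues


# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "ready":      ["max-age=31536000; includeSubDomains; preload"],
    "short":      ["max-age=10886400; includeSubDomains"],
    "quoted":     ['max-age="300"'],
    "no-max-age": ["includeSubDomains; preload"],
    "duplicate":  ["max-age=100; max-age=200"],
    # Second field is the good one, but only the first is ever processed.
    "two-fields": ["max-age=0", "max-age=31536000; includeSubDomains; preload"],
}

if __name__ == "__main__":
    for label, values in SAMPLES.items():
        policy = parse_sts(values)
        print(f"{label:11s} {policy} -> {preload_issues(policy) or 'preload-ready'}")
```

The "two-fields" sample is the case that bites in practice: a reverse proxy that appends its own header alongside the application's leaves the browser honouring whichever came first, and a `max-age=0` there silently switches the policy off.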

Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel. The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (
Published: 2015-07-07 17:20 | Tags: awareness legislation PCIDSS design technical specification

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers. Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections: Time-of-Check-Time-of-Use (TOCTOU) and race condition issues; Parameter manipulation; Replay attacks (capture-replay); Rounding issues; Numerical processing; Card number-relat
Published: 2015-06-20 13:05 | Tags: testing development PCIDSS design threats technical specific
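The "Rounding issues" section is only named above. As an added example (not code from the NCC paper or from the post), the block below shows the shape of the problem a tester looks for: a percentage fee rounded per transaction lets a customer change the total they pay simply by splitting one payment into many, and which direction the error goes depends on the rounding mode the developer picked. The fee scheme and the figures are constructed for illustration; the hardened variant keeps the ledger at full precision and rounds only the billed aggregate. The last function shows the float pitfall that often sits underneath such bugs.

```python
"""Rounding attack on a percentage fee: splitting one payment into many
small transactions changes the collected fee depending on rounding mode.

Hypothetical example written for this listing; the fee scheme and the
amounts are constructed and are not taken from the NCC paper.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN, ROUND_HALF_UP
from typing import Tuple

CENT = Decimal("0.01")


def _split(amount: Decimal, parts: int) -> Decimal:
    """Size of each of `parts` equal transactions; requires an exact cent split."""
    piece = amount / parts
    if piece != piece.quantize(CENT):
        raise ValueError("amount does not split into whole cents")
    return piece


def fee_for(amount: Decimal, rate: Decimal, rounding: str) -> Decimal:
    """Fee on one transaction, rounded to whole cents with the given mode."""
    return (amount * rate).quantize(CENT, rounding=rounding)


def total_fee_per_txn(amount: Decimal, rate: Decimal, parts: int,
                      rounding: str) -> Decimal:
    """Vulnerable design: each transaction's fee is rounded independently,
    so the customer controls the total fee through `parts`."""
    piece = _split(amount, parts)
    return sum((fee_for(piece, rate, rounding) for _ in range(parts)),
               Decimal("0.00"))


def total_fee_ledger(amount: Decimal, rate: Decimal, parts: int,
                     rounding: str) -> Decimal:
    """Hardened design: accumulate the exact fee and round once when the
    aggregate is billed, so the split no longer matters."""
    piece = _split(amount, parts)
    exact = sum((piece * rate for _ in range(parts)), Decimal("0"))
    return exact.quantize(CENT, rounding=rounding)


def float_vs_decimal_round() -> Tuple[float, Decimal]:
    """2.675 is not representable in binary floating point, so round()
    sees 2.67499... and gives 2.67; Decimal with an explicit mode gives 2.68."""
    return round(2.675, 2), Decimal("2.675").quantize(CENT, rounding=ROUND_HALF_UP)


# Constructed figures: a 1000.00 payment carrying a 0.5 % fee.
AMOUNT = Decimal("1000.00")
RATE = Decimal("0.005")

if __name__ == "__main__":
    for mode in (ROUND_DOWN, ROUND_HALF_EVEN, ROUND_HALF_UP):
        print(f"{mode:16s} single={total_fee_per_txn(AMOUNT, RATE, 1, mode)} "
              f"split x1000={total_fee_per_txn(AMOUNT, RATE, 1000, mode)} "
              f"ledger x1000={total_fee_ledger(AMOUNT, RATE, 1000, mode)}")
    print(float_vs_decimal_round())
```

With ROUND_DOWN or ROUND_HALF_EVEN the 1000 x 1.00 split pays no fee at all; with ROUND_HALF_UP it pays double. The ledger variant returns 5.00 in every mode, which is the property to test for: the fee on a set of transactions should not depend on how the set is partitioned.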

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation. The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful
Published: 2015-06-15 13:30 | Tags: development design threats technical specification monitorin

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health. Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the u
Published: 2015-06-02 19:55 | Tags: legislation administrative design technical privacy specific

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime. Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document
Published: 2015-05-28 05:05 | Tags: requirements legislation physical administrative preventativ

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes. In a change to last year's report, the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders. Jim Bird, Eric Johnson and Frank Kim a
Published: 2015-05-18 09:00 | Tags: testing information assurance disposal development maturity

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre. With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organ
Published: 2015-05-09 22:15 | Tags: requirements SDLC testing development owasp projects appsece

Snakes & Ladders Coming To Shoreditch

A week on Monday, on the 11th May, I will be speaking during the MAKE day at this year's Digital Shoreditch. The Digital Shoreditch Festival 2015 is a two week mass-community celebration with participants from the world of tech, creative, and all related industries, running from 11th to 24th May. The schedule for the main programme (11th-15th May) has a separ
Published: 2015-05-01 16:30 | Tags: vulnerabilities design technical threats testing requirement

Summary of Last Year's ICO Enforcement Action

PwC UK has published a summary of enforcement actions taken by the Information Commissioner's Office (ICO) in 2014. The Privacy and Security Enforcement Tracker 2014 summarises and comments on information originally published by the ICO on its web site concerning actions it has taken against organisations. This includes enforcement notices, monetary penalty n
Published: 2015-04-28 06:00 | Tags: administrative privacy corrective identity data protection t

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities. The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developer
Published: 2015-04-24 20:20 | Tags: incidents logging operation automation specification technic

Data Breach Investigations Report 2015

The Verizon annual Data Breach Investigations Report was published last week. The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations. A breakdown by industry sector is provided. The 2015 DBIR
Published: 2015-04-21 10:35 | Tags: vulnerabilities administrative incidents threats operation t

London Insurance Markets and Cyber Risk Insurance

The UK government has published a report on the role of insurance markets in managing and mitigating cyber risk. UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk describes how insurance can be another mechanism for cyber risk reduction, encouraging steps to reduce risk through reduced premiums, and providing insight from claims an
Published: 2015-04-17 08:35 | Tags: administrative technical corrective physical insurance
