Found: Nice OWASP Top 10 Cheat Sheet
I discovered this very useful, developer-centric cheat sheet for the OWASP Top 10 for 2010 (go directly to the pdf). It's nice and concise and gets straight to the simplest code fixes that will work. Memorize it and your code will be better than it was before. Better, stronger, faster...
Here's the current OWASP 2010 Top 10 list (this is release candidate 1, so it could change):
- Injection
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF)
- Security Misconfiguration
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
If you are a developer and you don't know what some of these security risks are and how to avoid them in your code, then you should be reading this: OWASP Top 10 2010 RC1 (pdf).
Be a Wizard of SSL
SSL Tricks and Tips
Many of the developers I've worked with treat SSL as if it's the carrier of a new and virulent plague or the product of evil magic. They duck and run for cover whenever the boss shows up looking for someone to battle a new error. Having not ducked fast enough, I've found myself face-to-face with SSL on many occasions, and have survived to overcome the intimidation factor and tell you that solving most SSL problems is a snap and anyone can learn to do it. By becoming the SSL go-to person in your IT department, you'll win fame and recognition as the great defender against evil magic. I reveal below these mysterious secrets of common SSL problems and some simple tricks and tips for solving them.
Expired Certificate
Probably the most common problem is that the certificate can expire. When the certificate expires, the site breaks. You can view the certificate in your browser to see the expiration date when you try to load a page that is using an expired certificate. This is usually accomplished by right clicking on something, and differs by browser, so I'll leave you to learn how to view the certificate in your preferred browser.
Solution: Purchase a new certificate and follow the instructions to install it.
If you have already purchased and installed a new certificate and you're still having problems, then it's likely a configuration issue, so check the "Certificate Configuration" section below.
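Rather than waiting for the site to break, the expiry date can be checked in code before the boss shows up. The example below is added here and is not from the original post; it classifies a certificate as ok, expiring, expired or not yet valid from the dict shape that Python's getpeercert() returns (the SAMPLE_CERT dict and the www.example.test name are constructed), and check_host fetches a live server's certificate when a network is available.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}


def cert_time(value):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" strings
    # that getpeercert() dicts carry; convert to an aware UTC datetime.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def expiry_status(cert, now=None, warn_days=30):
    """Classify a certificate's validity window at time `now`.

    Returns (status, days_left) where status is 'not_yet_valid',
    'expired', 'expiring' (within warn_days) or 'ok'; days_left goes
    negative once the notAfter date has passed.
    """
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Fetch the live certificate (needs network) and report its status.

    Verification stays on: an already-expired or untrusted chain makes the
    handshake fail, which is the same symptom users see in the browser.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return "verify_failed", str(err)
```

Run expiry_status from a scheduled job with warn_days set to your renewal lead time and you get the warning weeks before the expiry-day fire drill.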
Do You Verify Your Downloads?
Do you verify the integrity of your downloads?
I saw a notice announcing a new release of Apache Tomcat Native this morning, and when looking at the page, saw the usual notice, as follows:
"Use the links below to download Tomcat Native from one of our mirrors. You must verify the integrity of the downloaded files using signatures downloaded from our main distribution directory."
That made me wonder how many people who download actually do verify the integrity of their downloads? I know I do, but I've worked with developers who don't. It would be interesting to do a poll on that. I'd also be interested in knowing of any cases where the integrity verification failed. I've never had one fail.
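For developers who skip the step because it feels like busywork, here is what the integrity check amounts to. This is an added example, not code from the post or from the Tomcat project: it parses the checksum sidecar line that projects publish next to a release (both the coreutils "hex  filename" layout and the BSD "SHA512 (filename) = hex" layout), insists that the sidecar names the file being checked, and compares digests in constant time. The tarball bytes and the tomcat-native-src.tar.gz name in the test are constructed.

```python
import hashlib
import hmac
import os
import re

# Two layouts checksum sidecar files come in (regexes written for this example):
#   coreutils style: "<hex>  <filename>"  or  "<hex> *<filename>"
#   BSD style:       "SHA512 (<filename>) = <hex>"
BSD_RE = re.compile(r"^[A-Z0-9-]+\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$")
GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")


def parse_checksum_line(line):
    """Return (filename, lowercase hex digest) for one sidecar line, or None."""
    line = line.strip()
    m = BSD_RE.match(line) or GNU_RE.match(line)
    return (m.group("name"), m.group("hex").lower()) if m else None


def digest_bytes(data, algo="sha512"):
    return hashlib.new(algo, data).hexdigest()


def verify_bytes(data, filename, sidecar_text, algo="sha512"):
    """True only if the sidecar names this file AND the digest matches.

    The filename check matters: a sidecar fetched for a different artifact
    must not 'verify' this one just because it parses.
    """
    parsed = parse_checksum_line(sidecar_text)
    if parsed is None:
        return False
    name, expected = parsed
    if os.path.basename(name) != os.path.basename(filename):
        return False
    # Constant-time compare; a wrong algorithm also fails on digest length.
    return hmac.compare_digest(digest_bytes(data, algo), expected)


def verify_download(path, sidecar_path, algo="sha512"):
    """Verify an on-disk download against its checksum sidecar file."""
    with open(sidecar_path, encoding="utf-8") as f:
        first_line = f.read().strip().splitlines()[0]
    with open(path, "rb") as f:
        return verify_bytes(f.read(), os.path.basename(path), first_line, algo)
```

A checksum fetched from the same mirror as the artifact only catches corrupt or truncated downloads; the PGP signature check (gpg --verify against keys obtained from the main distribution site, not the mirror) is what protects against a mirror serving a tampered file and a matching sidecar.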
Top 25 Dangerous Programming Errors
Presenting the "CWE/SANS TOP 25 Most Dangerous Programming Errors" (more detail and pdf available here).
This is an excellent, excellent list of very common programming errors that can and should always be easily avoided by the use of common sense and paying attention to what we're doing. They're presented in three categories: Insecure Interaction Between Components (think XSS), Risky Resource Management, and Porous Defenses.
CATEGORY: Insecure Interaction Between Components
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
- CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
CATEGORY: Risky Resource Management
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
CATEGORY: Porous Defenses
- CWE-285: Improper Access Control (Authorization)
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security
Read the full article and please use this list on your next software project. If you need further information and/or assistance in securing your code, OWASP is a great resource; check them out and help to support them.
An Ode to SSL
SSL, oh SSL
you're not working very well
if only you were trouble-free
oh how happy I would be