Archive for 'application security'

Exploiting PDFs

This PoC from Didier Stevens clearly shows how stupid it is to allow PDFs to start new processes. We’ll end up creating bloated monsters like the current browsers to deal with these files. Can someone please “strip down” the PDF format to something that makes sense again? I wonder what happened to “pure data” formats; [...]

Theory != reality in Infosec too

I was reading a nice post from Gunnar Peterson about APTs. He’s making the point that everybody is excited about this “oh huge threat oh oh” stuff from the Google x China incident, but in fact we should be worried about properly engineering the systems we depend on. I like his analogy of blaming the big [...]

These are the vulnerabilities I’m worried about

For those who are addicted to vulnerability information feeds, you are probably already aware of the XML Libraries data parsing vulnerabilities. This is the kind of vulnerability that creeps me out. When you’ve got vulnerabilities related to easily identifiable software, like “Windows 2008”, “Firefox 3.5” or “Java Runtime Environment 6”, it is easy to [...]

Blind SQL Injection, or passing the elephant through the needle hole

This SANS Diary entry from Bojan Zdrnja is a very good explanation about how an apparently non-exploitable SQL Injection condition can be used to get important information from the database. Just by looking at one of the sample injected SQL statements you can see how complex a SQL Injection attack can be: event = tr’ [...]

Interesting webinar from IBM

IBM has scheduled an interesting webinar for April 15th. I don’t know if it will be entirely “see how nice our product’s features are”, but as I’ve been recently blogging about how middleware happens to be a frequent blind spot, that may be something interesting to follow. You can also see some interesting posts from [...]

Web Application Security, what about your logs?

As usual, another very nice post from Mike Rothman, this time about application security. He is mentioning the BSI-MM model, that I mentioned here too in the context of measuring the outcome of security measures. Mike also mentioned, again, the need to REACT FASTER (have I said how nice his “Pragmatic CSO” stuff is?) and [...]

Can good programmers be part of a SDLC?

I’ve just read this small article from Paul Graham, called “The other half of ‘Artists Ship’”. The key point of the text is this: “For good programmers, one of the best things about working for a startup is that there are few checks on releases. In true startups, there are no external checks at all. If [...]

Mogull on adaptive Auth and AuthZ

Richard Mogull mentions on his blog today the concepts of adaptive Authentication and Authorization. In short, from his post: “User: This is an area I intend to talk about in much greater depth later on. Basically, right now we rely on static authentication (a single set of credentials to provide access) and I think we [...]

Victor is back

My friend Victor is back to the blogosphere. He built a blog platform just for his new blog, Visigodos.org. He blogs about a series of things, but mostly on software development and security. His last post (VP, you need to develop something to link directly to a specific post!) about vulnerabilities related to debugging code [...]

“Hanging on the wall” posting of the week

I really promised myself that I would avoid “look at this post from X” posts here. But today is Friday and I’ve just read something that was so perfectly written and fun that I will break that promise: Read this, from Gunnar Peterson!