Posted by Brett Hardin on 6th July 2009

When developing a security strategy for web applications many companies have no idea where to begin. The Open Web Application Security Project (OWASP) understood this problem and developed the OWASP Top 10.
The OWASP Top 10 lists the ten most common vulnerability categories found in web applications. If you have an hour, or don’t want to read all of these posts, you can simply watch a video.
If you are a developer, you should understand these vulnerabilities. Understanding them is critical to introducing fewer vulnerabilities into your code.
The OWASP Top 10:
A1 – Cross Site Scripting (XSS)
A2 – Injection Flaws
A3 – Malicious File Execution
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access
Posted by Brett Hardin on 20th May 2009
Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the “5 Key Factors of Complexity.”
He identifies the key cause of compromise as human nature: the susceptibility of humans to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are “resistant to human frailty.” He goes on to state that designing these systems (by reducing complexity) is difficult.
According to Mr. Truskowski, the 5 key factors of complexity, and the key to designing these systems, are:
- Threats
- Compliance
- Technology
- Economics
- Business Needs
Unlike security vendors, businesses have to stay focused on all of these factors or they will be unsuccessful. Vendors, however, according to Mr. Truskowski, are focused on only one of these factors… threats. He argues that if an enterprise doesn’t focus on compliance, it is fined; if a business doesn’t focus on business needs, the business can’t change.
“It’s like building the Titanic. The ship’s designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years over why the Titanic sank, from brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn’t get out of the way of the iceberg. The Titanic’s designers focused on size, strength, resilience, and luxury but not on maneuverability.”
I think Mr. Truskowski’s talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.
The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)