Smart Security Shop

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 20 October 2006

Design Considerations for Security

Posted on 00:31 by Unknown
1. Do not trust on Client-User Input. Security decisions should not rely on client-side validations; they are made on the server side

2. Identify application to fail gracefully. An approach to exception management should be such that does not reveal any internal software information.

3. Partition the application into public accessible and restricted areas. Isolate higher privileged sections of the application.

4. Granular authorization check for pages and directories.

5. Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security

6. Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores
Read More
Posted in Design, Security | No comments

Thursday, 12 October 2006

Firefox popups

Posted on 00:22 by Unknown
Firefox popups

Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see occasional popups.

It turns out that some clever people figured out that you could launch popups from Flash, getting around the Firefox default settings.

Fortunately, you can get around it:

1. Type about:config into the Firefox location bar.
2. Right-click on the page and select New and then Integer.
3. Name it privacy.popups.disable_from_plugins
4. Set the value to 2.

The possible values are:

* 0: Allow all popups from plugins.
* 1: Allow popups, but limit them to dom.popup_maximum.
* 2: Block popups from plugins.
* 3: Block popups from plugins, even on whitelisted sites.
Read More
Posted in Browsers, Internet | No comments

Wednesday, 11 October 2006

Perspective of Performance and Security in IT

Posted on 23:32 by Unknown

Performance and security are like brothers in IT. They are similar and yet they fight each other at times.

Both performance and security are important inherent qualities in IT systems. Who would not want a fast and secured IT system? You want your home computer to be fast and secured. The bank CEO wants his Internet banking system to be fast and secured for his customers.

This was a very nice article on ACE Team Blog. If you wish to read more...

Here it is: http://blogs.msdn.com/ace_team/archive/2006/07/03/655524.aspx
Read More
Posted in Load Testing, Performance Testing, Security | No comments

The Oracle Global Product Security Blog

Posted on 22:01 by Unknown
Have you ever seen this?

The Oracle Global Product Security Blog

Oracle getting committed on security by providing rating to vulnerabilities at the security blog...:)

Security researchers have criticized Oracle in the past for the time the company has taken to fix vulnerabilities.

In July 2005, security experts at Red Database Security outed six flaws, claiming that the company had more than 650 days to fix the security issues.


Peter Finnigan, who first noted the change in policy has provided a great list of tools for auditing and testing oracle databases. If you get a chance, do visit his site at :
http://www.petefinnigan.com

Read More
Posted in Security | No comments

Developing More-Secure Microsoft® ASP.NET 2.0 Applications Now Available

Posted on 21:57 by Unknown
A new book in the Secure Software Development Series, this time from Dominick Baier is now available from Microsoft Press.

It covers ASP.NET 2.0 security features as well as security defenses and design and coding best practices. There’s also a chapter on the not-so-well-understood aspect of building and deploying least-privilege and partial trust ASP.NET 2.0 applications. This is a must-read chapter for Web site hosters.

You can get more info about the book here.
Read More
Posted in Security | No comments

Monday, 9 October 2006

Posted on 01:46 by Unknown
Spoofing threats are usually associated with a wily hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security.

Tampering with data involves the malicious modification of system or user data with or without detection.

Repudiation threats are associated with users—malicious or otherwise—who can deny performing an action without administrators having any way to prove otherwise. An example of a reputability threat is a user performing an illegal operation in a system that lacks the ability to trace such operations.

Information disclosure threats involve the compromising of private or business-critical information through the exposure of that information to individuals who are not supposed to see it.

Denial of service (DoS) threats when carried out deny service to valid users—for example, by making the system temporarily unavailable or unusable or by forcing a reboot or restart of the user’s machine.

Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
Read More
Posted in Security | No comments
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)

Popular Posts

  • Registrations for OWASP Mumbai Meet [31st July 15:00hrs]
    Hi All, Everyone is welcome to join us at our next chapter meet to be held on Monday , 31 st of July. Registrations for the eve...
  • Free Web Proxy List
    A web proxy is becoming more and more important in todays internet. Schools and Companys tend to block sites pretty quickly nowadays, especi...
  • How do you use RSA for both authentication and secrecy?
    RSA is based upon public key/private key concept. For authentication one can encrypt the hash (MD5/SHA) of the data with a private key. This...
  • Does the code use MapPath?
    Review code for the use of MapPath. MapPath should be used to map the virtual path in the requested URL to a physical path on the server to ...
  • New Rogue Security Product: Smart Antivirus 2009
    Smart Antivirus 2009 is a new rogue security product and a near clone of AntiSpyware 2008 Smart Antivirus 2009 Home page Typical fake/Scare ...
  • Impersonation without Windows Authentication
    How to Impersonate the Original Caller without Windows Authentication When using non-windows authentication like Certificate Authentication ...
  • Firefox popups
    Firefox popups Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see oc...
  • Spam - It also impacts the environment
    McAfee has released The Carbon Footprint of Email Spam Report . The study looks at the global energy expended to create, store, view, and fi...
  • Botnet Attack Details from Kaspersky
    One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The st...
  • Can Security be incorporated in the Computer Science & IT courses?
    Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT softwa...

Categories

  • Account Lockout
  • Anti-XSS
  • Antivirus
  • Application Security
  • AppSec Conference
  • ASP.NET
  • Attacks
  • Authentication
  • Banks
  • Botnets
  • Break
  • Broadband
  • Browsers
  • Change Management
  • Citibank
  • Clear Text Secrets
  • Computer Performance
  • Computer Security
  • Credit Card
  • Cyber Security
  • Cyber Terrorism and Economy
  • Data Validation
  • Database Security
  • Defragmentation
  • Design
  • Developer Training
  • Development Tools
  • DSS
  • eCrime
  • Education
  • Encryption
  • Ettercap
  • Exchange 2007
  • facebook
  • Frauds
  • Google Hacking
  • Hacking
  • ICICI Bank
  • India Leaders
  • Internet
  • IRCTC
  • Java
  • Legal
  • Live Demo
  • Load Testing
  • Mail Security
  • Malware
  • Mastek
  • Message Security
  • Mobile Security
  • Money Laundering
  • News
  • one time password
  • Online
  • Oracle
  • OWASP
  • PC Errors
  • PCI
  • Performance Testing
  • Phishing
  • Popular Posts
  • Punishment
  • Requirement Engineering
  • Retail
  • Rouge
  • Routers
  • Rugged
  • Security
  • Security Industry
  • Security Management
  • Security Requirements
  • Security Tools
  • Sensitive Data
  • Sniffing
  • Social Networking
  • Software Industry
  • Solutions Community
  • Spams
  • SQL Injection
  • SSL
  • Sudhakar Ram
  • Summer of Code
  • SUN
  • Technology
  • Testing
  • Thick Client Security
  • Third Wave
  • Times of India
  • Typo Squatting
  • UI Security
  • University Programs
  • Virtual Keyboard
  • Virtualization
  • WCF 3.5
  • Web 2.0
  • Web Applications
  • Web Security
  • Web Services
  • WiFi
  • Windows
  • Workshops
  • X.509 Certificates
  • XSS

Blog Archive

  • ►  2011 (5)
    • ►  September (1)
    • ►  July (2)
    • ►  March (2)
  • ►  2010 (5)
    • ►  November (1)
    • ►  June (1)
    • ►  March (1)
    • ►  January (2)
  • ►  2009 (19)
    • ►  December (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (1)
    • ►  July (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (4)
    • ►  March (2)
    • ►  February (2)
    • ►  January (2)
  • ►  2008 (29)
    • ►  December (7)
    • ►  November (2)
    • ►  September (3)
    • ►  August (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (2)
    • ►  April (3)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (29)
    • ►  December (2)
    • ►  November (3)
    • ►  October (11)
    • ►  September (5)
    • ►  August (2)
    • ►  July (1)
    • ►  June (1)
    • ►  April (1)
    • ►  March (1)
    • ►  February (1)
    • ►  January (1)
  • ▼  2006 (36)
    • ►  December (1)
    • ►  November (3)
    • ▼  October (6)
      • Design Considerations for Security
      • Firefox popups
      • Perspective of Performance and Security in IT
      • The Oracle Global Product Security Blog
      • Developing More-Secure Microsoft® ASP.NET 2.0 Appl...
      • Spoofing threats are usually associated with a wil...
    • ►  September (3)
    • ►  August (4)
    • ►  July (3)
    • ►  June (1)
    • ►  May (5)
    • ►  April (2)
    • ►  March (4)
    • ►  February (1)
    • ►  January (3)
  • ►  2005 (20)
    • ►  December (6)
    • ►  November (14)
Powered by Blogger.

About Me

Unknown
View my complete profile