Smart Security Shop


Friday, 20 October 2006

Design Considerations for Security

Posted on 00:31 by Unknown
1. Do not trust client-side (user) input. Security decisions must not rely on client-side validation; they are made on the server side.

2. Design the application to fail gracefully. The exception-management approach should not reveal any internal software information.

3. Partition the application into publicly accessible and restricted areas. Isolate the higher-privileged sections of the application.

4. Apply granular authorization checks to pages and directories.

5. Partition web controls, user controls, and resource-access code into their own assemblies for granular security.

6. Identify mechanisms to secure credentials, authentication tickets, and other sensitive information over the network and in persistent stores.
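A compact illustration of the first four points, added here as an example and not code from the post: a hypothetical request handler (the names `handle`, `_authorize`, `_load_item`, the path prefixes and the role names are all assumptions) that validates on the server, checks authorization per partitioned area, and answers failures with a generic message while logging the detail internally.

```python
import logging
import re

# Added example, not from the original post. Demonstrates server-side
# validation, public/restricted partitioning with per-path authorization,
# and graceful failure that hides internal details from the client.

log = logging.getLogger("app")

# Partitioned areas: public paths need no role; restricted paths require one.
PUBLIC_PREFIXES = ("/catalog/",)
RESTRICTED = {"/admin/": "admin", "/account/": "user"}

# Server-side rule for the 'id' parameter: 1 to 9 digits, nothing else.
_ID_RE = re.compile(r"^[0-9]{1,9}$")


def _authorize(path, roles):
    """Return True if the caller's roles allow access to this path."""
    if path.startswith(PUBLIC_PREFIXES):
        return True
    for prefix, needed in RESTRICTED.items():
        if path.startswith(prefix):
            return needed in roles
    return False  # unknown area: deny by default


def _load_item(item_id):
    """Stand-in for a data-access layer; one record is deliberately 'corrupt'."""
    if item_id == 13:
        raise RuntimeError("db: row 13 at /srv/db/items.dat corrupt")
    return {"id": item_id, "price_cents": item_id * 100}


def handle(path, params, roles=()):
    """Dispatch a request; returns (status, body) like a tiny web framework."""
    if not _authorize(path, roles):
        return 403, {"error": "forbidden"}
    # Server-side validation: any 'validated' flag the client sent is ignored.
    raw = params.get("id", "")
    if not _ID_RE.match(raw):
        return 400, {"error": "invalid id"}
    try:
        return 200, _load_item(int(raw))
    except Exception:
        # Full detail (path, stack, file names) goes to the server log only;
        # the client receives a generic error with no internal information.
        log.exception("unhandled error for %s", path)
        return 500, {"error": "internal error"}
```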
Posted in Design, Security | No comments

Thursday, 12 October 2006

Firefox popups

Posted on 00:22 by Unknown
Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see occasional popups.

It turns out that some clever people figured out that you could launch popups from Flash, getting around the Firefox default settings.

Fortunately, you can get around it:

1. Type about:config into the Firefox location bar.
2. Right-click on the page and select New and then Integer.
3. Name it privacy.popups.disable_from_plugins
4. Set the value to 2.

The possible values are:

* 0: Allow all popups from plugins.
* 1: Allow popups, but limit them to dom.popup_maximum.
* 2: Block popups from plugins.
* 3: Block popups from plugins, even on whitelisted sites.
Posted in Browsers, Internet | No comments

Wednesday, 11 October 2006

Perspective of Performance and Security in IT

Posted on 23:32 by Unknown

Performance and security are like brothers in IT. They are similar and yet they fight each other at times.

Both performance and security are important inherent qualities of IT systems. Who would not want a fast and secure IT system? You want your home computer to be fast and secure. The bank CEO wants his Internet banking system to be fast and secure for his customers.

This was a very nice article on the ACE Team Blog. If you wish to read more, here it is:

http://blogs.msdn.com/ace_team/archive/2006/07/03/655524.aspx
Posted in Load Testing, Performance Testing, Security | No comments

The Oracle Global Product Security Blog

Posted on 22:01 by Unknown
Have you ever seen this?

The Oracle Global Product Security Blog

Oracle is showing its commitment to security by rating vulnerabilities on the security blog. :)

Security researchers have criticized Oracle in the past for the time the company has taken to fix vulnerabilities.

In July 2005, security experts at Red Database Security outed six flaws, claiming that the company had more than 650 days to fix the security issues.


Peter Finnigan, who first noted the change in policy, has provided a great list of tools for auditing and testing Oracle databases. If you get a chance, do visit his site at:
http://www.petefinnigan.com

Posted in Security | No comments

Developing More-Secure Microsoft® ASP.NET 2.0 Applications Now Available

Posted on 21:57 by Unknown
A new book in the Secure Software Development Series, this time from Dominick Baier, is now available from Microsoft Press.

It covers ASP.NET 2.0 security features as well as security defenses and design and coding best practices. There’s also a chapter on the not-so-well-understood aspect of building and deploying least-privilege and partial trust ASP.NET 2.0 applications. This is a must-read chapter for Web site hosters.

You can get more info about the book here.
Posted in Security | No comments

Monday, 9 October 2006

Posted on 01:46 by Unknown
Spoofing threats are usually associated with a wily hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security.

Tampering with data involves the malicious modification of system or user data with or without detection.

Repudiation threats are associated with users—malicious or otherwise—who can deny performing an action without administrators having any way to prove otherwise. An example of a repudiation threat is a user performing an illegal operation in a system that lacks the ability to trace such operations.

Information disclosure threats involve the compromising of private or business-critical information through the exposure of that information to individuals who are not supposed to see it.

Denial of service (DoS) threats, when carried out, deny service to valid users—for example, by making the system temporarily unavailable or unusable, or by forcing a reboot or restart of the user’s machine.

Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
Posted in Security | No comments