CGISecurity - Website and Application Security News

CGISecurity - Website and Application Security News http://www.cgisecurity.net/ http://images.cgisecurity.com/i/rss.gif All things related to website, database, SDL, and application security since 2000. en-US 2008-11-19T10:28:12-08:00 Automated security testing & its limitations http://www.cgisecurity.net/2008/11/automated-secur.html "The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers.. The problem with automated testers, is, simply put, they are not human. That is they will not have intuition that a given... Reviews Security Tools Robert 2008-11-19T10:28:12-08:00 Metasploit Framework 3.2 Released http://www.cgisecurity.net/2008/11/metasploit-fram.html "Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 -- The Metasploit Projectannounced today the free, world-wide availability of version 3.2 oftheir exploit development and attack framework. The latest versionis provided under a true open source software license (BSD) and is backed by a community-based development... Security Tools Robert 2008-11-19T09:33:14-08:00 Microsoft to offer free Antivirus http://www.cgisecurity.net/2008/11/microsoft-to-of.html "Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker... IndustryNews Vendors Worms Robert 2008-11-19T09:11:06-08:00 Understanding How to Use the Microsoft's Exploitability Index http://www.cgisecurity.net/2008/11/understanding-h.html "On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment... Defense SDL Vendors Robert 2008-11-18T09:58:47-08:00 Integrity-178B Secure OS Gets Highest NSA Rating, Goes Commercial http://www.cgisecurity.net/2008/11/integrity-178b.html "An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company... Defense IndustryNews Robert 2008-11-18T09:22:35-08:00 MS explains 7-year patch delay http://www.cgisecurity.net/2008/11/ms-explains-7-y.html "Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult... IndustryNews Vendors Robert 2008-11-17T10:03:57-08:00 Firefox 3.0.4 Released to address multiple security flaws http://www.cgisecurity.net/2008/11/firefox-304-rel.html A handful of security vulnerabilities have been fixed in the latest version of firefox. Fixed in Firefox 3.0.4 MFSA 2008-58 Parsing error in E4X default namespaceMFSA 2008-57 -moz-binding property bypasses security checks on codebase principalsMFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violationMFSA 2008-55 Crash and remote code execution in nsFrameManagerMFSA 2008-54 Buffer overflow in... Browsers IndustryNews Robert 2008-11-13T10:11:34-08:00 .NET Framework rootkits - backdoors inside your framework http://www.cgisecurity.net/2008/11/net-framework-r.html "The paper introduces a new method that enables an attacker to change the.NET language, and to hide malicious code inside its core. It covers various ways to develop rootkits for the .NET framework, sothat every EXE/DLL that runs on a modified Framework will behavedifferently than what it's supposed to do. Code... Research Robert 2008-11-13T09:24:51-08:00 DNS inventor blames wrangling for insecure interweb http://www.cgisecurity.net/2008/11/dns-inventor-bl.html "DNSSec (Domain Name System Security Extension), which uses digital signatures to guard against forged requests, offers a means of making internet naming systems more secure. But even 15 years after the standard was developed its adoption remains low. Mockapetris blames problems in making the technology easy to deploy, delays in developing... IndustryNews Robert 2008-11-12T12:33:50-08:00 Visa Card Features Buttons and Screen to Generate CCV Dynamically http://www.cgisecurity.net/2008/11/visa-card-featu.html A co worker sent me this link yesterday afternoon. "Using what appears to be Visa's mutant hybrid of a credit card and a pocket calculator, users can enter their PIN into the card itself and have a security code generated on the fly. The method can stop thieves in two ways.... IndustryNews Research Robert 2008-11-12T09:51:07-08:00