Adobe RoboHelp XSS
Filed under: Security
Adobe announced yesterday that they have made available 2 updates for the Adobe RoboHelp product. There were multiple cross site scripting (XSS) and content spoofing vulnerabilities that were patched. Adobe has details about the update and the patch available at: http://www.adobe.com/support/security/bulletins/apsb10-23.html. It is recommended to update your RoboHelp installations and re-deploy ...
SQL Injection: Common Mistake
Filed under: Security
One of the most common suggestions for remediating SQL Injection vulnerabilities is to use stored procedures. Using stored procedures can help decrease the risk of SQL Injection, but if implemented incorrectly, it can create a false sense of security. For example, look at the created stored procedure below: CREATE PROCEDURE dbo.usp_IsValidUser ( @UserName ...
Frame Busting
An often overlooked security feature for a web application is to not allow the application (especially the login screen) to be embedded in a frame. This is often referred to as “frame busting”. In some browsers, it is possible to capture the keystrokes in one frame, from the parent window. This would be a problem with ...
Microsoft SDL Version 5 Released
Filed under: Development, Security
The latest update to Microsoft's Security Development Lifecycle (SDL) was released on March 31, 2010. You can download the Microsoft SDL V. 5 from here. This version has many updates around agile SDL practices. Building a secure SDLC is a priority concern for many development organizations today. Microsoft ...
ASP.Net Custom Headers
Filed under: Development, Security
Have you ever taken the time to look at the headers that are returned from your ASP.Net application? If you have, you may have noticed the following two headers that are added for ASP.Net: X-Powered-By: ASP.Net X-AspNet-Version: x.x.xxxx (the version of .Net used for the application) Many people ask how to remove these two headers from the ...
Security Abstraction: How much is too much?
Filed under: Development, Security
I was having a conversation the other morning with a colleague and we were discussing how much security an enterprise web application developer should be exposed to. This topic has come up in numerous conversations over the past year or so and it is still debatable. The question is how much abstraction should, ...
Simplified SDL
Filed under: Development, Security
Last week Microsoft provided a document outlining a 'Simplified Implementation of the Microsoft SDL'. This document provides the required information for minimum SDL compliance. At 17 pages, it is a quick, yet detailed, read. The Secure Development Lifecycle is not just for Microsoft projects, and can be used with any language. Microsoft has even updated ...
Securing If Statements
Filed under: Development, Security
While recently reviewing the details of the GSSP-.NET certification, I came across the topic of “securely formed if and while statements.” At first, I was a little confused about what this really meant. I believe that a securely formed ‘if’ statement would be one that has the constant on the left, rather than the right. ...
HTMLAttributeEncode Framework differences
Filed under: Development, Security
I have done a few posts regarding Cross Site Scripting and how to protect against it. I came across an interesting item today comparing the output of HTMLAttributeEncode between .Net 1.1 and 2.0+. I thought it would be a good idea to dig a little deeper into how the encoding really works. The .Net 1.1 ...
Microsoft Introduces Quick Security References
Filed under: Security
Yesterday, Microsoft released two new Quick Security References (QSR’s) to help application development teams understand Security issues. These new guides are the first part of a continuing series to help multiple roles within the team understand common vulnerabilities. Not only do they provide great detail on the security issues, but they also help teams move ...