Main | June 2007 »

May 2007

May 30, 2007

Playing in the Sandbox

According to this eWeek article, Google has just bought Internet security startup GreenBorder Technologies Inc.

Here’s an excerpt from the article:

GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer users surfs the Web, then discards the resulting data once the user is finished surfing.

The article then goes on to describe the technology:

The technology creates a secure zone, called a sandbox, for online interaction. "Any type of activity and interaction, while you are on the Internet, will be directed to the protected environment," according to GreenBorder's site.

Out of the many ways to protect end users from malware, viruses and other types of malicious content, I am a strong supporter of this specific positive approach, and am very surprised (and saddened) to see that desktop anti-virus vendors have mostly decided to disregard this approach, and stick mainly to negative (signature-based) solutions.

Continue reading "Playing in the Sandbox" »

Posted by on May 30, 2007 in Info Bits | | Comments (2) | TrackBack (1)

| |

May 29, 2007

What The Fuzz Are You Talking About?!

Last week, I attended the OWASP (Israel) mini-conference, which included some very interesting presentations (one of which was our own Overtaking Google Desktop).

One specific presentation that caught my attention was "Fuzzing in Microsoft and FuzzGuru framework". The presentation was given by John Neystadt, Microsoft’s lead program manager for the Forefront Edge product (aka ISA server).

Continue reading "What The Fuzz Are You Talking About?!" »

Posted by on May 29, 2007 in Info Bits | | Comments (0) | TrackBack (0)

| |

May 28, 2007

Man Vs. Machine

Or: how to avoid the Assembly Line Syndrome

Recently, I’ve heard several security experts talk about the efficiency of automated web application scanners. Specifically, they raise claims that automated scanners are only good for:


  • "Low Hanging Fruits" vulnerabilities
  • "Technical vulnerabilities"

They all say that automated scanners cannot handle the "logical vulnerabilities". I thought it might be a good time/place to explain the difference between the types of vulnerabilities, and to explain why I think that every healthy security review of an application, should always contain both automated and manual assessments.

Continue reading "Man Vs. Machine" »

Posted by on May 28, 2007 in Web Application Scanners | | Comments (5) | TrackBack (0)

| |

May 27, 2007

There's a reason they call it the OWASP Top 10

During the time I have spent in the security industry, I have seen many hypes come and go (Gartner call it Hype Cycles).


Gartner's Hype Cycle Graph
Gartner's Hype Cycle Graph

Here are a few examples from our own field:

Frankly, I believe that each of the aforementioned topics deserves the market's attention, but not in the form of a hype.

Continue reading "There's a reason they call it the OWASP Top 10" »

Posted by on May 27, 2007 in Hypes | | Comments (0) | TrackBack (0)

| |

May 18, 2007

Threat Classification

or: How I Learned to Stop Worrying and Love Web Application Threat Classifications

While working on the WASC Threat Classification v2.0 project, I got to think about the subject of classifying web application threats once again… You see, I have been dealing with Web Application Security Threat Classification since I started working on AppScan, approximately 7 years ago. back then (the Sanctum days), things were a lot simpler, the threat classes that were used in the product and in presentations, were proprietary, and were invented mainly for educational and marketing purposes.

Continue reading "Threat Classification" »

Posted by on May 18, 2007 in Web Application Threat Classification | | Comments (0) | TrackBack (0)

| |

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan