The IBM Application Security Insider is a blog devoted to dissecting today’s latest industry trends, observations and evolving threats in the growing web application security industry.
The IBM AppScan portfolio provides web application security and compliance solutions that pinpoint vulnerabilities and help manage the process of fixing them.
According to this eWeek article, Google has just bought Internet security startup GreenBorder Technologies Inc.
Here’s an excerpt from the article:
GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer user surfs the Web, then discards the resulting data once the user is finished surfing.
The article then goes on to describe the technology:
The technology creates a secure zone, called a sandbox, for online interaction. "Any type of activity and interaction, while you are on the Internet, will be directed to the protected environment," according to GreenBorder's site.
Out of the many ways to protect end users from malware, viruses and other types of malicious content, I am a strong supporter of this specific positive approach, and am very surprised (and saddened) to see that desktop anti-virus vendors have mostly decided to disregard this approach, and stick mainly to negative (signature-based) solutions.
Recently, I’ve heard several security experts talk about the efficiency of automated web application scanners. Specifically, they claim that automated scanners are only good for:
"Low Hanging Fruits" vulnerabilities
"Technical vulnerabilities"
They all say that automated scanners cannot handle the "logical vulnerabilities". I thought it might be a good time and place to explain the difference between the types of vulnerabilities, and to explain why I think that every healthy security review of an application should always contain both automated and manual assessments.
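To make the technical-versus-logical distinction concrete, here is an added example (not code from the original post or from AppScan) built around a hypothetical, constructed two-handler shop application. One handler carries a technical flaw (SQL built by string concatenation); the other carries a logical flaw (a negative quantity credits the customer). A deliberately generic scanner that only fuzzes parameters and matches error signatures flags the first and stays silent on the second, because the second produces a perfectly well-formed "200" response; only a check that encodes the business rule catches it. The class, endpoint, signature and payload names are all assumptions made for the illustration.

```python
import re
import sqlite3

# --- Constructed target application (hypothetical, for illustration only) ---

class ShopApp:
    """Tiny in-process stand-in for a web application with two handlers."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE users(id INTEGER, name TEXT);"
            "INSERT INTO users VALUES (1,'alice'),(2,'bob');"
            "CREATE TABLE products(id INTEGER, price INTEGER);"
            "INSERT INTO products VALUES (100, 25);"
        )

    def user_lookup(self, user_id: str) -> str:
        """Technical flaw: SQL built by string concatenation (SQL injection)."""
        try:
            rows = self.db.execute(
                "SELECT name FROM users WHERE id = " + user_id).fetchall()
            return "200 " + ",".join(r[0] for r in rows)
        except sqlite3.Error as e:
            return "500 " + str(e)   # database error text leaks into the response

    def checkout(self, product_id: str, qty: str) -> str:
        """Logical flaw: the SQL is parameterised and the input parses cleanly,
        but the business rule 'quantity must be positive' is never enforced,
        so a negative quantity credits the customer instead of charging them."""
        try:
            n = int(qty)
        except ValueError:
            return "400 bad quantity"
        row = self.db.execute(
            "SELECT price FROM products WHERE id = ?", (product_id,)).fetchone()
        if row is None:
            return "404 no such product"
        return f"200 charged {row[0] * n}"


# --- A minimal generic scanner: fuzz each parameter, match error signatures ---

# Assumed signature list; a real scanner carries many more patterns.
ERROR_SIGNATURES = re.compile(r"syntax error|unrecognized token|near \"", re.I)
PAYLOADS = ["'", "1'", "-1", "0", "99999999"]

def scan(app: ShopApp) -> list:
    """Return (endpoint, parameter) pairs whose response to a probe matched a
    known error signature. The scanner knows nothing about what each endpoint
    is supposed to do, so a well-formed 200 response is never a finding."""
    endpoints = [
        ("user_lookup", {"user_id": "1"},
         lambda p: app.user_lookup(p["user_id"])),
        ("checkout", {"product_id": "100", "qty": "1"},
         lambda p: app.checkout(p["product_id"], p["qty"])),
    ]
    findings = []
    for name, base, call in endpoints:
        for param in base:
            for payload in PAYLOADS:
                probe = dict(base, **{param: payload})
                if ERROR_SIGNATURES.search(call(probe)):
                    findings.append((name, param))
                    break
    return findings


# --- A manual check encoding the business rule the scanner cannot know ---

def violates_business_rule(app: ShopApp) -> bool:
    """A reviewer who knows 'checkout must never credit the customer' can
    express that rule directly; the scanner has no way to infer it."""
    resp = app.checkout("100", "-1")
    amount = int(resp.split()[-1])
    return resp.startswith("200") and amount < 0


if __name__ == "__main__":
    app = ShopApp()
    print("scanner findings:", scan(app))        # flags user_lookup/user_id only
    print("logic flaw present:", violates_business_rule(app))
```

The scanner's only signal is the error text that the concatenated query leaks; the checkout handler answers every probe with a clean 200, 400 or 404, so nothing in its responses distinguishes "charged -25" from a legitimate order. That is exactly why a review that stops at the automated pass misses the class of bugs the experts call logical, and why the manual step has to be done by someone who knows what the application is meant to do.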
or: How I Learned to Stop Worrying and Love Web Application Threat Classifications
While working on the WASC Threat Classification v2.0 project, I got to think about the subject of classifying web application threats once again…
You see, I have been dealing with Web Application Security Threat Classification since I started working on AppScan, approximately 7 years ago. Back then (the Sanctum days), things were a lot simpler: the threat classes that were used in the product and in presentations were proprietary, and were invented mainly for educational and marketing purposes.