Penetration testing is as popular as ever, yet it continues to miss the mark. As a means of validating the security of an application system, it fails miserably on several counts.
I continue to find organizations that make extensive use of penetration testing as their primary means of security testing systems before they go live, or periodically while they are in production. There are a myriad of problems with this approach, but I’d like to address one in particular here that you likely haven’t considered.
This article looks at some of the issues with doing penetration testing. Do you do penetration testing on your applications?
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
This article looks at the web testing framework live CD called Samurai. It has some interesting features, so check it out. Do you use any other Linux security live CDs?
Today we're going to take a look at a topic that most people are probably familiar with to one degree or another. To use the dictionary definition, steganography is the art of "hiding a secret message within a larger one in such a way that others can not discern the presence or contents of the hidden message."
I find steganography to be an interesting part of computer security. It's not as popular as encryption, but it does have some uses. This article discusses the basics of this technique.
The Metasploit Project develops a set of security tools to create and execute exploit code on remote computers. Some people say Metasploit makes the job easier for black hat hackers who attack networks looking for vulnerabilities to take advantage of; others say the tool helps network security administrators do a better job of finding and repairing weaknesses before the bad guys get to them. H.D. Moore, the 20-something creator of the Metasploit Project, says it all depends on your perspective.
Have you ever used Metasploit? This article looks at the creator of Metasploit, H.D. Moore, and how he started this project.
Support for Ajax and JavaScript takes the pain out of Web-form validation.
Writing code to validate Web-form input can be even more of a chore than implementing form-processing logic. But help is at hand, thanks to the Struts 2 framework. Oleg Mikheev looks under the hood of the Struts 2 validation mechanism and shows you how its Java, JavaScript, and Ajax support can take the pain out of Web-form validation.
Do you take the time to validate your Ajax applications? This article looks at ways you can use the Struts 2 framework to help.
Companies can actually worsen their risks by failing to take these commonsense approaches to security. Many companies spend a small fortune and deploy a small army to secure themselves from the many security threats lurking these days. But all those efforts can come to naught when making any of these common mistakes. The results can range from embarrassing to devastating, but security experts say that all are easily avoidable.
This is a list of common security mistakes computer users should never make. Have you ever made one of them by accident?
This is a fairly interesting subject, I think, as a lot of people entering the security field still ask me whether they need to learn assembly language or not.
For those who aren’t sure what it is, it’s pretty much the lowest-level programming language computers understand without resorting to simply 1’s and 0’s.
This article asks the question: do security experts still need to learn assembly programming? What do you think?
Work on the Fedora infrastructure has returned to normal at this point. Updates are once again available for Fedora 8 and Fedora 9, our current releases, using the new package signing key we've implemented. To read more about the new package signing key, refer to: https://fedoraproject.org/wiki/New_signing_key, and https://fedoraproject.org/wiki/Enabling_new_signing_key. In addition, Rawhide has returned to service, as well as our other services such as Fedora Hosted.
It looks like the people behind the Fedora Project are continuing to investigate the security issue they were having. What do you think the result of this investigation will be?
Coworkers at the University of Tel Aviv have presented a prototype for a new host-based intrusion detection system (HIDS) for Linux. Named Korset, it uses static code analysis and promises zero failures.
A host-based intrusion system (HIDS) models an application’s behavior and if the behavior deviates from the model, it sends an alarm. Earlier methods of intrusion detection depended either on static data derived from machine learning or on program policies created by developers. In the views of Professor Avishai Wool and kernel developer Ohad Ben-Cohen, the first method is susceptible to false positives and the second one costly.
If you are interested in Linux intrusion detection, check out this article. It discusses how a host-based intrusion detection system (HIDS) models application behavior.
There is a saying in the security world that the only truly safe computer system is one that is disconnected from the network, switched off and buried six feet underground. The sentiment may be somewhat true, but it is hardly a practical solution to the problems we face today in protecting servers and desktops from outside intrusion.
There are more computer systems connected to the internet either directly or via local area networks than at any time in the history of technology and the numbers are growing at a rapid rate.
This article is a great guide for anyone who wants to learn more about Linux security. It goes into detail about the basic ways to help secure your Linux machine, for example firewalls and protecting services.