
Category:OWASP Guide Project

OWASP Developer Guide

The OWASP Developer Guide 2014 is a dramatic re-write of one of OWASP's first and most downloaded projects. The focus moves from countermeasures and weaknesses to secure software engineering.

Introduction: The OWASP Developer Guide is the original OWASP project. The Developer Guide 2014 is a "first principles" book: it is not specific to any one language or framework, since they all borrow ideas and syntax from each other. The major themes in the Developer Guide are Foundation, Architecture, Design, Build, Configure and Operate. We are re-factoring the original material from the Developer Guide 2.0, released in July 2005, bringing it into the modern world and focusing it tightly on modern web apps that use Ajax and RESTful APIs, and of course on mobile applications.

Intended audience: The primary audience for the new version of the Developer Guide is architects and developers.

What the Internet knows about you

Pragmatic Architecture: Security
Ted Neward, December 2006. Applies to: .NET Framework

Summary: No other topic has so influenced and embroiled our industry as has the subject of security. Not to say that this influence has always been positive. We hear the statistics, read the news, and even swap the war stories at conferences and team meetings.

Contents: Introduction; Secure Enough; Know What You Are Trying to Protect; Know How You Are Going to Protect It; The Answer; Conclusion

I mill with the rest of the group, enjoying the cocktails and free beer. "No way." I can't help myself. His smile grows large and oily. I take his card and think to myself, "What a jerk."

"The most important thing is to find out what is the most important thing." – Shinryu Suzuki
"Security is a process, not a product." – Bruce Schneier, Secrets and Lies: Digital Security in a Networked World

Sony, Rootkits and Digital Rights Management Gone Too Far - Mark's Blog

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my "Unearthing Rootkits" article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application. Given the fact that I'm careful in my surfing habits and only install software from reputable sources I had no idea how I'd picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.

A vision of enterprise platform: Security Infrastructure

I have been asked how I would design a security infrastructure for my vision of an enterprise platform, and here is an initial draft of the ideas. As with anything in this series, no actual code was written to build them. What I am doing is going through the steps that I would usually go through before I actually sit down and implement something. While most systems go for the Users & Roles metaphor, I have found that this is rarely a valid approach in real enterprise scenarios. What are the requirements for this kind of infrastructure? Performant; human understandable; flexible; and the ability to specify permissions on a group or on individual users, based on an entity type, a specific entity, or an entity group. Let us give a few scenarios and then go over how we are going to solve them, shall we? A helpdesk representative can view account data, but cannot edit it. The security infrastructure revolves around this interface: So, for the next application that I built, I used a different approach.
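The scheme the post sketches (permissions attached to a group or an individual user, scoped to an entity type, a specific entity, or an entity group) can be made concrete in a few dozen lines. The block below is an added example written for this page, not the post's own code or interface; every name in it (Principal, Entity, Rule, PermissionStore) and the resolution policy it uses (an explicit deny beats any allow, and with no matching rule the answer is no) are assumptions chosen for the illustration. The helpdesk scenario from the post is the first two checks.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example; all names and the deny-wins policy are assumptions, not the post's design.


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Entity:
    type: str                                   # entity type, e.g. "Account"
    id: str                                     # a specific entity
    groups: FrozenSet[str] = frozenset()        # entity groups it belongs to, e.g. "Frozen"


@dataclass(frozen=True)
class Rule:
    principal: Tuple[str, str]                  # ("user", name) or ("group", name)
    operation: str                              # "view", "edit", ...
    entity_type: str
    allow: bool                                 # True = grant, False = explicit deny
    entity_id: Optional[str] = None             # None = any entity of the type
    entity_group: Optional[str] = None          # None = regardless of entity group


class PermissionStore:
    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def grant(self, **kw) -> None:
        self._rules.append(Rule(allow=True, **kw))

    def deny(self, **kw) -> None:
        self._rules.append(Rule(allow=False, **kw))

    @staticmethod
    def _matches(rule: Rule, who: Principal, op: str, entity: Entity) -> bool:
        """A rule applies when operation, entity type, principal and entity scope all match."""
        if rule.operation != op or rule.entity_type != entity.type:
            return False
        kind, name = rule.principal
        if kind == "user" and name != who.name:
            return False
        if kind == "group" and name not in who.groups:
            return False
        if rule.entity_id is not None and rule.entity_id != entity.id:
            return False
        if rule.entity_group is not None and rule.entity_group not in entity.groups:
            return False
        return True

    def is_allowed(self, who: Principal, op: str, entity: Entity) -> bool:
        """Default deny; any matching explicit deny overrides every matching grant."""
        hits = [r for r in self._rules if self._matches(r, who, op, entity)]
        if not hits:
            return False
        return all(r.allow for r in hits)


def helpdesk_scenario() -> dict:
    """The post's scenario plus two more, on constructed users and accounts."""
    store = PermissionStore()
    store.grant(principal=("group", "Helpdesk"), operation="view", entity_type="Account")
    store.grant(principal=("group", "AccountManagers"), operation="view", entity_type="Account")
    store.grant(principal=("group", "AccountManagers"), operation="edit", entity_type="Account")
    # entity-group scope: frozen accounts may not be edited, even by managers
    store.deny(principal=("group", "AccountManagers"), operation="edit",
               entity_type="Account", entity_group="Frozen")
    # individual user + specific entity: a customer may view only her own account
    store.grant(principal=("user", "carol"), operation="view",
                entity_type="Account", entity_id="acct-7")

    alice = Principal("alice", frozenset({"Helpdesk"}))
    bob = Principal("bob", frozenset({"AccountManagers"}))
    carol = Principal("carol")
    acct1 = Entity("Account", "acct-1")
    acct7 = Entity("Account", "acct-7")
    acct9 = Entity("Account", "acct-9", frozenset({"Frozen"}))

    return {
        "helpdesk views": store.is_allowed(alice, "view", acct1),
        "helpdesk edits": store.is_allowed(alice, "edit", acct1),
        "manager edits": store.is_allowed(bob, "edit", acct1),
        "manager edits frozen": store.is_allowed(bob, "edit", acct9),
        "customer views own": store.is_allowed(carol, "view", acct7),
        "customer views other": store.is_allowed(carol, "view", acct1),
    }


if __name__ == "__main__":
    for check, ok in helpdesk_scenario().items():
        print(f"{check:22s} -> {'allowed' if ok else 'denied'}")
```

Deny-wins is the conservative choice: a user who ends up in two groups can never gain an edit right that one of those groups explicitly forbids. The rule list is scanned linearly here; indexing rules by (operation, entity_type) is the obvious first step toward the "performant" requirement.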

Reverse Engineering of Encrypted Code

Sometimes, when you set out to analyze a file suspected of being malware, you can get an idea of what it does simply by looking at the contents of the binary. Other times the malware is encrypted, so all you can see is the contents of the decryption routine. However, any software that is encrypted and has to decrypt itself automatically, without human intervention, must store the decryption password hardcoded (or download it from the Internet, or obtain it by some other means), so to find out what this kind of malware does we can either look for the decryption password in the routine, or let the malware itself decrypt the code and analyze it in memory. The first step is to let the malware run freely, checking with a network trace or by monitoring the machine that its execution has reached the point we want (in this case, sending a POST /forum.php request).
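The "look for the hardcoded key" route is often shorter than it sounds when you already know one string the decrypted payload must contain, such as the POST /forum.php request the post observes on the wire. The block below is an added example, not code from the post or from the sample it analyzes: it constructs a toy payload protected by a repeating-key XOR with the key embedded in the decrypt routine (the cipher choice is an assumption; real samples use whatever their author picked) and recovers that key from the ciphertext alone using the known request line as a crib.

```python
# Added example. The "malware" here is a constructed toy: a repeating-key XOR whose key
# would sit hardcoded in the decrypt routine. The crib is the POST /forum.php string.

PLAINTEXT = (b"POST /forum.php HTTP/1.1\r\n"
             b"Host: c2.example.invalid\r\n"          # constructed, not a real C2
             b"User-Agent: Mozilla/4.0\r\n\r\n")
HARDCODED_KEY = b"k3y!"                                 # stands in for the embedded key


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """The toy decrypt (and encrypt) routine: XOR with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED_BLOB = xor_crypt(PLAINTEXT, HARDCODED_KEY)   # what you would see in the binary


def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 16):
    """Known-plaintext attack on repeating-key XOR.

    For every candidate key length and every offset at which the crib could sit,
    ciphertext[offset+i] XOR crib[i] must give the same key byte each time the same
    key slot is hit. The first (shortest) fully determined, consistent key wins.
    Returns (key, offset) or None.
    """
    for klen in range(1, max_key_len + 1):
        for offset in range(len(ciphertext) - len(crib) + 1):
            key = [None] * klen
            consistent = True
            for i, p in enumerate(crib):
                slot = (offset + i) % klen
                k = ciphertext[offset + i] ^ p
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if consistent and None not in key:
                return bytes(key), offset
    return None


def decrypt_and_extract_request_line(ciphertext: bytes, crib: bytes = b"POST /forum.php"):
    """Recover the key, decrypt the whole blob and return (key, first request line)."""
    found = recover_key(ciphertext, crib)
    if found is None:
        return None
    key, _offset = found
    plain = xor_crypt(ciphertext, key)
    return key, plain.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    key, request_line = decrypt_and_extract_request_line(ENCRYPTED_BLOB)
    print("recovered key:", key)
    print("request line :", request_line.decode())
```

If the crib is shorter than the key, some key slots stay undetermined and the function keeps searching; sliding a longer known fragment (the full HTTP request, a PE header) or combining two cribs fixes that. When the routine is not a simple XOR, the second route from the post applies unchanged: break after the decrypt loop and dump the buffer from memory.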

F O R A T » How to protect your Linux server from brute-force attacks

For some years now I have had web servers online 24 hours a day at home, offering services to the Internet that require a username and password to access, such as SSH or FTP. I have received all kinds of attacks from some undesirables, but the most frequent is the brute-force attack, which amounts to using a dictionary-style list of names. There have been days when they tried over and over with an endless list of names to see if any matched the password of the root superuser, in order to take over the server through the SSH port. Up to today I have been blocking them in different ways, but the one I am going to explain this time is the best I have found against this kind of threat. The guide you can read below applies to the Debian and Ubuntu Linux distributions, since those are the two on which I have tested this technique, with its installation and configuration working correctly. [ssh] [apache]
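The excerpt does not name the tool it goes on to install, but the rule every such blocker applies is the same: count failed logins per source address inside a time window and block the address once it crosses a threshold. The block below is an added example, not the post's own instructions, showing that rule run over a handful of constructed auth.log lines in sshd's syslog format; the threshold and window names (maxretry, findtime) and the year supplied to the parser are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example. The log lines are constructed for this illustration; the IPs are
# documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Apr  9 12:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  9 12:00:03 srv sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Apr  9 12:00:05 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Apr  9 12:00:06 srv sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr  9 12:00:08 srv sshd[2109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Apr  9 12:01:10 srv sshd[2111]: Accepted publickey for vivek from 198.51.100.7 port 40100 ssh2
Apr  9 12:02:00 srv sshd[2113]: Failed password for vivek from 198.51.100.7 port 40102 ssh2
Apr  9 12:30:00 srv sshd[2115]: Failed password for root from 192.0.2.9 port 3001 ssh2
Apr  9 12:31:00 srv sshd[2117]: Failed password for root from 192.0.2.9 port 3002 ssh2
Apr  9 12:45:00 srv sshd[2119]: Failed password for root from 192.0.2.9 port 3003 ssh2
Apr  9 12:46:00 srv sshd[2121]: Failed password for root from 192.0.2.9 port 3004 ssh2
Apr  9 12:47:00 srv sshd[2123]: Failed password for root from 192.0.2.9 port 3005 ssh2
"""

# sshd's failure line; "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(log_text: str, year: int = 2010):
    """Yield (timestamp, ip, user) per failed-password line.

    Classic syslog timestamps carry no year, so one is supplied (assumption).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600, year: int = 2010) -> dict:
    """Return {ip: time_of_ban} for every address with >= maxretry failures
    inside any sliding window of findtime seconds (fail2ban-style semantics)."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, _user in sorted(parse_failures(log_text, year)):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures that aged out
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

In the sample, 203.0.113.5 crosses five failures in seven seconds and is blocked at 12:00:08; 192.0.2.9 also fails five times but spreads them over seventeen minutes, so with a ten-minute window it never has five inside one window. That is the trade-off the window parameter encodes: a slow, patient attacker needs a longer findtime (or a lower threshold) to be caught, at the cost of more false positives on a user who simply mistypes.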

apache.org incident report for 04/09/2010 (Apache Infrastructure Team)

Apache.org services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software. The Apache Software Foundation uses a donated instance of Atlassian JIRA as an issue tracker for our projects.

Password Security: If you are a user of the Apache-hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised. JIRA and Confluence both use a SHA-512 hash, but without a random salt. Bugzilla uses SHA-256 with a random salt. In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log passwords.

What Happened? On April 5th, the attackers, via a compromised Slicehost server, opened a new issue, INFRA-2591: "ive got this error while browsing some projects in jira [obscured]"

What worked? What didn't work?
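The report's distinction between the unsalted SHA-512 of JIRA/Confluence and the salted SHA-256 of Bugzilla is the whole difference in what an attacker can do with the leaked table. The block below is an added example, not code from the report or from either product: it hashes a few constructed user records both ways and counts the hash computations a wordlist attack needs in each case, then shows the salted, iterated KDF one would store today.

```python
import hashlib
import hmac
import os

# Added example. Users, passwords and wordlist are constructed; none of this is Apache data.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3-xK9"}


def unsalted_sha512(password: str) -> str:
    """What the report says JIRA/Confluence stored: a bare SHA-512 of the password."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """What the report says Bugzilla stored: SHA-256 over a random per-user salt and the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_sha512(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    stored = {}
    for u, p in users.items():
        salt = os.urandom(16)                       # fresh random salt per user
        stored[u] = (salt, salted_sha256(p, salt))
    return stored


def shared_password_groups(stored_unsalted: dict) -> list:
    """Without a salt, equal digests mean equal passwords; that leaks before any cracking."""
    by_hash = {}
    for u, h in stored_unsalted.items():
        by_hash.setdefault(h, []).append(u)
    return [sorted(g) for g in by_hash.values() if len(g) > 1]


def crack_unsalted(stored: dict, wordlist) -> tuple:
    """One precomputed table of len(wordlist) digests serves every user at once.
    Returns (cracked users, number of hash computations)."""
    table = {unsalted_sha512(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(table)


def crack_salted(stored: dict, wordlist) -> tuple:
    """Each user's salt differs, so the table cannot be shared: the cost is paid per user."""
    cracked, work = {}, 0
    for u, (salt, digest) in stored.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_sha256(w, salt), digest):
                cracked[u] = w
                break
    return cracked, work


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """What to store instead today: a salted, deliberately slow KDF from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("users sharing a password (visible from digests alone):", shared_password_groups(unsalted))
    print("unsalted: cracked %s with %d hashes" % crack_unsalted(unsalted, WORDLIST))
    print("salted  : cracked %s with %d hashes" % crack_salted(store_salted(USERS), WORDLIST))
```

The salt does not stop a dictionary attack on a weak password; it removes the shared table, so the work scales with the number of users instead of being paid once, and it hides which users chose the same password. Neither scheme slows a single guess down, which is why the per-guess cost of PBKDF2 (or bcrypt, scrypt, Argon2) matters once a table leaks.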

.:: Phrack Magazine ::.

Top 20 OpenSSH Server Best Security Practices

OpenSSH is an implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH preserves the confidentiality and integrity of data exchanged between two networks and systems. However, its main advantage is server authentication through public-key cryptography. From time to time there are rumors of an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.

Default Config Files and SSH Port: /etc/ssh/sshd_config is the OpenSSH server configuration file.

#1: Disable OpenSSH Server. Workstations and laptops can work without an OpenSSH server.

#2: Only Use SSH Protocol 2. SSH protocol version 1 (SSH-1) has man-in-the-middle attack problems and security vulnerabilities. Set:
Protocol 2

#3: Limit Users' SSH Access. By default all system users can log in via SSH using their password or public key. Restrict logins to named accounts, for example:
AllowUsers root vivek jerry
IgnoreRhosts yes
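Two sshd_config parsing rules bite people who apply tips like #2 and #3 by appending lines: sshd keeps the first value it sees for a keyword and ignores later duplicates, and anything below a Match line applies only to the matching connections, not globally. The block below is an added example, not part of the article: a small auditor that reads a configuration with those semantics and reports the three settings from the excerpt (Protocol, AllowUsers, IgnoreRhosts), run over a constructed weak configuration and its corrected form. The user names and the configuration text are assumptions.

```python
import re

# Added example. Both configurations are constructed for this illustration.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
Protocol 2,1
#AllowUsers vivek jerry
IgnoreRhosts no
PasswordAuthentication yes
Match User backup
    IgnoreRhosts yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
AllowUsers vivek jerry
IgnoreRhosts yes
"""

# "Keyword value" or "Keyword=value", as sshd_config(5) allows
DIRECTIVE_RE = re.compile(r"(\S+)(?:\s*=\s*|\s+)(.*)")


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings as {keyword_lowercase: value}.

    sshd uses the FIRST value given for a keyword (later duplicates are ignored),
    keywords are case-insensitive, and directives after a Match line are conditional,
    so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit(text: str) -> list:
    """Return (keyword, current value, recommended line) for each weak setting found."""
    s = parse_sshd_config(text)
    findings = []
    # #2: SSH-1 must not be offered at all
    protocols = {p.strip() for p in s.get("protocol", "2").split(",")}
    if "1" in protocols:
        findings.append(("Protocol", s["protocol"], "Protocol 2"))
    # #3: without AllowUsers/AllowGroups every system account may attempt a login
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowUsers", "(unset: every system user may log in)", "AllowUsers <names>"))
    if s.get("ignorerhosts", "yes").lower() != "yes":
        findings.append(("IgnoreRhosts", s["ignorerhosts"], "IgnoreRhosts yes"))
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(cfg_name, audit(cfg) or "no findings")
```

The weak configuration trips all three checks even though it contains "IgnoreRhosts yes", because that line sits inside a Match block. After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective values, which is the authoritative version of what this parser approximates. Note that OpenSSH 7.4 and later no longer contain SSH-1 server support, so on those releases the Protocol directive is a no-op and #2 is satisfied by the version itself.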
