The problem of standard vulnerability management is well known: Windows patches come out the second Tuesday of every month, and then it’s a scramble to figure out which ones have to be applied to which systems and if they...

How to Test for SQL Injection Bugs - Step 3

by Serge Truth on January 25, 2011 at 9:44 AM

SQL Injection is a common type of web database-related vulnerability. SQL injection is common to web site applications that interact with a database backend. These sites construct SQL commands or queries based on user...

How to Test for SQL Injection Bugs - Step 2

by Serge Truth on January 18, 2011 at 9:46 AM

SQL Injection is a common type of web database-related vulnerability. SQL injection is common to web site applications that interact with a database backend. These sites construct SQL commands or queries based on user...

How to Test for SQL Injection Bugs - Step 1

by Serge Truth on January 11, 2011 at 9:47 AM

SQL Injection is a common type of web database-related vulnerability. SQL injection is common to web site applications that interact with a database backend. These sites construct SQL commands or queries based on user...

Centralize Logging

by Serge Truth on January 6, 2011 at 9:49 AM

Here is another article to keep up with the theme of centralizing information security functionality. The security functions that may be centralized effectively are: input and data validation, auditing and logging, and error...

Constrain, Reject, and Sanitize Input

by Serge Truth on December 28, 2010 at 9:50 AM

The preferred approach to validating input is to constrain what you allow from the beginning. It is much easier to validate data for known valid types, patterns, and ranges than it is to validate data by looking for known...

Protect your Administration Interfaces

by Serge Truth on December 21, 2010 at 9:53 AM

It is important that configuration management functionality is accessible only by authorized operators and administrators. A key part is to enforce strong authentication over your administration interfaces, for example, by...

Last week, I grumbled over the fact that a student can graduate with a Computer Science and Software Engineering degree and have had zero exposure to software security. Huh? Doesn’t our society and business literally run on...

For years everyone from Mary Ann Davidson (CSO of Oracle) to OWASP to DHS (in their “Build Security In” initiative with SEI) has been bemoaning the fact that our universities do not adequately train software engineering...

Identify Security Objectives for Applications

by Serge Truth on December 17, 2010 at 9:58 AM

When developing an application, it is best to define security objectives and requirements early in the process. Security objectives are goals and constraints that affect the confidentiality, integrity, and availability of...