Posts Tagged ‘Security’
It’s been nearly three years since many of us estimated that 9 out of 10 sites had at least one flaw while most had more. I have not been too active in the security world as of late (though this will change soon!), but I would have hoped we would have made some sort of progress. It seems XSS is still amazingly pervasive, and CSRF, the now-waking giant, is not far behind.
As Darkreading reports, WhiteHat has issued a press release which states that around 9 of 10 sites have at least one vulnerability, while the average site has around six or seven. I have rarely seen WAFs as the solution, but even over a few years, nearly an eternity for the internet, little to no progress has obviously been made. So, perhaps it is finally time. In the white hats’ defense, though, the odds are amazingly against them. Over a hundred million sites operate now. That 1 of 10 sites that is safe is often brochure-ware: a site with little or no interactivity, static HTML on secure servers.
Perhaps we ARE making developers more security-minded and making progress. I do remember saying this a while back.
Many sites are vulnerable to XSS, and since all Websites change, eventually another XSS hole will probably open up on sites previously thought [of as] safe.
This seems to remain fairly true today. The very nature of interactive websites, along with their being revamped fairly often, means that it’s all very dynamic and thus, apparently, very insecure.
Oh well. At least with my inactivity as of late, I won’t be heading to an early grave…
There is nothing new at all from a security perspective in this article, but it really lives up to its name as an introduction to Web App Sec. It points out a few things we already knew, such as the scary fact that up to 80 percent of all websites suffer from some sort of vulnerability. The ones that don’t are mostly static HTML sites with no complex backend, ‘brochure-ware’ as the article calls it.
It also elaborates on some of the issues that must be faced, such as the need for secure coding. It’s pretty bad practice in most cases (but not all) to just slap on a WAF and hope for the best. As this quote points out:
Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there.
So all in all, if you’re a frustrated web app sec guy, this is a great article to show the higher-ups. Murky indeed. As RSnake would say, clear as mud?
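To make the “slap on a WAF and hope” point concrete, here is an added example; it is not from the original post or from the article it discusses. A toy signature filter stands in for a blocklist-style WAF rule, beside a reflecting page in two forms: one that echoes the parameter raw, and one that encodes it for the HTML text context. The rule names, payloads and the crude “does this look executable” check are all constructed for the demonstration; the check is a stand-in for a browser, not a real parser.

```javascript
// Added example (not the original post's code): a blocklist filter of the
// kind a simple WAF signature applies, beside contextual output encoding.
// The filter is bypassed by a payload that avoids its patterns; the encoded
// output stays inert for every payload, whatever its shape.

// Toy "WAF" rule: reject input that contains a script tag or a javascript: URL.
// (Constructed for this example; real rule sets are longer but share the flaw.)
const BLOCKLIST = [/<script/i, /javascript:/i];

function wafAllows(input) {
  return !BLOCKLIST.some((re) => re.test(input));
}

// Vulnerable sink: the parameter is reflected straight into the page.
function renderUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened sink: encode for the HTML text context before reflecting.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  return `<p>Hello, ${encodeHtml(name)}</p>`;
}

// Crude stand-in for a browser: does the rendered HTML contain an executable
// element, or an event-handler attribute inside a tag? Only real '<' counts;
// an encoded '&lt;' never opens a tag.
function containsActiveMarkup(html) {
  const activeTag = /<(script|img|svg|iframe)\b[^>]*>/i;
  const handlerAttr = /<[a-z][^>]*\son\w+\s*=/i;
  return activeTag.test(html) || handlerAttr.test(html);
}

// Constructed payloads: the first trips the signature, the second does not.
const PAYLOADS = {
  obvious: '<script>alert(1)</script>',
  bypass: '<img src=x onerror=alert(1)>',
};

// For each payload: did the WAF stop it, and is each sink exploitable by it?
function evaluate() {
  const results = {};
  for (const [label, payload] of Object.entries(PAYLOADS)) {
    results[label] = {
      wafBlocks: !wafAllows(payload),
      unsafeExploitable: containsActiveMarkup(renderUnsafe(payload)),
      safeExploitable: containsActiveMarkup(renderSafe(payload)),
    };
  }
  return results;
}

// Usage: the bypass payload sails past the filter and fires in the raw sink,
// but is inert in the encoded one. The obvious payload is inert there too.
console.log(JSON.stringify(evaluate(), null, 2));
```

The encoding function is the fix the quote is arguing for: it sits in the code that produces the page, so it holds for payloads nobody wrote a signature for. The filter only ever matches what someone already thought of.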
of the browser. Probably because the browser gets updated and the site is using the :visited CSS if you visit it in one instance. Anyways, interesting stuff. Don’t forget to get the XSS book tomorrow!
Also, I’ve set up a new forum on one of my spare machines.
It’s not particularly secure right now as it’s using Debian packages. They tend to be a little out of date. But at least it’s stable. I’ll be making semi-regular backups, so it won’t be a huge issue if it’s hacked. Assuming your DNS has updated by the time you read this, it should be at Kyran.ca. You’ll probably also notice the banner on the right. Yup. Easier sign-up for e-mails @kyran.ca
There was an article going around on a few sites today about Acunetix stating that 70% of websites are at immediate risk of being breached. Soon after, Joe Snyder not only disputed this claim, but bet Acunetix $1000 that they couldn’t compromise 3 out of 10 sites. I could use a thousand bucks, and I bet that even with randomly selected sites I could get at least 5 out of 10. RSnake wrote a post with a bit more info.
Also, Iwatsu selected Opera for use in their new VoIP phone. From the press release:
PRECOT (Premium Communication Tool) is a next generation solution over a broadband IP connection for the enterprise market. With Opera, PRECOT users can access Web mail or any Web page from the convenience of their screen phones.
It will also have phone-to-tag support, which basically turns any number formatted like a phone number into a link; when it’s clicked, the phone will call it. Pretty nifty stuff.
Too bad I dislike phones.