The Information Security community has been buzzing this week with talk of the newly released CWE/SANS Top 25 Most Dangerous Programming Errors. The goal of the report is to identify not just security vulnerabilities (think OWASP Top Ten), but the programming errors that create those holes.
Here is a short and sweet list of free IIS security tools by Kevin Beaver @ TechTarget (he wrote the classic Hacking for Dummies):
Port80's HeaderCheck and other free HTTP analysis tools are mentioned in there as well (toot-toot goes the horn), but it is a useful list of tools. And free is nice, given the price of gas and all!
PS Our Deal Packs are not "free", but they are a little lighter on the ol' budget — check them out at http://www.port80software.com/deals/.
The recent wave of SQL injection attacks has made mainstream news, just in case you have not seen it:
Jeremiah Grossman and others have made the point, accurately, that this is not a Microsoft IIS Web server issue, but rather that Web developers not adhering to security best practices are to blame (for shame, it is not like we have enough to do already!):
Security expert: Don’t blame Microsoft for mass site defacements
To solve this puzzle, look no further than controlling parameters, permissions and sanitizing your inputs with a Web application firewall or WAF like ServerDefender AI or the upcoming ServerDefender VP. Yes, you can learn to write more secure code, but why wait to get protected or deal with recoding legacy bits? Get a WAF, and get PCI compliant, something we all need to be focusing on now.
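To make the "controlling parameters and sanitizing inputs" point concrete, here is an added example (not code from the post or from Port80): a lookup that splices a request parameter into the SQL text, next to a parameterized version and one that additionally allow-lists the parameter's shape. The table, rows and product names are constructed for the demonstration, and Python's built-in sqlite3 stands in for whatever database sits behind the IIS site.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: two public products and one that must never be listed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "internal-only", 0)],
    )
    return conn


def lookup_unsafe(conn, name):
    # The programming error behind the mass attacks: the request parameter becomes
    # part of the SQL statement, so it can rewrite the WHERE clause and bypass the
    # public = 1 filter the developer thought was enforced.
    sql = (
        "SELECT name FROM products WHERE public = 1 AND name = '%s' ORDER BY id"
        % name
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL text and is
    # always treated as a literal string, never as SQL syntax.
    sql = "SELECT name FROM products WHERE public = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_safe_validated(conn, name):
    # "Controlling parameters": in addition to parameterization, reject input that
    # does not match the allow-listed shape of a product name before it reaches
    # the database. (Pattern is an assumption for this example.)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", name):
        raise ValueError("rejected product name")
    return lookup_safe(conn, name)
```

A WAF in front of the site can block the same malformed parameter before it reaches the application, which is what the post recommends for legacy code that cannot be fixed quickly.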