iOS Security

by Apple

iOS and iOS devices provide advanced security features, and yet they’re also easy to use. Many of these features are enabled by default, so IT departments don’t need to perform extensive configurations. And key security features like device encryption aren’t configurable, so users can’t disable them by mistake. Other features, such as Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device.
This document provides details about how security technology and features are implemented within the iOS platform. It will also help organizations combine iOS platform security technology and features with their own policies and procedures to meet their specific security needs.

Hardening Oracle Database with Oracle Solaris Security Technologies

by Oracle

This white paper describes and demonstrates how commodity Oracle Solaris operating system security features can be used to lock down network-facing services in order to protect them against internal and external threats. Technology concepts and their realizations are presented in a hands-on fashion using a running example: Oracle Database Server 11g Release 2 executing on Oracle Solaris 10 10/09.

Moving Toward Better Security Testing of Software for Financial Services

by Steve Kosten

The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types (web applications, mobile applications, internal web services and so forth) are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why these applications are being targeted, what is motivating the attackers and what some of the inhibitors of application security are. Most important, this paper specifies best practices for building a secure development life cycle that safeguards applications in the FSI.

Using Cloud Deployment to Jump-Start Application Security

by Adam Shostack

The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility that come with this shift make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.

Security by Design: The Role of Vulnerability Scanning in Web App Security

by Barbara Filkins

The growth in custom applications in the cloud has increased organizations’ security exposure. Although more organizations want to test and remediate during development, this doesn’t address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.

Testing Web Apps with Dynamic Scanning in Development and Operations

by Barbara Filkins

Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.

Asking the Right Questions: A Buyer’s Guide to Dynamic Scanning to Secure Web Applications

by Barbara Filkins

Once an organization has made the decision to invest in dynamic application security testing (DAST) to support its application security program—potentially across all phases of the software development life cycle (SDLC), including production—the next challenge becomes how to proceed. What is the best process to determine and procure what is really needed?
For this reason, SANS has developed a buyer’s guide for procurement of a DAST solution, whether as a product or software-as-a-service (SaaS). This guide will lay out an effective process to evaluate, select and implement the best solution that can be followed by any organization, large or small.
This guide provides a four-step method for acquiring the solution you need to enable your organization’s use of DAST.

Hackproofing Oracle eBusiness Suite

by David Litchfield

A recent security review by David Litchfield of Oracle’s eBusiness Suite (fully patched) revealed that it is vulnerable to a number of unauthenticated remote code execution flaws, a slew of SQL injection vulnerabilities and cross-site scripting bugs. Because the product is used by large corporations across the globe, the question becomes how one secures it given these weaknesses. This talk will examine those weaknesses with demonstration exploits and then look at how one can protect systems against these attacks.

Web Application Firewalls: Analysis of Detection Logic

by Vladimir Ivanov

This presentation highlights the core of Web Application Firewall detection logic and focuses on the regular-expression detection mechanism. Other highlights include the use of a Static Application Security Testing (SAST) tool for regular-expression analysis, aiming to find security flaws in the syntax of the regular expressions themselves. Using the proposed “regex security cheat sheet”, rules from popular WAFs will be examined. Logical flaws in regular expressions will be demonstrated by applying the author’s bug hunting experience and best practices.

Watch out workers, it just got easier to sift your Instant Messages

Employees who want to speak on the sly have often turned to email: it’s a quick, discreet way to gossip about a colleague, and also to engage in more serious conspiracies. These days, though, it’s instant messaging – in the form of Gchat or Skype or Slack – where many workers go to swap ideas and opinions with their colleagues.

But while employees may like the fast, breezy format of “IMing,” the rise of instant messaging has proved a headache for company bosses and lawyers. Unlike worker emails, which are easy for higher-ups to locate and peer in on (yes, they can do that), instant messages are a motley jumble of data that is hard to parse.