Blog

Techniques in Attacking and Defending XML/Web Services

Mamoon Yunus and Jason Macy gave an overview of XML/Web services and showed how the usual web application security rules still apply to them.

Review of the problems with XML/Web services

XML/Web services still have all the normal web application problems:

  • Network firewalls are not aware of the XML content they pass through.
  • Malware and viruses (or XSS payloads) can be carried in the content, depending on the context in which the XML data is later used.
  • WSDL exposes the schema and message structure to anyone who can fetch it.
  • Injection attacks are possible via the XML parameters.
  • Data replay is still possible.
  • Denial of service is still possible, especially through crafted parameters.
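The two items on injection and replay, worked through in Python as an added example (this code is not from the talk or the original post). The SOAP-style envelope, the element names, the shared secret and the nonces are all constructed for illustration; the back end is a stand-in that reads an optional admin flag, which is exactly what the injected parameter tries to smuggle in.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed for this example: a shared secret and a replay window in seconds.
SECRET = b"demo-shared-secret"
REPLAY_WINDOW = 300


def build_request_unsafe(account: str) -> bytes:
    """Vulnerable client: splices the parameter into the XML as a string."""
    return ("<Envelope><Body><GetBalance><account>%s</account>"
            "</GetBalance></Body></Envelope>" % account).encode()


def build_request_safe(account: str) -> bytes:
    """Hardened client: builds the document as a tree, so '<', '>' and '&'
    in the value are escaped and cannot create new elements."""
    env = ET.Element("Envelope")
    op = ET.SubElement(ET.SubElement(env, "Body"), "GetBalance")
    ET.SubElement(op, "account").text = account
    return ET.tostring(env)


def server_parse(xml_bytes: bytes) -> dict:
    """Constructed back end: reads every <account> element and an optional
    <admin> flag that an attacker will try to inject through the parameter."""
    op = ET.fromstring(xml_bytes).find("./Body/GetBalance")
    admin = op.find("admin")
    return {
        "accounts": [e.text or "" for e in op.findall("account")],
        "admin": admin is not None and admin.text == "true",
    }


# Injection payload: closes <account> early and adds an <admin> element.
INJECTION = "12345</account><admin>true</admin><account>"


def sign(body: bytes, nonce: str, ts: int) -> str:
    """HMAC over body, nonce and timestamp, so none of them can be altered."""
    msg = body + b"|" + nonce.encode() + b"|" + str(ts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def accept_message(body: bytes, nonce: str, ts: int, sig: str,
                   seen: dict, now: int) -> bool:
    """Replay check: a message is accepted once per nonce, and only while its
    timestamp is inside the window. `seen` maps nonce -> timestamp and is
    pruned so it does not grow without bound."""
    if not hmac.compare_digest(sign(body, nonce, ts), sig):
        return False                      # forged or tampered
    if abs(now - ts) > REPLAY_WINDOW:
        return False                      # too old (or from the future)
    for old in [n for n, t in seen.items() if now - t > REPLAY_WINDOW]:
        del seen[old]                     # nonces outside the window can be forgotten
    if nonce in seen:
        return False                      # replay of a message already accepted
    seen[nonce] = ts
    return True


if __name__ == "__main__":
    print(server_parse(build_request_unsafe(INJECTION)))  # admin flag smuggled in
    print(server_parse(build_request_safe(INJECTION)))    # literal text, no admin
    seen = {}
    body = build_request_safe("12345")
    sig = sign(body, "nonce-1", 1000)
    print(accept_message(body, "nonce-1", 1000, sig, seen, 1000))  # accepted
    print(accept_message(body, "nonce-1", 1000, sig, seen, 1005))  # rejected: replay
```

The unsafe builder turns one parameter into two `account` elements plus an `admin` element, which the back end happily honours; the tree-based builder delivers the same string as a single escaped text node. The replay check binds the nonce and timestamp into the signature so an attacker cannot simply re-send a captured envelope with a fresh nonce. The entity-expansion style of denial of service from the last list item is not covered here.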

The OWASP Top 10 Vulnerabilities for 2010 (release candidate 1)

The OWASP Top 10 is a list of the classes of vulnerability judged to carry the highest risk. It is offered as a tool that application developers can use to judge whether their application meets best practice, based on whether or not it has controls in place for each of the ten items.

The Internet's 10 most dangerous people you don't know

Robert Hansen (who actually wore a suit, which was quite surprising to me) gave out a list of the 10 people he thinks are the most dangerous to the Internet that you don't actually know. These are people responsible for infrastructure or services that matter to the safety and continued functioning of the Internet, yet who are not generally recognized as important (or dangerous) people.

10. Network engineer at C|Net

Scalable application assessments in the enterprise

Tom Parker & Lars Ewe of Cenzic discussed automated and manual testing and how to scale those practices to large enterprises.

One big question they posed was "How often are you scanning your applications?" Their basic point: we don't run virus scanners once, we run them regularly, and the same should apply to application scanners.

They contend that there are two major schools of thought about scanning:

  • Automated testing is the only practical and financially scalable solution.
  • Manual testing is the only valid solution.

Application security beyond the scanner monkey

Matt Fisher of Piscis Security gave a talk on security beyond the "scanner monkey" phase. A scanner monkey is someone who runs a scanner tool, collects the output, and thinks the vulnerability assessment is done. There are more and more scanners - commercial, proprietary, and open source - and yet on their own they are no longer good enough.

  • Scanners only start the process; they don't end it.
  • The person running the scanner is likely not skilled enough to configure it properly.