[REVS] The 80/20 Rule for Web Application Security

From: SecuriTeam (support_at_securiteam.com)
Date: 02/06/05

    To: list@securiteam.com
    Date: 6 Feb 2005 17:58:13 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      The 80/20 Rule for Web Application Security
    ------------------------------------------------------------------------

    SUMMARY

    The white paper linked here suggests several tools and policies with the
    intention of increasing your security "without touching the source code".

    The paper discusses several layers of security: the web server, the
    application server and the application itself.

    DETAILS

    Introduction:
    After performing hundreds of web security assessments you're bound to
    encounter many frighteningly insecure websites. Websites so badly
    protected you could literally make off with the credit card numbers in a
    way reminiscent of the movie Gone in Sixty Seconds. On the other hand
    there are many websites frustratingly impervious to attack. What I'll
    describe below are the subtle variations between the security "haves" and
    "have-nots". Using the age-old "80/20 rule", we'll look at a few
    techniques anyone can use to decrease the risk of their website being
    hacked. And to make it really easy you won't have to alter a single line
    of code!

    Download Information:
    The paper can be found at:
    http://www.webappsec.org/articles/013105.html

    ADDITIONAL INFORMATION

    The original article can be found at:
    http://www.webappsec.org/articles/013105.html
