[REVS] The 80/20 Rule for Web Application Security

From: SecuriTeam (support_at_securiteam.com)
Date: 02/06/05

    To: list@securiteam.com
    Date: 6 Feb 2005 17:58:13 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      The 80/20 Rule for Web Application Security


    The white paper linked here suggests several tools and policies with the
    intention of "Increase your security without touching the source code".

    The paper discusses several layers of security: the web server, the
    application server, and the application itself.


    After performing hundreds of web security assessments you're bound to
    encounter many frighteningly insecure websites. Websites so badly
    protected you could literally make off with the credit card numbers in a
    way reminiscent of the movie Gone in Sixty Seconds. On the other hand,
    there are many websites frustratingly impervious to attack. What I'll
    describe below are the subtle variations between the security "haves" and
    "have-nots". Using the age-old "80/20 rule", we'll look at a few
    techniques anyone can use to decrease the risk of their website being
    hacked. And to make it really easy, you won't have to alter a single line
    of code!

    Download Information:
    The paper can be found at:


    The original article can be found at:


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
