Sunday, October 18, 2009

OWASP Top 10 - #1 - Cross Site Scripting (XSS)

In another post, I said I would talk about the OWASP Top 10, a list of the ten most critical Web application security flaws (the 2007 edition is the current one at the time of writing). Interestingly, this list is built into both the PCI DSS standard and the Shared Assessments program.

#1 on the OWASP Top 10 is Cross Site Scripting (XSS), which, per OWASP, occurs:

whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

For more information on XSS, check out this nice FAQ.

In the next post we will cover #2 on the Top 10.

DID YOU KNOW? Shared Assessments' Application Vulnerability Assessment actually contains 11 attributes. Can you name #11?

Saturday, October 17, 2009

Cisco Tip: ip default-gateway

The ip default-gateway command is used when you need to configure a default router and IP routing is either disabled or not available (on a Layer 2 switch such as the 2960, for example). Note that the command only takes effect while ip routing is disabled; once routing is enabled the switch ignores it, and you need a static default route (ip route 0.0.0.0 0.0.0.0 <next-hop>) instead.

Aside from looking through the configuration (show run | inc default-gateway), how can you check to see that your default router has indeed been configured?

Use the show ip redirects command: its first line reports the default gateway you just configured. Give it a try!
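Here is what the check looks like end to end, as an added illustration rather than output captured from a real device; the hostname and the 192.168.1.1 gateway address are made up, and the redirect cache will of course list entries on a busy switch.

```text
Switch# configure terminal
Switch(config)# ip default-gateway 192.168.1.1
Switch(config)# end
Switch# show ip redirects
Default gateway is 192.168.1.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
```

If that first line reads "Default gateway is not set" even though the command is in the running configuration, check whether ip routing has been enabled, since that is the usual reason the setting is silently ignored.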


What is the best method for baselining your control environment?

CobiT combined with ITIL and ISO27001/2? CobiT in combination with another standard?

What are your thoughts?

Using 1Password & RoboForm can keep you safe.....cont'd

If you need further convincing about the importance of good password management, check out this recent article.

After reading this article and the Newsweek article mentioned here, it is no small wonder that 1Password is the solution to this over 30-year-old problem.

Friday, October 16, 2009

Securing your password.....and your wallet! (Using 1Password & RoboForm can keep you safe)

What do you think of when you think of security? Still thinking, right? Exactly. No surprise, then, that functionality and utility have taken the front seat when it comes to application development. Today, however, with the rampant spread of cross-site scripting and SQL injection attacks, not to mention the already inescapable viruses and malware that live and breathe on anything running Windows, things are starting to change.

One of the most important facets of security is your password - the key to the castle. Newsweek just came out with a great article on building a better password. But, for my money - and that's what we are really trying to protect a lot of the time when we are online - there is no better solution than 1Password. For those of you still in the unfortunate position of having to use a PC (and that is how I look at it), you can turn to a good solution like RoboForm. But, for those in the know, we use a RoboForm for the Mac, if you will.

I have written about 1Password before, so will let you read my other posts to find out about it. My point in this post is that if you want to be secure online you need to have good (at a minimum) password management. By this, I am talking about a password that is not easily going to be hacked by a brute-force attack - something not easily guessed. With 1Password, you get all of this. And, further, 1Password automatically fills all of your forms for you.

I will be writing more about security soon, but you can find out more about how to secure your Mac now with 1Password here.