Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed. Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons. As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being... Read more →
44 posts categorized "Software Development"
25 September 2008
Proxy Caches are a Challenging Threat to Internet Security
Posted by Tim Bass on 25 September 2008 at 02:39 PM in IT Security, Software Development | Permalink
|
Comments (5)
|
TrackBack (0)
24 August 2008
The Looming Dangers of Security Vulnerability Sensationalism
I am feeling a bit "long in the tooth" today, because like many of our honorable colleagues here at the (ISC)² blog, I remember computer security before there was an (ISC)² and before there was a World-Wide-Web. Yes, there was security professionals before terms like "firewalls" became popular, believe-it-or-not. Back in "the old days" we had to set up sniffers on both sides of a router to figure out how to set up access control lists. If we needed to change the passwords on all our network devices when someone left our "big telecom company" we launched a shell script,... Read more →
Posted by Tim Bass on 24 August 2008 at 11:15 AM in IT Security, Risk, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
08 August 2008
Malware trends
The anti-malware company I work for has just published its half-yearly report on threat trends, based on automated malware tracking systems. Already I hear the more cynical among you muttering "Aha! Product pitch!" and, of course, this kind of document does have a marketing purpose. However, at 50-odd pages, it's a bit more than a press release, and many of those pages actually consist of near-raw localized data (included for the benefit of our distributors). All that aside, there are some conclusions that may interest you. Well, they interested me - just as well, considering how long I spent on... Read more →
Posted by David Harley on 08 August 2008 at 11:01 AM in IT Security, Malware, Software Development | Permalink
|
Comments (1)
|
TrackBack (0)
13 May 2008
How did you learn your trade?
A study examined course descriptions on UK university websites to determine the amount of IT security content in undergraduate IT courses: "The vast majority of UK computing students receive virtually no security training when it comes to designing and developing new software applications, according to government funded research. Less than 20 per cent of all computing undergraduates in the UK receive more than five hours training in incorporating security functionality over the three to four year duration of their course. This was according to research by the Cyber Security Knowledge Transfer Network(KTN), which was created in 2006 by the government's... Read more →
Posted by Gary Hinson on 13 May 2008 at 06:36 PM in Cybersecurity Certifications, Cybersecurity Training, IT Security, Software Development | Permalink
|
Comments (3)
|
TrackBack (0)
Search
Categories
- (ISC)² Chapters (22)
- (ISC)² Events (159)
- Center for Cyber Safety and Education (52)
- Cloud Security (132)
- Cybersecurity Certifications (376)
- Cybersecurity Training (310)
- Cybersecurity Workforce (243)
- Digital Forensics (29)
- Ethics (52)
- Government (124)
- Insider Risk (56)
- IT Security (373)
- Legal (45)
- Malware (112)
- Network Security (176)
- Operations Security (141)
- Privacy (116)
- Ransomware (84)
- Risk (196)
- Software Development (44)
- Spotlight (71)