Security Projects
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
Tom Bicer wrote in to tell us about some interesting development amongst the SSL certificate providers. Comodo made a press release announcing that they found some vulnerabilities related to Verisign's certificate and had advised Verisign on the vulnerabilities.
The Public Interest Registry, which operates the .org generic top-level domain, announced today that it has completed deployment of Domain Name System Security Extensions, which provide an additional level of security to the DNS. The full deployment tops off a two-year deployment and testing period of DNSSEC in 18 live
The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities. It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP
Firefox users worried about Internet eavesdropping are being offered a new way to encrypt their interaction with a range of popular websites, including Facebook and Twitter.
Even as he referred to the "cost of transparency" uncovered by his research, Sam Ransbotham, a professor at Carroll School of Management, acknowledged that "the transparency benefits far outweigh this cost. ... The challenge for open source communities is to maintain the benefits while mitigating the downsides."
Organizations that are in the process or considering migrating to Linux on System z look to a variety of sources for
Security experts agree that there's something wrong with the software development process, but there are differing opinions on how to solve the problem. It's another day in the life of a security pro -- or a hacker. Much of your time is spent searching applications for that one weak point, the one that will lead to the breach of sensitive data. And nearly every day, somebody finds one. Or more.
Apple's reputation for security continues to take hits as hacker group Goatse Security this week accused the company of failing to patch a flaw in Safari -- known since March -- and rendering iPads susceptible to active exploits in the hundreds, if not thousands.
Renowned security researcher Dan Kaminsky today went public with the launch of a new venture as well as its first deliverable -- a tool for application developers that helps prevent pervasive string injection-type attacks, such as SQL injection and cross-site scripting (XSS).
I am a fan of modsecurity (//) as a fast and cheap way to get decent protection for application layer attacks. But, as you know, risks are increasing and when the risk analysis performed to your organization shows that application disruptions have a big impact to the core business, it's time to strengthen controls and think about delivering protection from the code itself.
Webmasters running unfinished modules for Drupal do so at their own risk after the open-source CMS updated its guidelines on fixing security vulnerabilities.
Researchers have released software that exposes private information and executes arbitrary code on sensitive websites by exploiting weaknesses in a widely used web development technology.
Google has paid out its highest sum yet, $2,000, for the discovery of a vulnerability found in its Chrome browser. The recipient is developer Sergey Glazunov, who found a DOM method-related means of circumventing the same origin policy.
The IT Department where Daniel Toth works won't let him use open source software because they believe it's a security risk. Is it? No. If anything, open-source software has the potential to be safer. Not that it always is, of course.
The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years' worth of attack data. The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities.
Identify content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more. When you visit a website in your browser the transaction includes many unseen hints about how the webserver is set up and what software is delivering the webpage. Some of these hints are obvious, eg.
Looking for ideas to improve how code security is done in your enterprise? Here are several. Code security is something companies have struggled with for some time. In the rush to make new websites and applications available to customers, vulnerabilities are inevitably left behind.
FOCA 2 has a new algorithm which tries to discover as much info related to network infrastructure as possible. In this alpha version FOCA will add to the figured out network-map, all servers than can be found using a recursive algorithm searching in Google, BING, Reverse IP in BING, Well-known servers and DNS records, using an internal PTR-Scaning, etc
Are you responsible for one or more Windows computers? If yes then the odds are really good that you have had to deal with cleaning viruses and malware. Did you know F-Secure offers a free Rescue CD built on Knoppix for just this purpose? Let's take a look at how easy the F-Secure Rescue CD is to use.
The short answer: Updates are worthless if one does not apply them. Once again I find myself cleaning malware off of a home user