How Red Teams Hack Your Site To Save It
Nerval's Lobster writes "The use of a Red Team and penetration testing can strengthen an organization's security posture. But how does a Red Team member actually think like an attacker, and use that mindset to exploit security vulnerabilities? Gillis Jones works for WhiteHat Security, where his job rests within the TRC (Threat Research Center). It's here that he performs hands-on site assessments, which involve manually confirming all the issues reported by an automatic scan of a particular Website or application. His job includes checking the application's POST and GET requests for reflection of any inputs. He also checks for Cross-Site Scripting (XSS), which includes stored, reflected, and DOM XSS vulnerabilities. Those checks let him determine the Website’s basic security posture. If user input isn’t encoded or sanitized, that’s a good indicator of other problems. And if that’s the case, then Jones (or someone like him) will move on to checking for SQL Injection (SQLi) vulnerabilities ...
Found more than 1 month ago on channel Slashdot
QuickTime for Windows updated to close security holes
Version 7.7.3 of Apple's QuickTime media player for Windows addresses nine security vulnerabilities, all of which could be exploited to crash the application or execute arbitrary code.
Cisco closes holes in its VPN client and security appliances
The network equipment manufacturer is warning its customers of various security vulnerabilities in its AnyConnect VPN Client, Adaptive Security Appliances, Catalyst ASA Services Module and Application Control Engine (ACE) software.
The Cost of Crappy Security In Software Infrastructure
blackbearnh writes "Everyone these days knows that you have to double- and triple-check your code for security vulnerabilities, and make sure your servers are locked down as tight as you can. But why? Because our underlying operating systems, languages, and platforms do such a crappy job of protecting us from ourselves. The inevitable result of clamoring for new features, rather than demanding rock-solid infrastructure, is that the developer community wastes huge amounts of time protecting their applications from exploits that should never be possible in the first place. The next time you hear about a site that gets pwned by a buffer overrun exploit, don't think 'stupid developers!', think 'stupid industry!'"
Found more than 1 month ago on channel Slashdot