In December 2009, Google, Adobe and other companies were the victims of a damaging cyberattack called Operation Aurora. In this tip, expert Nick Lewis outlines the lessons learned from this attack, and how companies can avoid falling victim to similar attacks.
Jeff Williams, a co-author of the OWASP Top 10 List, explains some of the changes incorporated into the latest version. The list was updated for the first time in 3 years.
2010 Top 10 List:
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
K. Scott Morrison, CTO and chief architect at Layer 7 Technologies talks about some of issues hindering adoption of cloud computing. Also, Wade Baker of Verizon on that firms new security incident framework.
A brief look at the Pwn2Own hacker contest at the CanSecWest Applied Security Conference in Vancouver, BC. Also Department of Education CISO Phil Loranger on encryption.
From buffer overflows to SQL injection, hackers have many techniques at their disposal to attack Web applications, and new methods constantly emerge. This week’s podcast edition of Threat Monitor highlights one of the tips from this special Web application attack security guide, entitled: Prevent cross-site scripting hacks with tools, testing.
The editorial team recalls the themes and discussions that dominated the 2010 RSA Conference. Federal cybersecurity issues ruled with the debut of White House cybersecurity coordinator Howard Schmidt. Microsoft’s Scott Charney explained the legal action the software giant took to disrupt the Waledac botnet. Also, attendees showed interest in social networking security. In addition, the convergence of cloud computing and identity management was showcased.
Check out the RSA Conference 2010 news coverage.
Social networking risks, benefits for enterprises weighed by RSA panel
White House declassifies CNCI summary, lifts veil on security initiatives
Dan Kaminsky of IO Active explains the benefits of DNSSEC and why products and services that use the technology could take off in the next few years. Scott Rose of NIST describes the lessons learned from the deployment across the .gov domain at federal government agencies.
Experts see DNSSEC deployments gaining traction
Increased authentication at the DNS layer will block DNS cache poisoning and create new services, experts say. The root zone should be signed and verified by July.
DNSSEC: Has the Time Come? DNSSEC brings PKI to the Domain Name System and prevents dangerous cache poisoning attacks.
VIDEO - VeriSign on DNSSEC support Joe Waldron, a product manager in VeriSign’s Naming (DNS) Group, said engineers are testing and upgrading systems to support security extensions for DNS (DNSSEC).
In a recent US-CERT advisory, clientless SSL VPN vulnerabilities were listed as posing serious threats to Web browser security. In this tip, learn possible actions to take for Web browser protection.
Scott Charney, Microsoft’s vice president for Trustworthy Computing discusses the software giant’s latest legal action to take down the Waledac botnet.
Rich Baich, who heads Cyber Threat Intelligence Group at Deloitte, shares his thoughts on the 2010 RSA Conference and the current threat landscape.