
Integrating Vulnerability Management Into The Application Development Process

Software developers are only human, which means that complex application code will include errors and bugs. This means that scanning and combing new application code for security flaws are part of virtually every software development process. But not all developers approach vulnerability discovery the same way -- and very few of them catch all of their code vulnerabilities on the first try.

http://www.darkreading.com/applications/integrating-vulnerability-management-int/240158652
The application development process
The effects of coding errors can be crippling. In 2003, a bug in General Electric's monitoring software cut off power to an estimated 50 million people. More recently, Knight Capital's computers erroneously executed a series of automatic stock orders that brought the company to the edge of bankruptcy, while HTC America has had to settle a civil suit with the Federal Trade Commission after a modification to the software on its Android- and Windows-based phones introduced numerous security vulnerabilities.

The pressure to get new products ready for market imposes accelerated timetables on developers, resulting in even more mistakes. When first released, Apple's Maps app, for example, was plagued with errors, damaged Apple's reputation and cost the executive held responsible his job. (It also led to a very public apology from Apple CEO Tim Cook.)

Content Security Policy halts XSS in its tracks

Cross-site scripting (XSS) is one of the biggest problems faced by webmasters. Even banks and payment service providers like PayPal appear unable to prevent XSS from being used to inject external code. The new Content Security Policy standard should finally relieve the problem.

http://www.h-online.com/security/features/Content-Security-Policy-halts-XSS-in-its-tracks-1892346.html
Modern web applications accept all sorts of user input. An obvious example is a search function for searching through goods available in an online store. Servers frequently return the input value as part of the search results: "Your search for *search term* returned 7 hits". If a web developer has failed to exercise sufficient care, cyber-criminals can exploit this to inject code into a web page, with a search term such as `<script>alert("Pwned!")</script>` being interpreted by the browser as JavaScript and executed in the context of the web site on which it is displayed. It therefore follows that unforeseen user input needs to be filtered.
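As an added illustration (not code from the h-online article), the reflection described above in Python: the search term echoed raw, the same template with the term HTML-escaped, and a restrictive Content-Security-Policy header a server could send alongside the page. Function names and the sample term are constructed for this example.

```python
import html

# Constructed sample input: the search term quoted in the article, not a real request.
SEARCH_TERM = '<script>alert("Pwned!")</script>'


def render_results_unsafe(term: str, hits: int) -> str:
    """Reflects the raw search term into the page: the flaw the article describes."""
    return f'<p>Your search for <em>{term}</em> returned {hits} hits</p>'


def render_results_safe(term: str, hits: int) -> str:
    """Same markup, but the term is escaped so the browser sees text, not tags."""
    return f'<p>Your search for <em>{html.escape(term, quote=True)}</em> returned {hits} hits</p>'


def contains_script_tag(fragment: str) -> bool:
    """Crude detection check: does the reflected fragment still carry a live <script> tag?"""
    return '<script' in fragment.lower()


def csp_header() -> tuple:
    """A restrictive policy (hypothetical values): scripts only from the site's own origin,
    no inline script and no plug-ins, so a reflected <script> block that slips past
    escaping is not executed by a CSP-aware browser."""
    return ('Content-Security-Policy',
            "default-src 'self'; script-src 'self'; object-src 'none'")


def build_response(term: str, hits: int) -> dict:
    """Assemble headers plus body the way a defensive handler would: escape on output
    and send the policy header as a second layer."""
    name, value = csp_header()
    return {'headers': {name: value, 'Content-Type': 'text/html; charset=utf-8'},
            'body': render_results_safe(term, hits)}


if __name__ == '__main__':
    print(render_results_unsafe(SEARCH_TERM, 7))  # tag survives: browser would run it
    print(build_response(SEARCH_TERM, 7))         # escaped body plus CSP header
```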