AppSec Blog: Category - php

AppSec Blog:

HTML5: Risky Business or Hidden Security Tool Chest?

I was lucky to be allowed to present about how to use HTML5 to improve security at the recent OWASP APPSEC USA Conference in New York City. OWASP now made a video of the talk available on YouTube for anybody interested.

http://www.youtube.com/watch?v=fzjpUqMwnoI

 

Safer Software through Secure Frameworks

We have to make it easier for developers to build secure apps, especially Web apps. We can't keep forcing everybody who builds an application to understand and plug all of the stupid holes in how the Web works on their own — and to do this perfectly right every time. It's not just wasteful: it's not possible.

What we need is implementation-level security issues taken care of at the language and framework level. So that developers can focus on their real jobs: solving design problems and writing code that works.

Security Frameworks and Libraries

One option is to get developers to use secure libraries that take care of application security functions like authentication, authorization, data validation and encryption. There are some good, and free, tools out there to help you.

If you're a Microsoft .NET developer, there's Microsoft's Web Protection Library which provides functions and a runtime engine

...

Taming the Beast - The Floating Point DoS Vulnerability

Originally posted as Taming the Beast

The recent multi-language numerical parsing DOS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001.This is a significant bug in (at least) PHP and Java. Similar issues have effected Ruby in the past. This bug has left a number of servers, web frameworks and custom web applications vulnerable to easily exploitable Denial of Service.

Oracle has

...

Top 25 Series - Rank 17 - Integer Overflow Or Wraparound

The author discussion integers, wraparound and how random numbers may very much be non random if you don't know how to read the manual.

What should be part of a PHP Streetfighter API

Do we need a quick and dirty PHP Streetfighter API? Something to help lazy developers beat up lazy exploits? Something that can be written in 24hrs and learned in less then 1hr? If you are interested in using it, let me know.