Resources: Whitepapers

Resources:

Most of these computer security white papers have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS Software Security attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Application and Database Security
SANS Survey on Application Security Programs and Practices Jim Bird, Frank Kim Dec 2012
Software Security FAQ Tanya Baccam, Ralf Durkee, Barbara L. Filkins, Kevin Fuller, Leo McCavana, Mark Williams, Lenny Zeltser Feb 13, 2008
Setting Up a Database Security Logging and Monitoring Program Jim Horwath May 10, 2013
Endpoint Security through Application Streaming Adam Walter Mar 25, 2013
Auditing ASP.NET applications for PCI DSS compliance Christian Moldes Feb 7, 2012
Securing Blackboard Learn on Linux David Lyon Dec 1, 2011
Mass SQL Injection for Malware Distribution Larry Wichman Apr 28, 2011
Four Attacks on OAuth - How to Secure Your OAuth Implementation Khash Kiani Mar 24, 2011
Protecting Users: The Importance Of Defending Public Sites Kristen Sullivan Jan 18, 2011
Reducing Organizational Risk Through Virtual Patching Joseph Faust Jan 11, 2011
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know Jason Lam & Johannes B. Ullrich May 22, 2009
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them Ed Skoudis and Frank Kim Mar 3, 2009
Web Based Attacks Justin Crist Jan 4, 2008
Analyzing Attack Surface Code Coverage Justin Seitz Nov 14, 2007
Forensic Analysis of a SQL Server 2005 Database Server Kevvie Fowler Sep 28, 2007
Automated Scanning of Oracle 10g Databases Rory McCune Aug 7, 2007
Using Oracle Forensics to determine vulnerability to Zero Day exploits Paul Wright Feb 28, 2007
Security in Sun Java System Application Server Platform Edition 8.0 Sid Ansari Jun 29, 2005
Web Browser Insecurity Paul Asadoorian Jun 2, 2005
Application Firewalls: Don't Forget About Layer 7 Russell Eubanks May 17, 2005
Reining in the LAN client David Monaco Feb 25, 2005
Papers taken from SANS Reading Room.
Top
Authentication
Two-Factor Authentication: Can You Choose the Right One? Emilio Valente Oct 15, 2009
OS and Application Fingerprinting Techniques Jon Mark Allen Oct 22, 2008
Simple Formula for Strong Passwords (SFSP) Tutorial Bernie Thomas May 17, 2005
Installing a Secure Network DHCP Registration System Pam Fournier May 5, 2005
Secure implementation of Enterprise single sign-on product in an organization Ravikanth Ponnapalli Jan 18, 2005
Papers taken from SANS Reading Room.
Top
Securing Code
Which Disney© Princess are YOU? Joshua Brower Mar 18, 2010
Secure Authentication on the Internet Roger Meyer Feb 1, 2008
Software Engineering - Security as a Process in the SDLC Nithin Haridas Aug 7, 2007
How to Avoid Information Disclosure when Managing Windows with WMI Alex Timkov Jul 17, 2007
Threat Modeling: A Process To Ensure Application Security Steven Burns Oct 5, 2005
Papers taken from SANS Reading Room.
Top
Applications and Systems Development Security
Paper Author Date
Building Security into the System Development Life Cycle (SDLC): A Case Study James Purcell Aug 9, 2007
Application Security Dan McGinn-Combs Apr 9, 2007
Defining and Understanding Security in the Software Development Life Cycle James Purcell Apr 6, 2007
Outsourcing Daniel Accioly Rosa Mar 30, 2007
Comparing Software Development Life Cycles Jim Hurst Mar 23, 2007
Comparison of Java Applets and ActiveX Controls Jim Hurst Mar 23, 2007
Employee Management Security Controls James E. Purcell Mar 23, 2007
The Capability Maturity Model and Its Applications Jim Hurst Mar 20, 2007
Overview and Tutorial on Artificial Intelligence Systems Jim Hurst Mar 20, 2007
Comparison of Software Development Lifecycle Methodologies James Purcell Feb 12, 2007
Papers taken from the CISSP® certification prep domain.
Top
Developer 522
Latest Blog Posts

WhatWorks in AppSec: Log Forging
May 21, 2013 - 8:15 PM

Security Testing: Less, but More Often can make a Big Difference
January 14, 2013 - 6:42 PM

Ask the Expert - Jim Manico
November 26, 2012 - 5:38 PM

View More »

Latest Tweets @sansappsec

New blog post: "WhatWorks in AppSec: Log Forging" http://t.co/O0UQa12yFC
May 21, 2013 - 8:23 PM

Starts in 15 min: Webcast on "Java Web Security by Example" [...]
February 19, 2013 - 5:45 PM

Starts in 1 hour: Webcast on "Java Web Security by Example" [...]
February 19, 2013 - 5:00 PM

Latest Papers

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Endpoint Security through Application Streaming
By Adam Walter

Auditing ASP.NET applications for PCI DSS compliance
By Christian Moldes

View More »

"Great course. Very valuable information that I can apply to my job immediately. Thank you!"
- Jeffrey Flagg, Command Information

"Gives tangible ideas to put into practice to make your code and infrastructure more secure."
- Keith G. Tullius, II, Escambia County Sheriff's Office

"Great overview of different types of attacks and how to mitigate them."
- Tim Sargent, Kinecta Federal Credit Union