Resources: Whitepapers


Most of these computer security white papers have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS Software Security attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

Application and Database Security
Paper | Author | Date
How to Win Friends and Remediate Vulnerabilities | Chad Butler | Mar 27, 2014
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment | Jeremy Druin | Dec 4, 2013
Protecting applications against Clickjacking with F5 LTM | Michael Nepomnyashy | Dec 4, 2013
A Hands-on XML External Entity Vulnerability Training Module | Carrie Roberts | Dec 4, 2013
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? | Erik Couture | Jun 14, 2013
Setting Up a Database Security Logging and Monitoring Program | Jim Horwath | May 10, 2013
Endpoint Security through Application Streaming | Adam Walter | Mar 25, 2013
Auditing ASP.NET applications for PCI DSS compliance | Christian Moldes | Feb 7, 2012
Securing Blackboard Learn on Linux | David Lyon | Dec 1, 2011
Mass SQL Injection for Malware Distribution | Larry Wichman | Apr 28, 2011
Four Attacks on OAuth - How to Secure Your OAuth Implementation | Khash Kiani | Mar 24, 2011
Protecting Users: The Importance Of Defending Public Sites | Kristen Sullivan | Jan 18, 2011
Reducing Organizational Risk Through Virtual Patching | Joseph Faust | Jan 11, 2011
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know | Jason Lam & Johannes B. Ullrich | May 22, 2009
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them | Ed Skoudis and Frank Kim | Mar 3, 2009
Web Based Attacks | Justin Crist | Jan 4, 2008
Analyzing Attack Surface Code Coverage | Justin Seitz | Nov 14, 2007
Forensic Analysis of a SQL Server 2005 Database Server | Kevvie Fowler | Sep 28, 2007
Automated Scanning of Oracle 10g Databases | Rory McCune | Aug 7, 2007
Using Oracle Forensics to determine vulnerability to Zero Day exploits | Paul Wright | Feb 28, 2007
Security in Sun Java System Application Server Platform Edition 8.0 | Sid Ansari | Jun 29, 2005
Web Browser Insecurity | Paul Asadoorian | Jun 2, 2005
Application Firewalls: Don't Forget About Layer 7 | Russell Eubanks | May 17, 2005
Reining in the LAN client | David Monaco | Feb 25, 2005
Papers taken from SANS Reading Room.
Paper | Author | Date
An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools | Tom Webb | Mar 27, 2014
Implementing IEEE 802.1x for Wired Networks | Johan Loos | Mar 14, 2014
The Dangers of Weak Hashes | Kelly Brown | Dec 4, 2013
Daisy Chain Authentication | Courtney Imbert | Sep 18, 2013
SSL/TLS: What's Under the Hood | Sally Vandeven | Aug 22, 2013
Two-Factor Authentication: Can You Choose the Right One? | Emilio Valente | Oct 15, 2009
OS and Application Fingerprinting Techniques | Jon Mark Allen | Oct 22, 2008
Simple Formula for Strong Passwords (SFSP) Tutorial | Bernie Thomas | May 17, 2005
Installing a Secure Network DHCP Registration System | Pam Fournier | May 5, 2005
Secure implementation of Enterprise single sign-on product in an organization | Ravikanth Ponnapalli | Jan 18, 2005
Papers taken from SANS Reading Room.
Securing Code
Paper | Author | Date
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? | Erik Couture | Jun 14, 2013
Which Disney© Princess are YOU? | Joshua Brower | Mar 18, 2010
Secure Authentication on the Internet | Roger Meyer | Feb 1, 2008
Software Engineering - Security as a Process in the SDLC | Nithin Haridas | Aug 7, 2007
How to Avoid Information Disclosure when Managing Windows with WMI | Alex Timkov | Jul 17, 2007
Threat Modeling: A Process To Ensure Application Security | Steven Burns | Oct 5, 2005
Papers taken from SANS Reading Room.
Applications and Systems Development Security
Paper | Author | Date
Building Security into the System Development Life Cycle (SDLC): A Case Study | James Purcell | Aug 9, 2007
Application Security | Dan McGinn-Combs | Apr 9, 2007
Defining and Understanding Security in the Software Development Life Cycle | James Purcell | Apr 6, 2007
Outsourcing | Daniel Accioly Rosa | Mar 30, 2007
Comparing Software Development Life Cycles | Jim Hurst | Mar 23, 2007
Comparison of Java Applets and ActiveX Controls | Jim Hurst | Mar 23, 2007
Employee Management Security Controls | James E. Purcell | Mar 23, 2007
The Capability Maturity Model and Its Applications | Jim Hurst | Mar 20, 2007
Overview and Tutorial on Artificial Intelligence Systems | Jim Hurst | Mar 20, 2007
Comparison of Software Development Lifecycle Methodologies | James Purcell | Feb 12, 2007
Papers taken from the CISSP® certification prep domain.