Wireless Activity Monitoring for PCI DSS Compliance

In an effort to be PCI DSS compliant, I took a trustkeeper.net questionnaire. I failed the question that asks: Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? (SAQ #11.1) My only wireless access…

Do any security experts recommend bcrypt for password storage?

On the surface, bcrypt, an 11-year-old security algorithm designed for hashing passwords by Niels Provos and David Mazières, which is based on the initialization function used in the NIST-approved Blowfish algorithm, seems almost too good to be true. It is not vulnerable to rainbow tables (since creating them is too expensive) and…

Are bookmarklets safe with facebook data?

I usually play Mafia Wars and use bookmarklets like Spockholm, Arum, etc. Can these bookmarklets get my Facebook data when I run them? They usually ask to unframe the Facebook page. I was just wondering if it was possible that they’re stealing my friends’ info from Facebook and selling it on to advertisers?…

Rails – protection against code injection and XSS

I’ve started using Ruby on Rails, and I was wondering if there were any security gotchas to watch out for with Rails, particularly regarding code injection and XSS? I know Rails tries to prevent such attacks by sanitizing inputs, but I guess this can’t be infallible. Rails 3 has some pretty good…

Courses on “Secure Software Development” [closed]

This semester, I’m offering a course on “secure software development”. The course is divided into three parts: Secure Software Engineering, Reverse Engineering, and Secure Coding. Do you know of any courses (especially those offered at universities) with similar content that you would advise me to look at? I don’t want my students to feel that only Windows…

Does an established SSL connection mean a line is really secure?

From the view of somebody offering a web application, when somebody connects with SSL (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over this line, or can it be that there is still eavesdropping? This question was IT Security Question of the Week. Read the…

User input data, is filtering enough or should it be parsed?

In a web application there could be two approaches to mitigate XSS attacks: all the input data could be filtered (removing all ‘bad’ data), or the input could be parsed, tokenized and output with only the allowed tags, etc. Which method should be preferred from a security standpoint? With either method, what are the gotchas?…

How to perform a security audit for a PHP application?

I have a PHP application that I would like to have audited for security. I’m familiar with most of the general security issues, but want to make sure I didn’t miss anything. What steps should I take to perform a self-audit? What tools are available? What is the best way to find a 3rd-party auditor?…

ASP.NET MVC security check list

I am planning to start a new web site on ASP.NET MVC 2 (3). Does anybody have a full (if possible) checklist of actions and approaches I should take to avoid most problems with security? Related: Guidance for HTTPS-only sites – LamonteCristo Oct 1 ’11 at 15:17. @makerofthings it’s useful and a good question…

Should I use Suhosin for PHP?

Suhosin can be used to increase the security of your PHP application. I can really see the use of it when you are using shared hosts, with multiple (possibly evil) people running their PHP apps there. When you only have one web app, your own, is there any advantage in using Suhosin?…