Best Practices: Use of Web Application Firewalls
Back in May, at AppSec OWASP in Ghent, I listened to Alexander Meisel (who was presenting on behalf of OWASP Germany) talk about best practices for web application firewall deployment. The interesting talk was backed by a larger document, which...
ModProfiler: Leading ModSecurity Towards Positive Security
Several years ago, a few more than I'd like to admit, I realised our chances for writing completely secure web applications are extremely slim; virtually non-existent. We can certainly try—and many are making heroic efforts—but nothing good can come out...
ModProfiler Presentation at OWASP AppSec Israel 2008
I will be giving the updated version of our ModProfiler presentation this Sunday (14th) at the OWASP Israel 2008 conference. ModProfiler has seen a release or two since Black Hat (where it was announced) so I can now speak with...
ModSecurity at ApacheCon US 2008
In a few weeks time I will present my favourite talk, Web Intrusion Detection with ModSecurity, at the ApacheCon US 2008 in New Orleans: Intrusion detection is a well-known network security technique--it introduces monitoring and correlation devices to networks, enabling...
Securing WebGoat using ModSecurity
This year, the OWASP's Summer of Code event contains one project that's of particular interest to me (and possibly to you, considering that you're following this blog): Securing WebGoat Using ModSecurity. If you've ever seen WebGoat (a learning sandbox that...

ModSecurity's Source Code Repository Is Now Open
I spent the last week importing ModSecurity's source code repository into subversion at Source Forge. I am proud to announce that a read-only version of ModSecurity's subversion repository is now publicly available. In addition to this, Atlassian has graciously given...

Leaving ModSecurity
Deciding to leave a job is rarely easy, but leaving your job and the project you've nurtured for six years is very difficult. In a few weeks time I will no longer be working for Breach Security and, as a...
Helping Protect Cookies with HTTPOnly Flag
If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, please refer to the following resources: Mitigating Cross-site Scripting With HTTP-only Cookies (http://msdn.microsoft.com/en-us/library/ms533046.aspx) and the OWASP HTTPOnly Overview (http://www.owasp.org/index.php/HTTPOnly). The...
Fixing Both Missing HTTPOnly and Secure Cookie Flags
In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but for...
Why Did Our Web Application Crash? Leveraging WAF Logging Data
More Than A Blocking Device: Unfortunately, most people have pigeon-holed WAFs as only Attack Blocking Devices and that is but one use-case option. This Blog post will highlight another interesting use-case/benefit of a web application firewall - capturing full HTTP...
Page 1 of 3