<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.7.1" -->
<rss version="0.92">
<channel>
	<title>GDS Security Blog</title>
	<link>http://www.gdssecurity.com/l/b</link>
	<description>Gotham Digital Science Security Blog</description>
	<lastBuildDate>Wed, 08 Apr 2009 14:46:46 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Creating a Patch for Human Stupidity</title>
		<description>Social engineers use old tricks and new to bypass firewalls and other conventional IT security defences by taking advantage of human weakness or kindness to attack secure buildings, machine rooms, or trading floors from inside. This gives them access to information and data that they simply couldn't get by hacking ...</description>
		<link>http://www.gdssecurity.com/l/b/2009/04/08/creating-a-patch-for-human-stupidity/</link>
			</item>
	<item>
		<title>When ASP.NET EventValidation Doesn&#8217;t Work</title>
		<description>As a developer or security tester, it is important to know how built-in security mechanisms like EventValidation work. Starting with version 2.0 of the .NET Framework, Microsoft introduced the concept of “EventValidation” for validating PostBack data. The principle behind EventValidation is fairly simple -- if the framework ...</description>
		<link>http://www.gdssecurity.com/l/b/2009/03/19/when-aspnet-eventvalidation-doesnt-work/</link>
			</item>
	<item>
		<title>Source Boston IIS7 Slides Posted</title>
		<description>My slides from the Source Boston conference last week have been posted for public consumption. The talk discussed some of the cool new built-in features of IIS7, like the Integrated Request Pipeline and Request Filtering. Additionally, it covered the new modular architecture of IIS7 and discussed custom modules (like ...</description>
		<link>http://www.gdssecurity.com/l/b/2009/03/17/source-boston-iis7-slides-posted/</link>
			</item>
	<item>
		<title>.NET StockTrader from MSDN:  The new WebGoat?</title>
		<description>As an application security consultant, I always like to have a vulnerable sample application handy for demonstrating web application attacks to clients. The irony is that other than contrived vulnerable sample applications, like Foundstone's Hacme Applications or OWASP WebGoat, good vulnerable demo applications are actually hard to find. ...</description>
		<link>http://www.gdssecurity.com/l/b/2009/02/05/net-stocktrader-from-msdn-the-new-webgoat/</link>
			</item>
	<item>
		<title>Tamper Proofing Web Applications at Run-Time</title>
		<description>Earlier this week we presented at the OWASP NY/NJ chapter meeting on "Tamper Proofing Web Applications at Run-Time". The talk presented some strategies and free solutions for protecting web applications from input driven attacks. ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/12/19/tamper-proofing-web-applications-at-run-time/</link>
			</item>
	<item>
		<title>OWASP Boston Slides and SPF Public Demo Site</title>
		<description>The slide deck from the "Tamper Proofing Web Applications at Runtime" talk I gave last night at the OWASP Boston meeting is now available for download.

We also released version 1.0.1 of SPF earlier this week and have a public SPF demo site running .NET PetShop v4 from MSDN. ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/12/04/owasp-boston-slides-and-spf-public-demo-site/</link>
			</item>
	<item>
		<title>Key Principles in Writing Secure Code Webinar</title>
		<description>We just wrapped up a webinar titled "Key Principles in Writing Secure Code" for one of our training partners, Intense School. The target audience was primarily folks involved with application development looking for an introduction to Application Security. Here are some of the key points covered in the presentation:

	The OWASP ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/10/29/key-principles-in-writing-secure-code-webinar/</link>
			</item>
	<item>
		<title>Using SPF to Protect Against SQL Injection Worms</title>
		<description>When SPF was first released last month, I knew it was a great protection mechanism to thwart attacks against applications running on IIS. What I didn't realize was that the most urgent gap that it fills is that ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/09/09/using-spf-to-protect-against-sql-injection-worms/</link>
			</item>
	<item>
		<title>IIS Secure Parameter Filter (SPF) Released</title>
		<description>We have publicly released the Beta version of IIS Secure Parameter Filter (SPF) on our tools page. SPF is an application security module specifically designed to thwart parameter-based attacks against applications running on Microsoft IIS web servers. SPF requires minimal initial configuration and does not require making any modification ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/</link>
			</item>
	<item>
		<title>Overview of &#8220;SQL Injection Worms for Fun and Profit&#8221;</title>
		<description>For those of you who didn't catch my turbo talk at Black Hat in Las Vegas, and especially those of you who looked at the slides and demo in my previous blog post and had no idea what the talk was about, I thought I'd put together a short summary ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/08/21/overview-of-sql-injection-worms-for-fun-and-profit/</link>
			</item>
</channel>
</rss>
