Through our consulting experience and ongoing research, our consultants stay at the cutting edge of application security. Here are some of the white papers, articles and conference talks that our experts have written or presented.
Search Engine Attacks
Search engines such as Google and Yahoo are crucial to regular use of the Internet. They are also indispensable tools for hackers who can perform information gathering without ever visiting the victim site. In this presentation Security Compass founder Nish Bhalla walks through examples of how search engines could be used to aid hackers.
Web Services Security
Web services are being leveraged by organizations around the world to ease integration of heterogeneous environments and to allow system-to-system communication over port 80. Their very open and flexible nature also makes them ideal targets for a new breed of attacks. Nish Bhalla discusses fundamental vulnerabilities in XML functionality, including parsers, validators, and SOAP messages.
Building Compliance into the SDLC
Sarbanes-Oxley, Bill 198, and several other regulations/legislation have had dramatic effects on information technology. In this presentation, Security Compass manager Rohit Sethi builds a case and presents a framework for building compliance activities into the software development lifecycle to improve application compliance and lower audit costs.
Writing Stack Based Overflows on Windows
Buffer overflow attacks exploit programmer faults in memory management. Understanding exactly how a buffer overflow attack is executed remains one of the least understood topics in application security. In this four-part series plus one supplement, Security Compass founder Nish Bhalla explains how a stack-based overflow is executed on the Windows platform:
- Basic Concepts
- Windows Assembly for Writing Exploits
- Stack Overflows
- Creating Shell Code and Exploiting An Application Remotely
- Source Code Used in Articles
Exploiting and Defending Web Applications
This presentation discusses how improper authentication, authorization, input validation and lost-password handling can be abused to gain access to an application and then privileged access on a system behind a firewall.
Analyzing Code for Security Defects
This presentation discusses a technique for assigning value to risk when performing a threat analysis. Once the threats have been determined, it explores how to perform a focused code review on a large code base. It also covers some basic problems that are typically found when performing code review in C/C++.
Exploiting and Defending Networks
This presentation discusses how an application can be leveraged to gain "Enterprise Administrative Access" to an internal Windows 2003 network behind a firewall. It uses traditional techniques that are still valid in Windows 2003 environments.
Building an AIX Bastion Host
A Bastion Host is a server that is configured so that Operating System (OS) security is hardened. This type of configuration is used on firewalls, web servers, FTP servers and mail servers that are placed in direct connection with an outside network, such as the Internet. The purpose of this document is to create a Bastion Host configuration for AIX version.
Auditing Source Code
The objective of the talk is to understand the common problems when developing code written in C/C++. It can be used as a starting point to identify security problems when writing applications. The overall focus will be on the prevention of security vulnerabilities and the implementation of technical countermeasures.
The Importance of Application Classification in Secure Application Development
With the hype surrounding secure applications, organizations may attempt broad adoption of secure development principles. Security as an architectural driver is often at the expense of performance (e.g. component redundancy), usability (e.g. complexity of using the application) and cost (e.g. using SSL to implement HTTP requires PKI or third party certificates, slows traffic, etc.). Most development shops are having a tough time balancing all of these factors. Fortunately, there is a way to provide guidance in striking this balance.
Aspect-Oriented Programming and Security
Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework, people are beginning to understand the substantial benefits that AOP brings to development. While several others have tied AOP to security, I aspire to raise awareness amongst my information security colleagues that AOP can have a substantially beneficial impact on application security. I'm convinced that, if more of us understand it, we'll be in a better place to work with developers to create secure applications and, perhaps more importantly, add security into existing insecure applications.
Building Secure Applications: Consistent Logging
This article examines the dismal state of application-layer logging as observed from the authors' years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks. An idea of a practical implementation is discussed, along with an examination of some of the associated risks and costs.
Navigations is the periodic newsletter from Security Compass to help keep you informed of updates in application security.
