
security
With OAuth reaching its final draft (OAuth Core 1.0 Draft 4) last night, it is time for those of you new to the protocol to dive in and learn what it is all about. I have written in a previous post about the history behind OAuth, its use cases, and when it is (or isn’t) applicable. People seem to like my metaphor of a valet key, which John Panzer rephrased “OAuth: Your valet key for the Web”. Beginner’s Guide to OAuth – Part I Introduction This guide is intended for a technical audience with focus on implementation.
Beginner’s Guide to OAuth – Part I: Overview
OAuth Core 1.0 (also known as RFC 5849), the community-based specification published on December 4th, 2007, revised June 24th, 2009, and finalized in April 2010, is one of the fastest growing Open Web specifications. It provides a much needed solution for securing web APIs without requiring users to share their usernames and passwords. This guide attempts to explain OAuth by taking a look at its history, architecture, and technical details. It is written primarily for developers looking to implement services offering secure APIs or developers implementing clients using OAuth-protected services. The OAuth specification has gone through a few complete rewrites.
The OAuth 1.0 Guide
For many of us, logging into websites is a part of our daily routine. In fact, we probably do it so often that we’ve stopped having to think about how it’s done… that is, until something goes wrong: we forget our password, our user name, the email address we signed up with, how we signed up, or even if we ever signed up at all. These experiences are not just frustrating for us, but are bad for businesses as well. How bad? User Interface Engineering’s analysis of a major online retailer found that 45% of all customers had multiple registrations in the system, 160,000 people requested their password every day, and 75% of these people never completed the purchase they started once they requested their password. To top it off, visitors who are not logged in do not see a personalized view of a website’s content and recommendations, which reduces conversion rates and engagement.
New Approaches To Designing Log-In Forms - Smashing Magazine
Using mod_ssl on Mac OS X
Survival Guide - SSL/TLS and SSL (X.509) Certificates (Self-Signed)
This is a survival guide to the eye-glazing topic of SSL/TLS and X.509 (SSL) certificates - including self-signed certificates. These are elements in what is loosely called a Public Key Infrastructure (PKI). What are colloquially known as SSL certificates should be referred to as X.509 certificates. The term SSL certificate became common due to the adoption of the X.509 (one of the ITU X.500 Directory standards) certificate format by Netscape when it designed the original versions of the SSL protocol, eons ago, when the world was still young and the Internet was a friendly place.
ssh
XSS
Trying to install the security compliance manager. However, if I select the Download and Install option the install fails because it doesn't seem to be smart enough to handle a proxy connection. If I select the install option to tell the installer I've already downloaded SQL Server Express, the installer says the installer is invalid. Finally, haven't been able to find a way to tell the installer that SQL Server express is already installed. All I need is the Windows 7 Security Baseline.

