OpenID Federated Login Service for Google Apps - Google Apps Platform
Google Apps offers an OpenID API that allows end users to securely sign in to third-party web sites using their Google Apps user account.
The OpenID standard frees users from having to set up separate login accounts for different web sites--and conversely, frees web site developers from the task of managing login information and security measures. OpenID achieves this goal by providing a framework in which users can establish an account with an OpenID provider, such as a Google Apps hosted domain, and use that account to sign into any web site that accepts OpenIDs.
The Google Apps API supports the OpenID 2.0 Directed Identity protocol, allowing any hosted domain to act as an OpenID provider. On request from a third-party site, Google authenticates users who sign in with an existing Google Apps account and returns to the third-party site an identifier that the site can use to recognize the user.

SSO for Google Apps Marketplace applications

Oracle Java 7 Security Manager Bypass Vulnerability
Update Java
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 (7u11) addresses this vulnerability (CVE-2013-0422) and a different but equally severe vulnerability (CVE-2012-3174).
Java 7 Update 11 sets the default Java security setting to "High" so that users are prompted before running unsigned or self-signed Java applets.

Disable Java in web browsers
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. If you are unable to update to Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.

Vulnerability Note VU#625617
Java 0day
The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware – say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java.
The curator of Blackhole, a miscreant who uses the nickname “Paunch,” announced yesterday on several Underweb forums that the Java zero-day was a “New Year’s Gift” to customers who use his exploit kit. Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack. According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest – Java 7 Update 10. This information could not be immediately verified, but if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don’t need it.

Chapter 1: Security Fundamentals for Web Services
Understand the key security requirements.
Understand the difference between threats, attacks, vulnerabilities, and countermeasures.
Understand the key distinctions for Service-Oriented Architecture (SOA).
Understand the Web Services Security Frame.
Understand the key principles and patterns for building secure services.

Building secure services includes knowing the threats you face, making effective trade-offs, and integrating security throughout your software development life cycle. Security is fundamentally about protecting assets. It is important to recognize that security is a path, not a destination.
Security relies on the following elements: Authentication.

When thinking about security, it is helpful to think in terms of assets, threats, vulnerabilities, and attacks. Asset.

To summarize, a threat is a potential event that can adversely affect an asset, whereas a successful attack exploits vulnerabilities in your system.

Service exposed over the Internet. Interoperable. Enterprise SOA.
CWE - VIEW SLICE: CWE-2000: Comprehensive CWE Dictionary (2.3)

Five free pen-testing tools
Computerworld - Security assessment and deep testing don't require a big budget.
Some of the most effective security tools are free and are commonly used by professional consultants, private industry, and government security practitioners. Here are a few to start with. For scanning in the first steps of a security assessment or pen test, Nmap and Nessus share the crown. Nmap is a simple, powerful, and very well-reviewed scanner that one finds in the toolbox of any serious security consultant. Nmap and its Zenmap graphical interface are free and available at nmap.org for virtually any platform, from Vista and OS X to AmigaOS, and will happily run on low-power systems.
Nessus performs scans and up-to-date vulnerability testing in one interface, through a purchased "feed" of vulnerability modules for the freely downloadable application. The Metasploit Framework provides more operating system and application exploit information than most analysts would know what to do with.