Category:OWASP Guide Project

OWASP Developer Guide. The OWASP Developer Guide 2014 is a dramatic re-write of one of OWASP's first and most downloaded projects. The focus moves from countermeasures and weaknesses to secure software engineering. Introduction: The OWASP Developer Guide is the original OWASP project. The Developer Guide 2014 is a "first principles" book: it is not specific to any one language or framework, as they all borrow ideas and syntax from each other. The major themes in the Developer Guide include: Foundation, Architecture, Design, Build, Configure, Operate. We are re-factoring the original material from the Developer Guide 2.0, released in July 2005, bringing it into the modern world, and focusing it tightly on modern web apps that use Ajax and RESTful APIs, and of course, mobile applications. Intended audience: The primary audience for the new version of the Developer Guide is architects and developers.

Sony, Rootkits and Digital Rights Management Gone Too Far - Mark's Blog. Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application: Given the fact that I’m careful in my surfing habits and only install software from reputable sources, I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.

Pragmatic Architecture: Security. Ted Neward, December 2006. Applies to: .NET Framework. Summary: No other topic has so influenced and embroiled our industry as has the subject of security. Not to say that this influence has always been positive. We hear the statistics, read the news, and even swap the war stories at conferences and team meetings. Contents: Introduction; Secure Enough; Know What You Are Trying to Protect; Know How You Are Going to Protect It; The Answer; Conclusion. I mill with the rest of the group, enjoying the cocktails and free beer. "No way." I can't help myself. His smile grows large and oily. I take his card and think to myself, "What a jerk." "The most important thing is to find out what is the most important thing." –Shinryu Suzuki "Security is a process, not a product." –Bruce Schneier, Secrets and Lies: Digital Security in a Networked World. Introduction: No other topic has so influenced and embroiled our industry as has the subject of security. Secure Enough. Know What You Are Trying to Protect. It's just not true.

Top 10 Android Hacking Apps and Tools Of 2015 for hackers and security researchers. Here’s the 10 best Android hacking apps and tools of 2015. With the rise of technology and advancements in the mobile field, hacking has become very common these days, whereas it was once thought to be done only by those with expert knowledge of computers. Even everyday things such as smart devices are hacked nowadays. Hacking apps are used by some people just to explore the world of technology or to override security measures that are installed on their mobile devices. As we near the end of 2015, let’s have a look at the top 10 hacking apps of 2015 for Android. 1. Hackode is one of the best applications for people who want to hack their Android devices. 2. AndroRAT, short for Remote Administration Tool for Android, is a client/server application developed in Java Android for the client side and in Java/Swing for the server, which is used to control a system without having physical access to the system. 3. SpoofApp is definitely used for fun over functionality.

Reverse Engineering of Encrypted Code. Sometimes, when you set out to analyze a file suspected of being malware, you can get an idea of what it does simply by looking at the contents of the binary. Other times the malware is encrypted, so all you can see is the contents of the decryption routine. However, any software that is encrypted and has to decrypt itself automatically without human intervention must store the decryption password hardcoded (or download it from the Internet, or obtain it by some other means), so to find out what this kind of malware does we can either look for the decryption password in the routine, or let the malware itself decrypt the code and analyze it in memory. The first step is to let the malware run freely, checking with a network trace or host monitoring that its execution has reached the point we want (in this case, sending a POST /forum.php connection).

A vision of enterprise platform: Security Infrastructure. I have been asked how I would design a security infrastructure for my vision of an enterprise platform, and here is an initial draft of the ideas. As with anything in this series, no actual code was written to build them. What I am doing is going through the steps that I would usually go through before I actually sit down and implement something. While most systems go for the Users & Roles metaphor, I have found that this is rarely a valid approach in real enterprise scenarios. What are the requirements for this kind of infrastructure? Performant; human understandable; flexible; ability to specify permissions using the following scheme: on a group or on individual users; based on entity type, a specific entity, or an entity group. Let us give a few scenarios and then go over how we are going to solve them, shall we? A helpdesk representative can view account data, but cannot edit it. The security infrastructure revolves around this interface: So, in the next application that I built, I used a different approach.

Security Cheat Sheets for Ethical Hacking and Penetration Testing. Security cheat sheets for Ethical Hacking and Penetration Testing by sniferl4bs. Download and Extract Command: wget Contents: aircrack-ng, airport, burp, cewl, cidr, cookies, dig, fierce, ftp, golismero, hping, http, https-ssl-tls, hydra, john, maltego, markdown, medusa, metasploit, msfvenom, mysql, ncat, nessus, nikto, nmap, nping, permissions, php, pivoting, ps, python, reverse-shell, ruby, shadow, shodan, sqlmap, tcpdump, tshark, webservervulns, wireless-encryptions, wireshark, wpHardening. Download Cheatsheet: Security Cheat Sheets for Ethical Hacking and Penetration Testing

How to protect your Linux server from brute force attacks. For some years now I have had web servers online 24 hours a day at home, offering services to the Internet that require a username and a password to access them, such as SSH or FTP. I have received all kinds of attacks from some undesirables, but the most frequent is the brute force attack, which amounts to the use of a dictionary-style list of names. There have been days when they tried over and over again with an endless list of names to see if they matched the password of the root superuser, in order to take over the server through the SSH port. Up to today I have been blocking them in different ways, but the one I am going to explain this time is the best I have found against this type of threat. The guide you can read below applies to the Linux distributions Debian and Ubuntu, since those are the two on which I have tested this technique, with its installation and configuration working correctly. [ssh] [apache]

9 Best Hacking Apps For Android Phones | 2016. Based upon the industry reviews and our own experience, here is a compilation of the top Android hacking applications. Along with the description of apps, we have provided the relevant website and download links to help you get started instantly. Disclaimer: Please note that fossBytes is publishing this list just for educational purposes. We don’t support use of any tool to indulge in some unethical purposes. 9 Best Hacking Apps For Android Phones – 2016. AndroRAT: AndroRAT stands for Android and RAT (Remote Administrative Tools). The features in this useful Android hacking app include collecting information like contacts, call logs, messages, and location. — AndroRAT. Hackode: Hackode is an Android app which is basically a collection of multiple tools for ethical hackers, IT specialists, and penetration testers. — Hackode. zANTI: zANTI is a reputed Android hacking suite from Zimperium. — zANTI. FaceNiff — FaceNiff. Droidsheep

Apache Infrastructure Team incident report for 04/09/2010. Apache services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software. The Apache Software Foundation uses a donated instance of Atlassian JIRA as an issue tracker for our projects. Password Security: If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised. JIRA and Confluence both use a SHA-512 hash, but without a random salt. Bugzilla uses SHA-256, including a random salt. In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log passwords. What Happened? On April 5th, the attackers, via a compromised Slicehost server, opened a new issue, INFRA-2591: "ive got this error while browsing some projects in jira [obscured]". What worked? What didn't work?