
Category:OWASP Guide Project
OWASP Developer Guide The OWASP Developer Guide 2014 is a dramatic re-write of one of OWASP's first and most downloaded projects. The focus moves from countermeasures and weaknesses to secure software engineering. Introduction The OWASP Developer Guide is the original OWASP project. The Developer Guide 2014 is a "first principles" book: it is not specific to any one language or framework, as they all borrow ideas and syntax from each other. The major themes in the Developer Guide include: Foundation, Architecture, Design, Build, Configure, Operate. We are re-factoring the original material from the Developer Guide 2.0, released in July 2005, bringing it into the modern world and focusing it tightly on modern web apps that use Ajax and RESTful APIs, and of course on mobile applications. Intended audience The primary audience for the new version of the Developer Guide is architects and developers.

Sony, Rootkits and Digital Rights Management Gone Too Far - Mark's Blog Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application: Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.

My Blog As the constants m and n vary, the parametric equations x = sin(m · t), y = sin(n · t) trace out a series of beautiful curves. The French physicist Jules Antoine Lissajous studied this kind of curve in 1857, so they are called Lissajous curves. I saw an animated demonstration of Lissajous curves on reddit and thought it looked really cool; but that animation did not explain how the curves are generated, and many of its details were not quite satisfying, so I decided to make one myself. This animation shows the Lissajous curve for m = 13, n = 18. From July 30 to August 7, 2016, the 39th European Juggling Convention was held in Almere, the Netherlands; Fight Night in the early hours of August 3 naturally became the focus of everyone's attention once again, since it is the biggest event in the sport of combat juggling. Combat juggling is a two-player competitive sport. A typical round goes roughly like the following. The following puzzle comes from the August 2016 problem on the Using your Head is Permitted puzzle site, slightly modified. There are some people in a room, and any two of them have exactly 1 friend in common. Besides the situation shown in the figure above, we can construct many other situations that also satisfy the requirement. Infinitely many identical square cells are arranged in a row, extending infinitely to the left and right. Choose a cell, ensuring that it contains at least 1 atom. Initially, one cell contains 1 atom. Problem 6 of IMO 2016 (that is, Problem 3 of the second day) is very interesting; it is probably one of the most interesting problems among all IMO problems of the past decade. Prove: when n is odd, Geoff can always achieve what he demands.

Pragmatic Architecture: Security Ted Neward December 2006 Applies to: .NET Framework Summary: No other topic has so influenced and embroiled our industry as has the subject of security. Not to say that this influence has always been positive. We hear the statistics, read the news, and even swap the war stories at conferences and team meetings. Contents: Introduction; Secure Enough; Know What You Are Trying to Protect; Know How You Are Going to Protect It; The Answer; Conclusion. I mill with the rest of the group, enjoying the cocktails and free beer. "No way." I can't help myself. His smile grows large and oily. I take his card and think to myself, "What a jerk." "The most important thing is to find out what is the most important thing." –Shinryu Suzuki "Security is a process, not a product." –Bruce Schneier, Secrets and Lies: Digital Security in a Networked World Introduction No other topic has so influenced and embroiled our industry as has the subject of security. Secure Enough Know What You Are Trying to Protect It's just not true.

Top 10 Android Hacking Apps and Tools Of 2015 for hackers and security researchers Here’s the 10 best Android hacking apps and tools of 2015 With the rise of technology and advancements in the mobile field, hacking, which was once thought to be done only by those with expert knowledge of computers, has become very common these days. Even everyday things such as smart devices are hacked nowadays. Hacking apps are used by some people just to explore the world of technology or to override security measures that are installed on their mobile devices. As we near the end of 2015, let’s have a look at the top 10 hacking apps of 2015 for Android. 1. Hackode is one of the best applications for people who want to hack their Android devices. 2. AndroRAT, short for Remote Administration Tool for Android, is a client/server application developed in Java Android for the client side and in Java/Swing for the server, which is used to control a system without having physical access to the system. 3. SpoofApp is definitely used for fun over functionality.

Reverse Engineering of Encrypted Code Sometimes, when you set out to analyse a file suspected of being malware, it is possible to get an idea of what it does simply by looking at the contents of the binary. Other times the malware is encrypted, so all we can see is the contents of the decryption routine. However, any software that is encrypted and has to decrypt itself automatically, without human intervention, necessarily has to store the decryption password hardcoded (or download it from the Internet, or obtain it by some other means), so to find out what this type of malware does we can either look for the decryption password in the routine, or let the malware itself decrypt the code and analyse it in memory. The first step is to let the malware run freely, checking with a network trace or by monitoring the machine that its execution has reached the point we want (in this case, sending a POST /forum.php connection).

High Scalability A vision of enterprise platform: Security Infrastructure I have been asked how I would design a security infrastructure for my vision of an enterprise platform, and here is an initial draft of the ideas. As with anything in this series, no actual code was written to build them. What I am doing is going through the steps that I would usually go through before I actually sit down and implement something. While most systems go for the Users & Roles metaphor, I have found that this is rarely a valid approach in real enterprise scenarios. What are the requirements for this kind of infrastructure? Performant; human understandable; flexible; and the ability to specify permissions using the following scheme: on a group or on individual users, based on an entity type, a specific entity, or an entity group. Let us give a few scenarios and then go over how we are going to solve them, shall we? A helpdesk representative can view account data, but cannot edit it. The security infrastructure revolves around this interface: So, the next application that I built, I used a different approach.

Security Cheat Sheets for Ethical Hacking and Penetration Testing Security cheat sheets for Ethical Hacking and Penetration Testing by sniferl4bs. Download and Extract Command: wget Contents: aircrack-ng, airport, burp, cewl, cidr, cookies, dig, fierce, ftp, golismero, hping, http, https-ssl-tls, hydra, john, maltego, markdown, medusa, metasploit, msfvenom, mysql, ncat, nessus, nikto, nmap, nping, permissions, php, pivoting, ps, python, reverse-shell, ruby, shadow, shodan, sqlmap, tcpdump, tshark, webservervulns, wireless-encryptions, wireshark, wp, Hardening. Download Cheatsheet: Security Cheat Sheets for Ethical Hacking and Penetration Testing

F O R A T » How to protect your Linux server from brute-force attacks » For some years now I have had web servers online 24 hours a day at home, offering services to the Internet that require a username and a password to access them, such as SSH or FTP. I have received all kinds of attacks from some undesirables, but the most frequent is the brute-force attack, which amounts to using a dictionary-style list of names. There have been days when they kept trying over and over with an endless list of names to see whether any matched the root superuser password, in order to take over the server through the SSH port. Up to now I have been blocking them in different ways, but the one I am going to explain this time is the best I have found against this kind of threat. The guide you can read below applies to the Debian Linux and Ubuntu Linux distributions, since those are the two on which I have tested this technique, with its installation and configuration working correctly. [ssh] [apache]