Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.

Haz.

“Wat Behaviour” in Programming Languages – Security Impact /ht @jimfinnis #EPIC #MUSTWATCH #SHORT #WAT

Via Jim I discovered this four minutes of delight:

…and the mid-section about Javascript behaviour is relevant to WAF bypass (previously, previously) – regarding which there are many presentations and blog posts on the web, but I still delight in this sort of thing so here are a couple of extracts:

Screen Shot 2013-02-18 at 09.17.12

From http://www.slideshare.net/nethemba/bypassing-web-application-firewalls

Screen Shot 2013-02-18 at 09.21.14

From http://security.bleurgh.net/javascript-without-letters-or-numbers

Understanding this is possible is essential for web security work because this is how you inject code that walks straight past a web application firewall.

LibTech-Auditing-Cheatsheet # technical things to look for when auditing extremely high value applications

Introduction

This list is intended to be a list of additional or more technical things to look for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a Stock Trading Application), societal issues that could open users to physical harassment (such as a Gay Dating Application), or technologies designed to be used by journalists operating inside repressive countries.

It is an advanced list – meaning entry level issues such as application logic bypasses, common web vulnerabilities such as XSS and SQLi, or lower level vulnerabilities such as memory corruption are explicitly not covered. It is assumed that the reader is aware of these and similar vulnerabilities and is well trained in their search, exploitation, and remediation.

A good example of the type of analysis to strive for can be shown in Jacob Appelbaum’s analysis of UltraSurf: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf

The Stuff

…continues at iSECPartners/LibTech-Auditing-Cheatsheet · GitHub.

ht @runasand

 

Ross Anderson’s “Security Engineering” – Now FREE to Download and Read

“Security Engineering” now available free online

February 4th, 2013 at 17:50 UTC by Ross Anderson

I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.

I’ve long been an advocate of open science and open publishing; all my scientific papers go online and I no longer even referee for publications that sit behind a paywall. But some people think books are different. I don’t agree […]

…continues at Light Blue Touchpaper » Blog Archive » “Security Engineering” now available free online.