AppSecInsider
IBM Application Security Insider
Recent Activity
Building Rich Internet Applications Models: Example of a Better Strategy
Crawling “classical” web applications is a problem that was addressed more than a decade ago. Efficient crawling of web applications that use advanced technologies such as AJAX (called Rich Internet Applications, or RIAs) is still an open problem. Crawling is...
Posted Jun 19, 2013 at IBM Application Security Insider
AppScan Enterprise v8.7 performance improvements
In March 2013, we released version 8.7 of AppScan. One of the focus areas for that release was to improve the scalability and performance of the enterprise components of the solution, specifically the AppScan Enterprise Server and AppScan Enterprise Dynamic...
Posted May 29, 2013 at IBM Application Security Insider
Practical mobile app security scanning tips
In this hands-on article, learn how to use IBM Security AppScan Standard with mobile user agents, as well as emulators and actual devices for Android and iOS.
Posted Apr 17, 2013 at IBM Application Security Insider
Research Awards for Project on Crawling Mobile and Rich Internet Applications
2012 IBM CAS Project of the Year: Efficient and Scalable Mapping of Mobile and Complex Rich Internet Applications for Automated Security Testing
The ability to “crawl” Web sites and Web applications is at the core of the Internet. Crawling is...
Posted Jan 3, 2013 at IBM Application Security Insider
Find Security Vulnerabilities in Android Apps
Mobile security can be tested in a variety of ways. You can apply black box testing to test the server side logic that your mobile app is working with, as we've recently blogged about. You can also apply static analysis...
Posted Dec 10, 2012 at IBM Application Security Insider
Understanding AppScan Test Policies
IBM Security AppScan provides automated security scanning of web applications. Did you know that you can apply test policies within IBM Security AppScan to cover particular aspects of the scan? Using the right policy produces optimal scanning results and reduces...
Posted Dec 3, 2012 at IBM Application Security Insider
Use Traffic Viewer to Unlock Ultimate AppScan Power-User Secrets
If you have ever worked with an AppScan expert, they probably got you to install the AppScan Traffic Viewer. This tool is the Swiss army knife of the AppScan power user, containing a multitude of support features and giving you...
Posted Oct 15, 2012 at IBM Application Security Insider
Out with the old, in with the new - IBM Security AppScan Standard 8.6 released!
If you’re the kind of person who likes taking a look under the hood, then get ready to dive into the new IBM Security AppScan Standard 8.6 and take a peek at what we did for this release. By the...
Posted Aug 27, 2012 at IBM Application Security Insider
The New Frontier - Securing Mobile Apps (WEBCAST)
Let's talk about mobile security, shall we? We can see that smartphones and tablets are everywhere, taking their place as dominant collaboration devices in enterprises. Many organizations are struggling with understanding the implications of developing and deploying apps to new...
Posted Aug 13, 2012 at IBM Application Security Insider
The Most Comprehensive Web Application Security Scanner Comparison Available Marks AppScan Standard as the Leader (Again)
Once again, AppScan has proven to be the leader among web application security testing tools, in a recent benchmark of over 60 commercial and open-source tools published by Shay Chen.
[Figure: Attack vector comparison (taken from the WAVSEP benchmark review)]
The...
Posted Aug 6, 2012 at IBM Application Security Insider
F4F Technology Helps You Analyze Applications For Security
By Babita Sharma and Michael Hua Xiao
Most modern web applications are built using web application frameworks, such as Enterprise JavaBeans (EJB), Apache Struts and JavaServer Faces (JSF). These frameworks simplify web application development by providing higher-level abstractions for common tasks...
Posted Aug 2, 2012 at IBM Application Security Insider
Microsoft Windows Shell Command Injection - MS12-048 (CVE-2012-0175)
CVE-2012-0175
Background
Windows File Association allows an application to define a handler that should be called for each operation on a specific file type. For example, WinRAR registers the file type .RAR in the following manner: The Open action defined...
Posted Jul 16, 2012 at IBM Application Security Insider
Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability (CVE-2011-1252)
HTML Sanitizing Information Disclosure - CVE-2011-1252
Introduction
The JavaScript function toStaticHTML, found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments of dynamic and potentially malicious content. If an attacker is able to...
Posted Jul 8, 2012 at IBM Application Security Insider
Automated Blackbox Crawling: The Next Generation
Automated crawling of web applications is the first step in automating web application security analysis. Without a proper crawl, automated testing for vulnerabilities will produce incomplete results (a.k.a. "false negatives"). Modern web technologies, like AJAX, result in more responsive and...
Posted Jun 26, 2012 at IBM Application Security Insider
May 21, 2012
Anshum,
Can you elaborate on the structure of the RESTful requests?
Testing RESTful Services with AppScan Standard
By Ory Segal
As much as I love SOAP web services (not!), it seems like RESTful web services really caught on and became a de-facto standard these days – you see them everywhere, in the cloud, in AJAX or Web 2.0 applications, mobile applications and so forth. Unlike SOAP services, RESTful service...
@Dotnetchris - have you bothered to look in the "Acknowledgments" section of the Microsoft security bulletin? It was *our team* that disclosed this to Microsoft. We then waited for Microsoft to patch this issue, and only then published the full details of the issue. That's called responsible disclosure. There's no FUD here, just technical details.
Microsoft Anti-XSS Library Bypass (MS12-007)
Introduction: Microsoft Anti-XSS Library is used to protect applications from Cross-Site Scripting attacks, by providing methods for input sanitization.
Vulnerability: Microsoft Anti-XSS Library 3.0 and 4.0 are vulnerable to an attack in which an attacker is able to create a specially formed CSS...
JSON-based XSS exploitation
JSON rendering in Internet Explorer
In the world of Web 2.0 and mashup web applications, security researchers come across more and more XSS vulnerabilities that are reflected in non-HTML responses. For example, JSON responses are becoming more and more common,...
Posted Oct 24, 2011 at IBM Application Security Insider
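The post above describes XSS payloads that are reflected inside JSON responses and then rendered as HTML by Internet Explorer. As an added example written for this page (not code from the IBM post), the block below models a JSON search endpoint as a pure function in two shapes: the reflecting, sniffable version, and a hardened one that declares application/json, sends X-Content-Type-Options: nosniff, and \u-escapes the HTML-significant characters inside the JSON so the body contains no raw tag at all. The last function is the check a scanner would apply to a captured response. The endpoint, its q parameter and the attacker string are constructed assumptions, and the controls shown are the generic ones for this class of bug, not the specific findings of the post.

```javascript
// Added example for this page, not code from the IBM post. A JSON endpoint is
// modelled as a pure function returning {status, headers, body} so the
// vulnerable and hardened shapes can be compared without running a server.
// The "search" endpoint, its "q" parameter and the attacker input are
// constructed for the example.

// Constructed attacker input: reflected verbatim, it is a live tag for any
// browser that decides the response is really HTML.
const ATTACKER_INPUT = '<script>alert(document.cookie)</script>';

// Vulnerable shape: a generic content type (a browser that sniffs may treat the
// body as HTML) and the parameter spliced into the JSON text by concatenation,
// so the reflected value is not even guaranteed to stay inside a JSON string.
function searchVulnerable(q) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: '{"query":"' + q + '","results":[]}',
  };
}

// JSON.stringify already escapes quotes, backslashes and control characters;
// additionally encode the characters an HTML parser cares about as JSON
// \uXXXX escapes. The output is still valid JSON and parses back to the
// identical value, so no client code has to change. U+2028/U+2029 are included
// because they are line terminators in JavaScript source but not in JSON.
function htmlSafeJsonStringify(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened shape: declare the body as JSON, tell the browser not to sniff,
// and build the body with a serializer instead of string concatenation.
function searchHardened(q) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: htmlSafeJsonStringify({ query: q, results: [] }),
  };
}

// The check a scanner would apply to a captured response: a raw HTML tag in
// the body is a finding unless the browser is unambiguously told that the
// body is JSON (correct Content-Type and nosniff together).
function looksRenderableAsHtml(res) {
  const headers = {};
  for (const [k, v] of Object.entries(res.headers)) {
    headers[k.toLowerCase()] = String(v).toLowerCase();
  }
  const declaredJson = (headers['content-type'] || '').startsWith('application/json');
  const nosniff = headers['x-content-type-options'] === 'nosniff';
  const rawTag = /<[a-z!\/]/i.test(res.body);
  return rawTag && !(declaredJson && nosniff);
}

// Stand-alone run: one line per variant, showing the flag and the body.
for (const [name, fn] of [['vulnerable', searchVulnerable], ['hardened', searchHardened]]) {
  const res = fn(ATTACKER_INPUT);
  console.log(name, looksRenderableAsHtml(res) ? 'FLAGGED' : 'ok', res.body);
}
```

The escaping step matters even once the headers are right: a response reaches the browser through caches, proxies and sometimes older clients that ignore nosniff, and a body with no literal `<` gives an HTML parser nothing to work with in any of those paths.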
The Ultimate Web App Security Scanner Comparison Published - AppScan Standard Leads the Pack
See the most recent results of the 2012 WAVSEP benchmark!
Shay Chen, an Information Security consultant and blogger, recently published the latest results of his ultra-thorough web application security scanner comparison. The survey covered 60(!) different open source...
Posted Aug 3, 2011 at IBM Application Security Insider
Close Encounters of the Third Kind
As promised in my last blog post, we recently published a new whitepaper on the subject of client-side JavaScript vulnerabilities. Below you can find a short excerpt from the whitepaper: In the past 10 years, many whitepapers, research articles, and...
Posted Jan 6, 2011 at IBM Application Security Insider
Scanning for Client-Side JavaScript Vulnerabilities
In a few weeks, our team is going to publish a new research whitepaper, which explores the prevalence of client-side JavaScript vulnerabilities such as DOM-based XSS, in real world web applications. For this research, we used a new IBM technology...
Posted Nov 22, 2010 at IBM Application Security Insider
Just a quick fact correction -
Quote: "When the WAF market started, PCI was the biggest driver and WAFs were seen as a “checklist technology.”"
PCI DSS was first released in December 2004, while the first WAF (AppShield) was released in 1998.
Imperva Perspective: Trustwave Buys Breach Security
Trustwave Jumps In
Trustwave joins the ranks of F5, Citrix, Cisco and more who now want a piece of the Web Application Firewall market. When the WAF market started, PCI was the biggest driver and WAFs were seen as a “checklist technology.” Today, WAFs are strategic. As one of our customers...
Cross-Site Scripting through Flash in Gmail Based Services
Background
I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative.
Technical Details...
Posted Mar 23, 2010 at IBM Application Security Insider
Why Your Static Analysis Scanner Should Use String Analysis
I just read an awesome blog post at “Schmoilitos Way” that describes a scenario in which someone ran a static analysis tool, found a vulnerability, patched it using a faulty input validation routine, and then re-ran the scan, this time...
Posted Nov 17, 2009 at IBM Application Security Insider