Web Application Security Consortium Announced
A new organisation has just been announced: the Web Application Security Consortium. The consortium, formed by leading web security companies (Application Security, KaVaDo, Sanctum, SPI Dynamics, Inc. and WhiteHat Security), aims to establish web application security standards and terminology (full press release). A Web Security Glossary has already been published.
Paper on passive information gathering
TechnicalInfo.Net is an excellent resource for web security information. Gunter Ollmann has provided a set of great papers, observations, and links to information gathering tools available on the Internet. The latest addition to this collection is a Passive Information Gathering paper. In it he summarises the techniques many seasoned security professionals use every day, in a tutorial-style, step-by-step document. It is a great read, even if you do use these techniques every day (it is guaranteed that you will learn something new).
AVDL Committee Draft is out
This morning I got news of AVDL becoming a Committee Draft; you can get it here. AVDL (Application Vulnerability Description Language) wants to establish a standard communication protocol between entities with different roles involved in application vulnerability discovery, management, and protection. The web security scanner tools we have today do a good job with shiny reports, but AVDL aims to have those results fed automatically into your security management system. What you do from there is your problem. However, while your overworked employees are trying to find the time to fix the problem, you can have an automated protection tool (such as mod_security) protect the vulnerable application automatically.
JIRA license for ModSecurity
I am very happy to announce that I've been granted a free JIRA license to use with ModSecurity! I am grateful to SourceForge for their facilities but, face it, the quality is not that good. Also, I have recently started using JIRA at work, and once you get used to it, there is no turning back! Many thanks to the people at Atlassian for their help. Now I need to learn how to install it :)
Free Apache hardening utility
Syhunt, a security tool company from Brazil, has released a free Apache configuration hardening utility. The utility feeds on Apache or PHP configuration files and gives warnings and suggestions on how to make the configuration more secure. I especially like the fact that they advise people to install and use mod_security :)