SEARCH RESULTS
PrincipalPermissionAttribute and Static ctor Leads to DoS

2007-12-03 09:03:00 by Keith Brown in Security Briefs
 
...static constructor (or, even worse, if it may get one in the future), realize that this attribute applies to the static constructor as well! Why is this a problem? Well, if a static constructor throws an exception, the class is latched into a mode where each future attempt to call the static constructor leads to the previous exception being...
Better exception reporting in ASP.NET part 2

2008-08-04 14:11:14 by keith-brown in Security Briefs
 
...static string GetAndRemoveStringAttribute(NameValueCollection config, string attributeName, bool required) { string value = config.Get(attributeName); if (required && string.IsNullOrEmpty(value)) throw new ConfigurationErrorsException(string.Format("Expected attribute {0}, which is missing or empty.", attributeName));...
Serializable XmlDocument

2008-08-19 02:58:00 by keith-brown in Security Briefs

...static implicit operator SerializableXmlDocument(XmlDocument doc) { return new SerializableXmlDocument(doc); } public static implicit operator XmlDocument(SerializableXmlDocument sdoc) { return sdoc.Value; } #endregion #region Xml serialization helper methods private static byte[] Serialize(XmlDocument doc) { MemoryStream stream = new MemoryStream...
Software Security Metrics and Commentary on "Metrics Framework" Paper

2007-09-17 20:41:00 by Security Retentive in Security Retentive
 
...Static Analysis Insecure Storage PercentServersNoDiskEncryption Runtime Manual review Application Denial of Service Runtime Pen Testing Insecure Configuration Management Service Accounts with Weak Passwords Runtime Manual review I think unfortunately that this set of metrics misses the mark a little bit. I question whether pen testing for...
Banning function calls, assurance, and retrofitting

2008-03-18 19:48:00 by Security Retentive in Security Retentive
 
...static analyzer I'm using. As it turns out, there is a fine line to be drawn between what you consider best practices, what a static analyzer can find, how much context the static analyzer has, and how much manual review you really want to put up with. Let me give a specific example. Coverity's Prevent analyzer has a number of built-in...
FUD About Ruby on Rails?

2007-08-31 08:45:00 by Security Retentive in Security Retentive
 
...static analysis tools cover Ruby. I'll address both of these. I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While there are certainly the hooks to do so, and some tools like Netegrity, Sun Access Mgr, etc. will allow you to override Java's...
Show 010 - A Panel Discussion with Fortify Software's Technical Advisory Board

2007-01-22 19:59:59 by rmacmich in The Silver Bullet Security Podcast

...static analysis tools, and software security pedagogy. Participating members of the Technical Advisory Board include Bill Pugh, Professor at University of Maryland, static analysis for finding bugs; Li Gong, GM at Microsoft, MSN in China; Marcus Ranum, CSO of Tenable Network Security, security products trainer; Avi Rubin, Professor at Johns...
Securing Network Location Awareness with Authenticated DHCP

2008-03-19 12:47:02 by Steven J. Murdoch in Light Blue Touchpaper
 
...static. This results in laptop computers being configured with fairly open policies, in order to facilitate applications appropriate for a trustworthy office LAN (e.g. file and printer sharing, collaboration applications, and custom servers). When the computer is taken home or roaming, this policy leaves an excessively large attack surface...
How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle
 
...static (meaning the threats don't change much over time). Computer security is still evolving, with new classes of attacks still being discovered, and while hackers understand how to exploit known types of vulnerabilities, software developers are still catching up in learning how to modify engineering practices to be resilient against both new...