Features
Understanding Encryption Requirements of PCIDSS
by Hrishikesh Sivanandhan in June 2009
At information security conferences there are heated discussions on the difficulties merchants and service providers face in complying with the encryption requirements of PCI DSS. Inability to comply often leads the vendor to seek refuge in the provision for “compensating controls”. Because compensating controls are subject to the interpretation of the assessor and the vendor, adversaries are making the most of the situation by exploiting the loopholes left behind when these workarounds are implemented.… more →
Log Monitoring and Malware Scanning: Stay Ahead of the Threat Curve
by Sachin Varghese in April 2009
As a reader of Palisade, you most likely care about security. You have in all probability trained your developers, tested your applications and networks, reviewed your network architecture, and brought patch management under control. What next? How can you continue to stay ahead of the threat curve?… more →
Measuring the Value of Remote Application Security Testing
by Paresh Amin in February 2009
It sometimes takes a major application security breach to get us fired up to test our applications. The recent breach at Hannaford Bros. is a good example: attackers managed to steal up to 4.2 million credit and debit card numbers. It pays to be proactive about application security testing, and measuring the value of application and network security testing is the first step, since what is measured can be improved. [Disclosure: Paladion/Plynt provides remote application security testing.]… more →
Database Links Security
by Roshen Chandran in October 2008
Database links (DB links in Oracle) let one database connect to a remote database and execute queries there. The originating database connects using the username and password of an account in the destination database, so the connection carries whatever privileges that account has been granted in the destination.… more →
Defend against Reverse Engineering
by Roshen Chandran in July 2008
Software reverse engineering is the technique of recovering a program’s logic, and an approximation of its source code, from the binary. Competitors might use reverse engineering to figure out how you implemented that cool feature. Crackers might use it to see how they can bypass your license policy. Game cheats use reverse engineering, well, to cheat.… more →
URL Redirection Flaw
by Sourabh Saxena in June 2008
Harry gets an email from his bank saying that he has received some promotional offers and should click the link below to take advantage of them. Aware of phishing attacks, Harry checks that the URL contains his bank’s name and, finding it to be a genuine URL of the bank, clicks the link. The login page of his bank is displayed. He enters his username and password on the login page, and gets an error page saying “The server is unable to process your request”.… more →
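The flaw in the scenario above is an open redirect: the link genuinely points at the bank, but a parameter in it tells the bank where to send the user afterwards. The following is an added example, not code from the original Palisade article; it assumes a hypothetical login URL that names the post-login destination in a query parameter called "next", and the host name "bank.example" is an assumption for illustration. It shows the vulnerable behaviour beside a check that only allows destinations on the bank's own site.

```python
"""Open redirect behind a login page (added example, not the article's code).

Assumptions: the login URL carries the post-login destination in a query
parameter named "next"; the genuine site is "bank.example".
"""
from urllib.parse import parse_qs, urlsplit

BANK_HOST = "bank.example"  # assumed hostname of the genuine site


def redirect_target_vulnerable(next_param: str) -> str:
    """The flaw: the server sends the user wherever the link said."""
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Allow only destinations that stay on the bank's own site.

    - a relative path ("/accounts"), provided it starts with exactly one
      slash and contains no backslash (browsers treat "//x" and "/\\x" as
      scheme-relative, i.e. as another host)
    - an absolute https URL whose netloc is exactly BANK_HOST, so userinfo
      tricks ("bank.example@evil.example") and odd ports are excluded; the
      URL is rebuilt from its parts rather than echoed
    Everything else (javascript:, data:, other hosts) falls back to default.
    """
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme == "" and parts.netloc == "":
        path = next_param
        ok = path.startswith("/") and not path.startswith("//") and "\\" not in path
        return path if ok else default
    if parts.scheme == "https" and parts.netloc.lower() == BANK_HOST:
        target = f"https://{BANK_HOST}{parts.path or '/'}"
        return target + (f"?{parts.query}" if parts.query else "")
    return default


def destination_after_login(login_url: str, handler) -> tuple:
    """(host the user sees in the link, where the server then sends them)."""
    parts = urlsplit(login_url)
    nxt = parse_qs(parts.query).get("next", [""])[0]
    return parts.hostname, handler(nxt)


if __name__ == "__main__":
    # Constructed phishing link: the bank's real host is in the URL, which is
    # exactly what Harry checked, but the "next" parameter points elsewhere.
    link = "https://bank.example/login?next=https://evil.example/login"
    print(destination_after_login(link, redirect_target_vulnerable))
    print(destination_after_login(link, redirect_target_safe))
```

Checking the host name by eye, as Harry did, is no protection here because the host really is the bank's; the fix has to be on the server side, and the safest variant is not to accept a URL at all but a key into a server-side table of allowed destinations.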
Virtualization – the promised land?
by Arvind Doraiswamy in June 2007
Someone somewhere is still getting compromised after investing heavily in security. Now there’s something called ‘virtualization’ which seems to be a kind of promised land, a ‘solution’ to all these security problems. It’s being adopted rapidly across organizations just because it’s ‘secure’. So what is virtualization? Why is it such a craze? Is it really that secure? Is there no way to compromise it? Are we finally 100% safe? A lot of pertinent questions there; let’s try to answer them, shall we?… more →
Mobile Banking Architecture
by Suraj Sankaran in May 2007
This two-part series on mobile banking security will help bank security officers and auditors understand the security threats in mobile banking. Here, I present two popular mobile banking architectures and dive into the exchange of messages between their components. Next month, we will look at the threats inherent in these architectures and how to mitigate them.… more →
Back to Basics: Http Essentials
by Jose Varghese in December 2006
In this article series, we revisit some of the basic concepts of HTTP. The first part answers a few questions on caching: what is stored in a cache, how it is stored, and how to control its behaviour.… more →
Smart Questions for Customer Reference Checks
by Roshen Chandran in November 2006
Customer reference checks are a powerful tool for selecting the application security testing vendor that is right for you. We have compiled the astute questions we’ve come across in the last 6 years.… more →
HTTP Request Smuggling
by Prashant Gawade in September 2006
With the advent of HTTP-aware firewalls and IPSs, many developers relax a little on strengthening the security of their applications. Application firewalls can block most automated attacks on websites. However, an attack vector has been discovered that bypasses application firewalls too: HTTP request smuggling lets an attacker send malicious requests through proxies and firewalls to the web server. Here is a short description of the attack technique.… more →
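Request smuggling works because two hops on the path disagree about where a request body ends. The following is an added example, not code from the original article, and the request bytes in it are constructed for illustration. It frames the same byte stream the way a Content-Length-only hop would and the way a chunked-aware hop would, and shows that the bytes the first hop forwarded as part of the body become, for the second hop, the start of a new request, which is what lets the smuggled request slip past inspection at the front end.

```python
"""HTTP request smuggling, CL.TE variant (added example, constructed input).

A front end that trusts Content-Length forwards the whole attacker request
as one message. A back end that honours Transfer-Encoding: chunked (which
RFC 7230 says takes precedence) sees the body end at the zero-size chunk and
keeps the remaining bytes as the prefix of the next request on the
connection. Those bytes were never inspected as a request by the front end.
"""

CRLF = b"\r\n"

# Constructed attacker request carrying both framing headers. The body
# "0\r\n\r\nSMUGGLED" is exactly 13 bytes, matching Content-Length.
SMUGGLING_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)


def parse_headers(stream: bytes):
    """Return (lower-cased header dict, offset where the body starts)."""
    head, _, _ = stream.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + 4


def body_by_content_length(stream: bytes):
    """Framing used by a Content-Length-only hop: (body, leftover bytes)."""
    headers, start = parse_headers(stream)
    length = int(headers.get(b"content-length", b"0"))
    return stream[start:start + length], stream[start + length:]


def body_by_chunked(stream: bytes):
    """Framing used by a chunked-aware hop: (body, leftover bytes)."""
    headers, pos = parse_headers(stream)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return body_by_content_length(stream)
    body = b""
    while True:
        line_end = stream.index(CRLF, pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # drop chunk-ext
        pos = line_end + 2
        if size == 0:
            # last-chunk: skip any trailer lines up to and including the blank line
            while True:
                line_end = stream.index(CRLF, pos)
                pos = line_end + 2
                if line_end == pos - 2 and stream[line_end - 0:line_end] == b"" or line_end == pos - 2 and stream[pos - 2 - 0:pos - 2] == CRLF[:0]:
                    pass
                if stream[line_end - 0:line_end] == b"" and line_end == (pos - 2):
                    break
            return body, stream[pos:]
        body += stream[pos:pos + size]
        pos += size + 2                        # chunk data plus its CRLF


def is_ambiguous(stream: bytes) -> bool:
    """What a hardened front end checks before forwarding: both framing
    headers present. Such a request should be rejected (400) or normalised
    to a single framing, never passed through as-is."""
    headers, _ = parse_headers(stream)
    return b"content-length" in headers and b"transfer-encoding" in headers


if __name__ == "__main__":
    print("front end (CL) forwards body:", body_by_content_length(SMUGGLING_REQUEST))
    print("back end (TE) sees body/leftover:", body_by_chunked(SMUGGLING_REQUEST))
    print("ambiguous framing:", is_ambiguous(SMUGGLING_REQUEST))
```

The leftover bytes are the smuggled request: on a keep-alive connection the back end prepends them to whatever the next, innocent user's request is. The usual fixes are to reject messages that carry both headers, to make every hop apply the same framing rules, and to avoid reusing back-end connections across different front-end clients.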
Session Riding Attacks
by Balaji V in August 2006
A session riding attack (also called a Cross-Site Request Forgery, or CSRF, attack) is a technique for spoofing requests on behalf of other users. It lets adversaries spoof online transactions, modify user details and siphon off funds. And that’s only the beginning. In this article, we show how the attack works and the defenses we need to put in place. The key to understanding session riding is cookie-based session management, the most popular form of session management. So, let’s turn to that first.… more →
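The point about cookie-based session management is that the browser attaches the session cookie to every request for the site, including one triggered by a form on an attacker's page, so the cookie alone cannot tell the server who composed the request. The following is an added example, not code from the original article: a toy in-memory "bank" with assumed names, showing a transfer handler that is ridden by a forged request next to one that additionally demands a per-session token the attacker's page cannot read.

```python
"""Session riding (CSRF) against cookie-only authentication, and the
synchronizer-token defence (added example; all names are assumptions).
"""
import hmac
import secrets

sessions = {}                         # session id -> {"user", "csrf"}
balances = {"alice": 1000, "mallory": 0}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Embedded in the bank's own transfer form as a hidden field."""
    return sessions[sid]["csrf"]


def _move(src: str, dst: str, amount: int) -> None:
    if amount <= 0 or balances[src] < amount:
        raise ValueError("insufficient funds or bad amount")
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount


def transfer_vulnerable(cookie_sid: str, form: dict) -> bool:
    """Authenticates by cookie only, so it acts on whoever's session is
    attached to the request, regardless of which page built the form."""
    session = sessions.get(cookie_sid)
    if session is None:
        return False
    _move(session["user"], form["to"], int(form["amount"]))
    return True


def transfer_hardened(cookie_sid: str, form: dict) -> bool:
    """Also requires the session's CSRF token. A form served from the
    attacker's origin cannot read it (same-origin policy), so the forged
    request is refused before any state changes. Constant-time compare."""
    session = sessions.get(cookie_sid)
    if session is None:
        return False
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False
    _move(session["user"], form["to"], int(form["amount"]))
    return True


def forged_request(victim_cookie: str):
    """What the victim's browser sends after visiting the attacker's page:
    the attacker chose the form fields, the browser added the cookie."""
    return victim_cookie, {"to": "mallory", "amount": "500"}


def demo() -> dict:
    """Run the forged request against both handlers and report outcomes."""
    balances.update({"alice": 1000, "mallory": 0})
    sid = login("alice")
    cookie, form = forged_request(sid)
    riding = transfer_vulnerable(cookie, form)                 # attacker wins
    after_vuln = balances["mallory"]
    blocked = not transfer_hardened(cookie, form)              # no token
    genuine = transfer_hardened(cookie, dict(form, csrf=csrf_token_for(sid)))
    return {"riding": riding, "mallory_after_vuln": after_vuln,
            "forged_blocked": blocked, "genuine_ok": genuine,
            "mallory_final": balances["mallory"], "alice_final": balances["alice"]}


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable, tied to the session, and checked on every state-changing request; checking the Origin or Referer header is a useful second layer, and current browsers' SameSite cookie attribute limits which cross-site requests carry the cookie at all, but neither replaces the token.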
Understanding SSL VPN
by Bhaven Haria in July 2006
What if you are sitting in a hotel room, hundreds of miles away from your office, and you need to access your company’s intranet portal? One solution is to publish the portal on the web so that all employees can access it from anywhere. But publishing such applications directly on the web exposes the company to multiple security risks, as they become reachable by everyone on the Internet. The most common practice enterprises adopt in this scenario is to use a VPN. In this article, we discuss the working of SSL VPN, its key advantages and a few concerns about it.… more →
The reign of bots
by Sam Varughese in June 2006
I have often wondered how attackers get hold of enough systems to mount Distributed Denial of Service (DDoS) attacks, and how they manage to time and control them. In a typical DDoS attack, thousands of systems attack a victim and take it offline. Attackers first compromise a large number of machines and then set up backdoors on them. The backdoors listen for commands from their masters and carry out a coordinated attack at their master’s bidding. This network of compromised systems working under a central command is called a ‘botnet’… more →
Pharming on the Net
by Nilesh Chaudhari in March 2006
You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking emails and, with reasonable success, extract money or personal information from unsuspecting customers. Pharming is phishing on steroids.… more →
Interview: The Challenges of Security Testing
in December 2005
Palisade spoke to Vinod Vasudevan this week to understand the challenges professional penetration testing teams face. As CTO of Paladion, Vinod is responsible for the quality and effectiveness of the tests.… more →
Security Architecture for Multi-Tier Applications
by Shaheem Motlekar in October 2005
The advent of the Internet brought with it multi-tier applications, which have since become the norm for building enterprise software. The most common breakdown of a tiered application is Presentation, Business Logic and Data. Although there are other possibilities, we shall use this breakdown for today’s discussion.… more →
Interview: What works in Training Security Testers
in June 2005
As software organizations figure out how to integrate security testing into the QA process, Palisade talked to Firosh Ummer to learn how he set up the internal training program for security testers at Paladion. With participants from the program going on to test over 300 applications in the last 3 years, Firosh has been continuously refining it to make it more effective.… more →
Datamonitor Survey on Software Security Testing
by Sangita Pakala in May 2005
In late 2004, Paladion commissioned Datamonitor to study the security testing trends among 68 ISVs. Here we present the results of the survey and share the white paper with you.… more →
All About Steganography
by Sonali Gupta in April 2005
An innocent-looking picture can carry a lot of secret information. Is that possible? Steganography makes it possible. Find out more about this technique of hidden communication… more →
Web Application Honeypots
in April 2005
One active way of understanding attacks is to invite attackers. Vulnerable applications set up to attract attackers are honeypots; they let us examine the different attack techniques in use. Read on to learn more about application honeypots … more →
Built-in Intrusion Detection
in March 2005
In the pages of Palisade we’ve emphasized how to improve our applications’ defenses, mostly by building stronger defenses to prevent breaches. Today we look at ways to improve the monitoring capabilities built into our applications… more →
Integrating Smart Cards in Web Applications
by Abhishek Kumar in November 2004
Smart cards can enhance the security of many web applications: they provide a secure and portable platform for authentication and non-repudiation. In this article we look at the problems they solve (and do not solve), and the factors to consider in selecting them… more →
Preventing Buffer Overflows
by Rajesh Jose in September 2004
Buffer overflow vulnerabilities are the result of missing bounds checks on input: they let an attacker overwrite memory and, in the worst case, run his input as code in the victim process. Even when care has been taken to validate all inputs, bugs might slip through and leave the application insecure. This article presents the options available to protect against buffer overflows… more →