Best Practices
SAP Baseline Security Audit
by Rajesh Gopinath in October 2008
An SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit program and is ideal for generating a quick win early. This article outlines the areas covered under the SAP Baseline Security Audit we perform.
The Payment Application Data Security Standard (PA DSS)
by Sangita Pakala in July 2008
PA DSS fills a gap in the better-known PCI DSS standard. Today, we’ll discuss this lesser-known standard. Remember that the biggies of the credit card industry put their heads together and came up with the Payment Card Industry Data Security Standard (PCI DSS). Their aim was to protect the “Cardholder’s” data. PCI DSS was first released in 2005 and then revised in October 2006. PCI DSS has a few requirements that talk about securing web applications that deal with cardholder’s data.
Mobile Banking - Threats and Mitigation
by Suraj Sankaran in June 2008
In my previous article, I had explained the two common mobile banking architectures and the exchange of information using one of the architectures. In this article, I’ll be explaining the threats observed and an ideal process to overcome these threats. The explanation would be based on the information exchange for the architecture discussed in my previous article. Each phase has the threats mentioned and a secure process to ensure these threats are mitigated.
Phishing Questions
by Roshen Chandran in November 2006
Our series of articles on Phishing - Protection, Detection, and Incident Response evoked several questions. In this issue, we answer three of the most interesting questions we came across. Please keep the questions flowing, thank you!
5 Tips for Securing Software as a Service
by Roshen Chandran in October 2006
Field notes on how best to secure “Software as a Service” (SaaS). We ran into 12 SaaS apps last quarter - we were asked to test them. Here’re our field notes from those assignments, our favorite security tips to SaaS developers: …
Securely Webifying Applications
by Roshen Chandran in October 2006
We see a recurring pattern of security errors when organizations migrate their legacy applications to the web. This Executive Briefing documents the most common security mistakes we have seen in the last 5 years.
Securing IIS Web Servers
by Siddharth Anbalahan in September 2006
In our previous article we showed how to securely deploy one of the most popular web servers, i.e. the Apache web server. In this article we cover how we can secure the IIS 6.0 web server. Microsoft’s initiative towards security, Trustworthy Computing, is based on four pillars as defined by Microsoft: …
Are Complex Passwords Really Necessary?
by Roshen Chandran in August 2006
Why it’s silly to enforce passwords like “2@$Rw0rd~” in web applications. Insist on complex passwords in your Windows LAN, but not in your web applications. In this issue we put complex passwords in perspective. We first discuss how they enhance the security of Windows LANs, and then show why they are less relevant for web apps.
Securing Apache Web Servers
by Siddharth Anbalahan in July 2006
According to Dr. Johannes Ullrich, CTO of the SANS Institute’s Internet Storm Center, "web application attacks account for a significant portion of hacking activities across the Internet." Securing web servers is an important step towards preventing some of the most common application layer attacks. The Netcraft Web Server Survey of June 2006 recorded that Apache is the leading web server in the market with a market share of 61.25%. In this first part of the two-part series, we will look at some of the general secure configuration settings of the Apache web server.
Thick Client Application Security - Defenses
by Balaji V in May 2006
In the first article in this series, we saw the various attacks on two-tier thick client applications. This part discusses the defense mechanisms available to tackle those attacks.
Pharming on the Net
by Nilesh Chaudhari in March 2006
You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking emails and manage to usurp money or personal information from unsuspecting customers with reasonable success. Pharming is phishing on steroids.
Implementing Password Recovery
by Deepu Thomas Philip in January 2006
Password recovery is a process that becomes necessary when a genuine application user is unable to authenticate due to a lost or forgotten password. We look at the various challenges in a secure password recovery implementation.
Interviewing software developers
by Shaheem Motlekar in November 2005
When do you get secure software? When your developers know how to write secure software. That is a no-brainer; yet how often have you quizzed your developers on application security while recruiting them? In this article we present some questions to ask in your next interview.
Encrypting data in Databases
by Priyali Vibhute in June 2005
Organizations take a lot of steps to protect their confidential data. Almost all security measures, including encryption, are considered only while transferring information on the wire, not while storing it in the database. More often than not, it is stored as clear text in the database. In this article we see how database encryption can enhance the security of our data.
Selecting Application Security Vendors
by Jose Varghese in March 2005
Traditional security has always been focused on perimeter defense. With most organizations having strengthened their perimeters with firewalls, VPNs and intrusion detection systems, attackers have shifted their focus to the application layer. Most of these attacks are far more damaging than network layer attacks and primarily focus on weaknesses in the application such as poor input validation and insecure session management. For effective security, it is important for the enterprise to ensure that all business applications are tested for security as rigorously as they are tested for functionality and performance before they are deployed in production.
Best Practices in Input Validation
in December 2004
Last week, I polled our consultants on the most common software security errors they saw in 2004. Consultants from across our offices pointed out how simple input validation errors continue to be the #1 problem they see daily. This is really not a new problem; it’s just been a difficult one. I asked them for their list of best practices for validating inputs: the top 10 recommendations they have been making to clients on input validation. Here’s the list they came up with.
Catch'em Young - How to discover vulnerabilities early
by Roshen Chandran in November 2004
Bugs are introduced at every stage in the development lifecycle. Some of them are caught quickly in the same stage itself. However, many are caught only much later. Here’re the systems we find to be most effective to address security bugs.
Application Logs - Security Best Practices
by Dipesh Rawal in October 2004
Security logs capture the security-related events within an application. They help detect security violations and flaws in the application, and help reconstruct user activities for forensic analysis. Shortlisting the events to log and the level of detail are key challenges in designing the logging system. This article simplifies the selection by presenting the options that many critical applications chose.
Controls for Outsourcing Software Development
by Giridhar T M in October 2004
When you outsource software development, how do you ensure that security has been adequately addressed by the vendor? In this article we look at the controls that you need to put in place over the vendor at the various stages of the development lifecycle.
Training your Developers
by Shaheem Motlekar in September 2004
The most effective way to secure applications is by writing them securely; and the best way to achieve this is by training your development team to write safer applications. This article presents the key components of a security program for your development team.
Security at Software Requirements Specification
by Roshen Chandran in August 2004
Applications designed with security in mind are safer than those where security is an afterthought. Traditionally, security issues are first considered during the Design phase of the Software Development Life Cycle (SDLC), once the Software Requirements Specification (SRS) has been frozen. That’s one stage too late.
Authentication - Security Best Practices
by Roshen Chandran in July 2004
Authentication modules are the most exploited pieces in a web application. We look at ten good practices that ensure your authentication system is safe against an attack.