Featuring 26 Papers as of June 17, 2014
Survey on Application Security Programs and Practices
by Jim Bird, Frank Kim - February 12, 2014
- Associated Webcasts: Application Security Programs On the Rise, Skills Lacking: A SANS Survey
- Sponsored By: Qualys Hewlett Packard Veracode
Survey shows application security programs on the rise but skill are lacking.
Application Security: Tools for Getting Management Support and Funding
by John Pescatore - October 4, 2013
- Associated Webcasts: John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security
- Sponsored By: WhiteHat Security
This paper provide tools and techniques that demonstrate the need for better application security and the appropriate level of investment.
Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
by Erik Couture - June 14, 2013
An ever-increasing number of high profile data breaches have plagued organizations over the past decade.
Which Disney© Princess are YOU?
by Joshua Brower - March 18, 2010
Social engineering takes many form; some obvious, some not so obvious. One not so obvious form is that of questionnairesbe it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
Secure Authentication on the Internet
by Roger Meyer - February 1, 2008
This paper covers current Internet authentication mechanisms and possible attacks. It helps the reader to understand todays issues with authentication mechanisms. To understand the attack vectors, one has to know the current attack trends. Authentication systems can be classified according to their resistance against common attacks. Ten different authentication systems will be introduced and classified accordingly.
Software Engineering - Security as a Process in the SDLC
by Nithin Haridas - August 7, 2007
Most of the Application developers align to the Software Engineering Principles that follow through a standardized SDLC phases, but never consider or have a disciplined process to address the factor called Security in any of the phases. Does authentication and authorization mechanism (like Login and Password) on applications make them secure? Do these security considerations on developed application help them to address security in its entirety? Security attacks at the application layer have made the organizations realize the fact that security needs to be considered at the same priority as its functionality. This paper explains about how Security as a process can be incorporated or identified in the Software Engineering principles1 (SDLC phases) and how Organizations can leverage upon considering Security as an effective process within the existing development framework.
How to Avoid Information Disclosure when Managing Windows with WMI
by Alex Timkov - July 17, 2007
This paper provides an introduction to accessing Windows via WMI in a secure manner.
PowerBroker vs. Sudo
by Jerry Shenk, Steve Mancini - February 17, 2006
- Sponsored By: Symark Software
This paper will explore the places where PowerBroker's capabilities exceed sudo's capabilities and help companies determine where the implementation of PowerBroker will enhance their security posture.
Threat Modeling: A Process To Ensure Application Security
by Steven Burns - October 5, 2005
Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.
A Proactive Approach Toinformation Security
by Sandeep Gupta - July 24, 2004
Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.
Defeating Overflow Attacks
by Jason Deckard - June 9, 2004
Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.
A Security Checklist for Web Application Design
by Gail Bayse - May 2, 2004
Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation.
XML Web Services Security and Web based Application Security
by Chris Kwabi - September 9, 2003
This paper provides high-level insights into how to create secure distributed, language neutral, platform independent web based applications using XML Web Services.
A Tour of TOCTTOUs
by Craig Lowery - May 23, 2003
This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.
A Web Developer's Guide to Cross-Site Scripting
by Steven Cook - February 11, 2003
This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.
Web Application Security - Layers of Protection
by William Fredholm - February 10, 2003
This paper reviews some of the large number of resources available for creating secure Web applications.
Designing Secure Solutions with .NET
by Bill Ferreira - November 11, 2002
Writing secure code and knowing how the environment impacts security is important to designing secure software.
Secure Software Development and Code Analysis Tools
by Thien La - September 30, 2002
The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.
Securely Programming in C
by Sayed Ahmed - September 24, 2002
This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions), topics such as overflows are relevant in Windows too.
The Intrinsic Hole In Information Security
by Douglas Gaer - August 15, 2002
The lack of type safety in the C program crates a massive hole in information security.
SQL Injection: Modes of Attack, Defence, and Why It Matters
by Stuart McDonald - July 18, 2002
A look at some of the methods available to a SQL injection attacker and how they are best defended against
Security Techniques for Mobile Code
by Nathan Macrides - July 11, 2002
This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting users system.
Inside the Buffer Overflow Attack:Mechanism, Method, & Prevention
by Mark Donaldson - April 3, 2002
The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".
Improving Software Security During Development
by Robert Usher - March 26, 2002
This paper will explore the basis for creating secure software and systems during development.
The Security Challenges of Offshore Development
by Rob Ramer - September 26, 2001
This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.
Insecurity of Inputs to CGI Program
by Suhairi Jawi - September 19, 2001
This paper is to list some points that each web programmer has to consider while coding a web based application that interacts with user inputs through CGI as well as tools that can be used to test it.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.