Featuring 23 Papers as of June 14, 2013
Web Application Injection Vulnerabilities: A Web App's Security Nemesis?
Erik Couture - June 14, 2013
An ever-increasing number of high profile data breaches have plagued organizations over the past decade.
Which Disney© Princess are YOU?
Joshua Brower - March 18, 2010
Social engineering takes many forms: some obvious, some not so obvious. One not so obvious form is that of questionnaires, be it a knock on the door to answer a survey for a census worker, or a harmless quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.
Secure Authentication on the Internet
Roger Meyer - February 1, 2008
This paper covers current Internet authentication mechanisms and possible attacks. It helps the reader to understand today's issues with authentication mechanisms. To understand the attack vectors, one has to know the current attack trends. Authentication systems can be classified according to their resistance against common attacks. Ten different authentication systems will be introduced and classified accordingly.
Software Engineering - Security as a Process in the SDLC
Nithin Haridas - August 7, 2007
Most application developers align to Software Engineering Principles that follow standardized SDLC phases, but never consider or have a disciplined process to address the factor called Security in any of the phases. Do authentication and authorization mechanisms (like Login and Password) on applications make them secure? Do these security considerations on a developed application help address security in its entirety? Security attacks at the application layer have made organizations realize the fact that security needs to be considered at the same priority as functionality. This paper explains how Security as a process can be incorporated or identified in the Software Engineering principles (SDLC phases) and how organizations can leverage considering Security as an effective process within the existing development framework.
How to Avoid Information Disclosure when Managing Windows with WMI
Alex Timkov - July 17, 2007
This paper provides an introduction to accessing Windows via WMI in a secure manner.
Threat Modeling: A Process To Ensure Application Security
Steven Burns - October 5, 2005
Application security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable applications and administer other malicious activities aimed at the software application.
A Proactive Approach To Information Security
Sandeep Gupta - July 24, 2004
Some software vendors already endeavor to deliver software systems that provide Confidentiality, Integrity, and Availability of a customer's software, hardware, and data assets.
Defeating Overflow Attacks
Jason Deckard - June 9, 2004
Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from an attack.
A Security Checklist for Web Application Design
Gail Bayse - May 2, 2004
Web applications are very enticing to corporations. They provide quick access to corporate resources and user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons, web applications can be a serious security risk to the corporation.
A Tour of TOCTTOUs
Craig Lowery - October 31, 2003
This paper characterizes this particular category of security vulnerabilities, describes various types of TOCTTOUs and particular situations in which they have arisen historically, and presents a short set of guidelines for reducing or eliminating these flaws.
Insecurity of Inputs to CGI Program
Suhairi Jawi - October 31, 2003
This paper lists some points that each web programmer has to consider while coding a web based application that interacts with user inputs through CGI, as well as tools that can be used to test it.
The Security Challenges of Offshore Development
Rob Ramer - October 31, 2003
This paper will attempt to take a small step in raising the security community's awareness of growing security risks related to off-shore development by examining some of the issues and potential threats.
Improving Software Security During Development
Robert Usher - October 31, 2003
This paper will explore the basis for creating secure software and systems during development.
Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention
Mark Donaldson - October 31, 2003
The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".
Security Techniques for Mobile Code
Nathan Macrides - October 31, 2003
This paper discusses the various techniques and trust models needed to enforce a level of security that prevents malicious mobile code from infiltrating and running on an unsuspecting user's system.
Securely Programming in C
Sayed Ahmed - October 31, 2003
This paper will discuss what I feel are the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions); topics such as overflows are relevant in Windows too.
Secure Software Development and Code Analysis Tools
Thien La - October 31, 2003
The first half of this document discusses secure coding techniques and the latter section contains the results of the research and tests conducted on some freely available source code analysis tools.
Designing Secure Solutions with .NET
Bill Ferreira - October 31, 2003
Writing secure code and knowing how the environment impacts security is important to designing secure software.
XML Web Services Security and Web based Application Security
Chris Kwabi - October 31, 2003
This paper provides high-level insights into how to create secure distributed, language neutral, platform independent web based applications using XML Web Services.
A Web Developer's Guide to Cross-Site Scripting
Steven Cook - October 31, 2003
This paper describes how cross-site scripting works and what makes an application vulnerable, along with suggestions for developers about tools for discovering cross-site scripting vulnerabilities in their applications and recommended practices for creating applications that are less vulnerable to the attack and more resilient against successful cross-site scripting attacks.
Web Application Security - Layers of Protection
William Fredholm - February 10, 2003
This paper reviews some of the large number of resources available for creating secure Web applications.
The Intrinsic Hole In Information Security
Douglas Gaer - August 15, 2002
The lack of type safety in the C programming language creates a massive hole in information security.
SQL Injection: Modes of Attack, Defence, and Why It Matters
Stuart McDonald - July 18, 2002
A look at some of the methods available to a SQL injection attacker and how they are best defended against.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
All papers are copyrighted. No re-posting or distribution of papers is permitted.