Thursday, December 21, 2006
Top Ten Overview
The following list summarizes the OWASP Top Ten. However, we strongly recommend reading the full report, as each area covers quite a lot of ground.
A1 Unvalidated Input
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
A2 Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
A3 Broken Authentication and Session Management
Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
A4 Cross Site Scripting
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
A5 Buffer Overflow
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
A6 Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
A7 Improper Error Handling
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
A8 Insecure Storage
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
A9 Application Denial of Service
Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
A10 Insecure Configuration Management
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
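As an added illustration that is not part of the OWASP report or of this post, the Python handler below shows the defensive counterpart of four of the listed areas: allowlist validation of a request parameter (A1), a parameterized query shown beside the string-concatenated lookup it replaces (A6), escaping of everything written into HTML (A4), and generic error responses that keep details out of the client's view (A7). The in-memory sqlite3 table, its two users and the function names are constructed for this example.

```python
import html
import re
import sqlite3

# Constructed stand-in for the web application's backend database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.com"), ("bob", "bob@example.com")],
)

# A1: positive validation. Only values matching the allowlist pattern
# are accepted; everything else is rejected before it touches any backend.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,15}$")


def validate_username(raw):
    """Return the username if it matches the allowlist, else None."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        return None
    return raw


def lookup_vulnerable(raw):
    """A6 anti-pattern, kept only for contrast: the request parameter is
    pasted into the SQL text, so quote characters change the query."""
    query = "SELECT name, email FROM users WHERE name = '" + raw + "'"
    return _conn.execute(query).fetchall()


def lookup_safe(name):
    """A6 fix: the parameter travels separately from the SQL text, so the
    database treats it as data no matter what characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return _conn.execute(query, (name,)).fetchall()


def render_profile(rows):
    """A4: escape every value before it is placed into HTML."""
    return "".join(
        "<li>%s &lt;%s&gt;</li>" % (html.escape(name), html.escape(email))
        for name, email in rows
    )


def handle_request(params):
    """Tie the pieces together; returns (status, html_body).

    A7: the client only ever sees a generic message. The exception itself
    belongs in the server log, never in the response."""
    name = validate_username(params.get("user", ""))
    if name is None:
        return 400, "<p>Invalid request.</p>"
    try:
        rows = lookup_safe(name)
    except sqlite3.Error:
        # Log the exception server-side here; do not echo it to the client.
        return 500, "<p>Internal error.</p>"
    if not rows:
        return 404, "<p>No such user.</p>"
    return 200, "<ul>" + render_profile(rows) + "</ul>"
```

Calling lookup_vulnerable with a value containing a single quote shows why A1 and A6 are listed separately: the allowlist stops such input at the door, and the parameterized query makes the lookup safe even for input that passed no validation at all.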
Tuesday, December 19, 2006
http://www.realclearpolitics.com/articles/2006/12/duke_case_the_worst_worsens.html
--------------------------------------------------------------------------------
December 19, 2006
Duke Case: The Worst Worsens
By Thomas Sowell
In his book "The Great Crash 1929," John Kenneth Galbraith said: "The worst continued to worsen." The same can be said of the Duke University "rape" case and District Attorney Michael Nifong.
After all this time, it finally came out in court last week that the DNA samples collected from the underwear and private parts of the alleged victim contained DNA from other men -- but none from the Duke lacrosse players who were accused of raping her.
The head of the DNA testing laboratory testified in court under oath that both he and Nifong knew this and kept it secret.
You think that is incredible? How about a statement made afterwards by District Attorney Nifong that he didn't say anything about this publicly because he was "trying to avoid dragging any names through the mud"?
He certainly did not avoid dragging the names of the Duke lacrosse players through the mud. He not only denounced them, they were paraded in handcuffs in front of the national media. Their pictures were on every television news program across the country.
If these young men get completely exonerated, this episode will still follow them the rest of their lives. Yet they have not been convicted of anything and have not even gone to trial -- which is scheduled for next spring, if it ever takes place.
Indeed, they have not even been interviewed by the police or by the District Attorney who issued denunciations of these white lacrosse players when he was running for office and making a play for the black vote.
Nor has the District Attorney interviewed the woman who claimed to have been raped. In a "he said, she said" situation, anyone interested in the credibility of the two sides would at least have tried to find out what specifically they claimed.
But that is only if you care about the truth, rather than the politics of the situation. Politically, the District Attorney had a black woman who claimed that white men had raped her. That's all he needed to get elected.
Nifong has shown from day one what he was interested in. Showing the "rape" victim only photographs of white Duke lacrosse players was a violation of the basic principles of a lineup.
People who are known to be innocent are included in lineups just to test the credibility of whoever is identifying those picked out as guilty.
If you pick out somebody who was known to be overseas at the time, there goes your credibility. But District Attorney Nifong was not about to risk having the accuser's credibility tested, and certainly not before his election.
All the evidence that has come out has pointed the other way. One of the alleged rapists has a paper trail that shows he wasn't even there when he was supposed to be raping the "exotic dancer."
A black cab driver says he was with him, going to a bank's ATM to get some money -- and bank records show him there at the time when he was supposed to be committing rape.
When confronted with the fact that DNA tests failed to show that any of the Duke lacrosse players' DNA was present on the "exotic dancer," Nifong said that they could have used condoms.
Every part of your body has DNA that is left wherever you have had bodily contact. When you shake someone's hand, you leave your DNA. Each Duke student would have to have had a giant condom covering his whole body to avoid leaving DNA on someone he raped.
Far more is involved in this case than the misdeeds of one District Attorney. There is a segment of the black community -- a small segment, we can hope -- that figures it is payback time for all the black men who have been railroaded to jail on trumped-up charges involving the rape of white women.
The local branch of the NAACP, an organization which fought against such injustices in times past, has thrown its weight behind those who are trying to railroad three white students, who were not even born when these other injustices occurred.
Winston Churchill once said, "If the past sits in judgment on the present, the future will be lost." Nowhere is that more true than when dealing with the explosive mixture of race and politics.
Nifong deserves to be removed from office and disbarred. If he gets away with all this, it will be a blank check for every prosecutor in the country to abuse the powers of the office.
Copyright 2006 Creators Syndicate
Tuesday, December 05, 2006
Bad apples and public schools
By Terence Jeffrey
Wednesday, November 29, 2006
Suppose there were a law that forced you to pay a government agency for apples you were supposed to feed your children.
The government didn't care if you grew your own apples or if your neighbor grew apples you liked better than the government's brand -- the law compelled you to pay for the state's product whether you wanted it for your children or not.
Now, suppose many people who actually fed their children public apples discovered something wrong with them. Some apples were bitter, others mushy and others rotten to the core.
When they complained to the public-apple agencies, agency bureaucrats and their union would say: "Excuse me, the bad apples are not our fault. You need to give us more money so we can build better apple storage facilities, and so we can pay better wages to apple handlers."
So the government forced everybody to pay more for its apples.
Now, the public-apple agencies built beautiful new apple storage facilities. They paid their apple handlers handsomely. Still, a disturbing number of apples remained bitter, mushy or rotten to the core.
In the face of new complaints, the bureaucrats and their union declared, "We need a federal Department of Apples."
Conservatives fruitlessly argued that the Constitution does not authorize a federal Department of Apples. Congress created one anyway. The new DOA spent vast sums paying its own bureaucrats and subsidizing local government apple agencies. Still, many public apples remained bitter, mushy or rotten to the core.
A "compassionate conservative" -- N.B. a "big government conservative" -- was elected president. He advocated giving even more federal aid to local public-apple agencies in exchange for a federal "apple accountability" program. Under the program, states were required to test their apples every year, with the goal that after 13 years every public apple would be good enough to eat.
After several years, the tests showed almost no improvement in public apples. Apple agency bureaucrats and their union representatives complained that the apple-accountability standards were unrealistic. So the secretary of apples relaxed the standards, and the compassionate conservative president called on Congress to reauthorize the program.
The public apple in this parable, of course, is public education -- which is indeed rotten in many places.
If there is one thing the Department of Education does well, it is collect statistics about schools. According to its National Center for Education Statistics, Americans in recent decades paid for a massive increase in spending on government schools. Between the 1970 and 2002 school years, average per-pupil spending in public elementary and secondary schools rose 111 percent, from $4,170 (in constant 2001-2002 dollars) to $8,802.
From just 1990 to 2003, average per-pupil spending increased 25 percent, from $7,692 (in constant 2003-2004 dollars) to $9,644.
This big run-up in spending did not cause a big run-up in student performance.
Since the early 1990s, NCES has periodically administered National Assessment of Educational Progress tests to a sampling of elementary school students. The tests are graded on a scale of zero to 500, and students are anonymously assigned an achievement level of "below basic," "basic," "proficient" or "advanced." "Basic" means the student had only a "partial mastery" of the subject appropriate for the grade level.
NAEP reading scores for eighth-grade public school students remained essentially static between 1998 and 2005. In 1998, eighth-graders averaged a score of 261 out of 500 in reading. In 2005, they averaged 260. Only 29 percent were rated grade-level "proficient" or better.
In other words, 71 percent rated less than proficient in reading.
Math results were a little better. Between 1990 and 2005, the average eighth-grade score rose from 262 to 278. Again, only 29 percent were rated grade-level proficient or better.
In other words, 71 percent rated less than proficient in math.
Private schools did better. The 2005 NAEP tests rated students in Catholic and Lutheran schools. Forty-nine percent of eighth-graders in both rated "proficient" or better in reading. Forty-four percent of eighth-graders in Lutheran schools, and 40 percent in Catholic schools, rated "proficient" or better in math.
Increasing per pupil spending by another 111 percent -- whether it is done by compassionate conservatives in Washington, D.C., or plain old liberals in your home state -- will not fix public schools.
It's time to give all American parents vouchers equal to the per-pupil spending in local government schools. Then parents can decide whether the government schools deserve their children -- or whether they will try the apples elsewhere, thank you.