Archive for the 'General' Category

The Building Security In Maturity Model (BSIMM)

The Building Security In Maturity Model (BSIMM) was developed in collaboration with Cigital to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.

http://bsimm2.com/

http://www.informit.com/articles/article.aspx?p=1332285


OWASP Top 10 2010

The Open Web Application Security Project (OWASP) released a new top 10 list at its conference in Washington, D.C.

A1 – Injection
A2 – Cross Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Failure to Restrict URL Access
A8 – Unvalidated Redirects and Forwards (NEW)
A9 – Insecure Cryptographic Storage
A10 – Insufficient Transport Layer Protection

Two new items appeared in the list that were not in the Top 10 2007 list: Security Misconfiguration, and Unvalidated Redirects and Forwards. The two items that dropped out of the list are Malicious File Execution, and Information Leakage and Improper Error Handling.

The list, currently in Release Candidate stage, can be downloaded from the OWASP website.

UPDATE: The final version of the OWASP Top 10 2010 has been released.
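As an added illustration of one of the two new categories, A8 (Unvalidated Redirects and Forwards), here is a constructed Python example that is not part of the original post or of the OWASP document: a redirect handler that passes a user-supplied `next` parameter straight through, beside a version that resolves the parameter against the application's own origin and only allows an allow-listed set of hosts. The origin `https://app.example.test`, the hosts in `ALLOWED_HOSTS` and the sample inputs are all made up for this example.

```python
"""Unvalidated redirect (OWASP Top 10 2010, A8) beside a validated form.

Constructed example: the origin, the allow-list and the sample URLs below
are invented for illustration and do not describe any real application.
"""
from urllib.parse import urljoin, urlparse

# Hypothetical application origin and the only hosts it may redirect to.
APP_ORIGIN = "https://app.example.test"
ALLOWED_HOSTS = {"app.example.test", "sso.example.test"}


def redirect_unvalidated(next_url: str) -> str:
    """Vulnerable pattern: the 'next' parameter becomes the Location header
    unchanged, so any external URL a user was tricked into clicking on is
    honoured and the redirect carries the trusted site's name."""
    return next_url


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return a Location value that stays on an allow-listed host.

    Rules applied:
    - relative paths are resolved against APP_ORIGIN, so "/account" is fine
      while a protocol-relative "//other.host/x" resolves to that other host
      and is then rejected by the host check;
    - absolute URLs must use http(s) and an allow-listed host;
    - anything else (javascript:, data:, userinfo tricks, backslashes or
      CR/LF that could smuggle extra headers) falls back to a safe page.
    """
    if not next_url or any(c in next_url for c in "\\\r\n"):
        return fallback
    resolved = urljoin(APP_ORIGIN + "/", next_url)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    if parts.username or parts.password:   # e.g. https://app.example.test@other.host/
        return fallback
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs a login page might receive in ?next=...
    samples = [
        "/account",
        "//other.example.test/x",
        "https://sso.example.test/login?rt=1",
        "javascript:alert(1)",
        "",
    ]
    for s in samples:
        print(f"{s!r:45} unvalidated={redirect_unvalidated(s)!r:40} "
              f"validated={safe_redirect_target(s)!r}")
```

The design choice worth noting is that the validated version resolves the parameter first and checks the resulting host, rather than pattern-matching the raw string; that is what makes protocol-relative and scheme-less inputs land in the same check as fully qualified URLs.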


Hakin9 Magazine 2/2009

hakin9 is a magazine about hacking and IT security, covering techniques of breaking into computer systems, defence and protection methods. Our magazine is useful for all those interested in hacking – both professionals (system administrators, security specialists) and hobbyists.

hakin9 offers an in-depth look at both attack and defense techniques and concentrates on difficult technical issues.

hakin9’s target readers are those responsible for IT system security, programmers, security specialists, professional administrators, as well as people taking up security issues in their free time.

Content:

  • Analyzing Malware
  • Metasploit Alternate Uses for a Penetration Test
  • Backdooring Frameworks
  • The Real World Clickjacking
  • Apple Super Drive. Set It Free
  • Mapping HTTP Interface Embedded Devices
  • How Does Your Benchmark of Physical Security Affect Your Environment?
  • iPhone Forensics
  • Safer 6.1
  • Making Open Security Research Sustainable
  • Interview with Raffael Marty
  • Self exposure with…

http://www.hakin9.org/en


EULAlyzer

Do you ever read the license agreements that are presented when registering on a website or before you install software? If you are like most people, you probably do not. With EULAlyzer you can scan those license agreements for keywords that might be interesting, and the application will highlight them for you.

http://www.javacoolsoftware.com/eulalyzer.html


Word: Paste Special Unformatted Text keyboard shortcut

People who use Microsoft Word occasionally might find the following information useful. It is a guide to configuring a keyboard shortcut in Microsoft Word to paste text without formatting. I use this feature quite a lot myself. Normally you have to click ‘edit’ – ‘paste special’ – ‘paste without formatting’ – ‘ok’, but this guide simply shows you how to record that as a macro and bind it to a keyboard shortcut, so you can copy and paste without formatting with a single key combination. Simple, but very efficient!

http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=128


Web application performance testing

I found the following software useful in my search for software and tools to measure the performance and stability of web servers:

Webload

Webload is an easy-to-use and great piece of software to measure performance with. Its biggest limitation is its inability to run tests over HTTPS (at least in the free version).

http://www.webload.org

OpenSTA

OpenSTA is a free solution that can also handle HTTPS connections. It is less user-friendly than Webload, so it will take you a little more time to get the results you want with this tool.

http://www.opensta.org/

Web Application Stress Tool

This is also a free tool, developed by Microsoft. With this tool you can also walk through a web application and replay the recorded transactions. The disadvantage of this tool is that it is not possible to configure an external proxy, should one be required to connect to the web application you are testing. It also monitors fewer parameters than the other two tools.


Splunk

Splunk can be used to search, navigate, alert and report on all your IT data in real time: logs, configurations, messages, traps and alerts, scripts, code, metrics and more. Splunk is the perfect complement to Nagios: Nagios monitors your network for problems and Splunk helps you get to the root cause.

http://www.splunk.com/


Hex

A nice collection of networking and security monitoring tools, downloadable as a bootable ISO or as virtual machine images:

http://www.rawpacket.org/projects/hex


Back online!

We are back online after a move to a different server!

We moved away from B-Smarthosting.net because the guys do not give any support within 2 weeks after posting a question and without sending reminders. We are now located at Stone-IS.net and are pleased so far!

BTW: The best B-Smarthosting can offer from SSL services is SSL 2.0 ;-)


Content

voipsec, infocard, cardspace, eid, ws*, saml, x-informationCard, identity management, single sign-on, Web Services Security, The Laws of Identity, STS, RP, IDP, ….? that’s about the stuff you will find here!


Hello world!

Welcome to my blog. You will find different types of content here, but in the coming days and weeks especially content concerning my thesis: Identity Management & Windows CardSpace.

Enjoy!
