Web Application Security Consortium Announced
Posted by ivanr on February 26, 2004.
A new organisation has just been announced: the Web Application Security Consortium. The consortium, formed by leading web security companies (Application Security, KaVaDo, Sanctum, SPI Dynamics, Inc. and WhiteHat Security), aims to establish web application security standards and a common terminology (full press release). A Web Security Glossary has already been published.
Posted by ivanr at 11:42 AM
Paper on passive information gathering
Posted by ivanr on February 11, 2004.
TechnicalInfo.Net is an excellent resource for web security information. Gunter Ollmann has provided a set of great papers, observations, and links to information gathering tools available on the Internet. The latest addition to this collection is a Passive Information Gathering paper. In the paper he summarizes the techniques many seasoned security professionals use every day, in a tutorial-style, step-by-step document. It is a great read, even if you do use these techniques every day (it is guaranteed that you will learn something new).
Posted by ivanr at 10:14 AM
AVDL Committee Draft is out
Posted by ivanr on February 06, 2004.
This morning I got news of AVDL becoming a Committee Draft; you can get it here. AVDL (Application Vulnerability Description Language) wants to establish a standard communication protocol between entities with different roles involved in application vulnerability discovery, management, and protection. The web security scanner tools we have today do a good job with shiny reports, but AVDL is aiming to have those results fed automatically into your security management system. What you do from there is your problem. However, while your overworked employees are trying to find the time to fix the problem, you can have an automated protection tool (such as mod_security) protect the vulnerable application automatically.
Posted by ivanr at 04:10 PM
JIRA license for ModSecurity
Posted by ivanr on February 04, 2004.
I am very happy to announce that I've been granted a free JIRA license to use with ModSecurity! I am grateful to SourceForge for their facilities but, face it, the quality is not that good. Also, I have recently started using JIRA at work, and once you get used to it there is no turning back! Many thanks to the people at Atlassian for their help. Now I need to learn how to install it :)
Posted by ivanr at 10:23 AM
Free Apache hardening utility
Posted by ivanr on February 02, 2004.
Syhunt, a security tool company from Brazil, has released a free Apache configuration hardening utility. The utility reads Apache or PHP configuration files and gives warnings and suggestions on how to make the configuration more secure. I especially like the fact that they advise people to install and use mod_security :)
Posted by ivanr at 04:34 PM