Collaborate Disseminate
OWASP Core Rule Set has many versions the latest is version 4.0 (release candidate), but I cannot find any indication about compatibility among various modsecurity releases.
Could these be used with any modsecurity version, or is there som… Continue reading Compatibility of ModSecurity Core Rule Set 4
According to the OWASP Cheat Sheet on Certificate Pinning, their recommendation is to pin to the leaf certificate, but also pin to the intermediate CA as a backup.
Any security measure is only as good as its weakest link, so in this case i… Continue reading Benefits of certificate pinning to leaf with intermediate as a backup?
Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).
The post Top 10 Security, Operational Risks From Open Source Code appeared first on SecurityWeek.
Continue reading Top 10 Security, Operational Risks From Open Source Code
42Crunch has become corporate member of the Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software. 42Crunch have always been inspired by OWASP’s role as an enable… Continue reading 42Crunch joins OWASP as a corporate member to advance API security
ModSecurity 3.0.8
ModSecurity-Nginx 1.0.3
CRS 4.0.0-rc1
I have a marketplace where sellers can list anything for sale. On the "item description" section, we allow users to copy and paste their HTML formatting, like eBay does. We… Continue reading ModSecurity / CRS: Need custom rule to deal with false positive (user-inserted HTML formatted listings)
I have problem when implementing modsecurity and crs. Here is the issue, I hope anyone can give us some guide for resolving this issue.
Apache version :
Server version: Apache/2.4.29 (Ubuntu) Server built:
2022-06-23T12:51:37
ModSecurity… Continue reading Execution error – PCRE limits exceeded
A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and addressing known security flaws. Once the vulnerabilities are pinpointed, they are classified based on how… Continue reading 5 open-source vulnerability assessment tools to try out
OWASP’s Authentication Cheat Sheet states unequivocally:
Do NOT allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware / DB) to any front-end user-interface.
… Continue reading Interpreting OWASP prohibition: no sensitive-account login to any frontend interface
In this Help Net Security video, we take you inside Black Hat USA 2022 at the Mandalay Bay Convention Center in Las Vegas. The video features the following vendors: Abnormal Security, Adaptive Shield, Airgap, Akamai, Anomali, Arctic Wolf Networks, Aris… Continue reading Black Hat USA 2022 video walkthrough
I found a project that uses T-SQL’s newsequentialid() for one of their external ID columns which is used for public APIs.
When that column is added to an existing table, each row gets an incremented GUID.
Is this bad?
A malicious user coul… Continue reading Is using newsequentialid bad?