2010 Aspect "JavaSnoop: How to hack anything in Java"

JavaSnoop is the vanguard in tools for testing the security of Java desktop applications or applets. It allows you to easily "jump into" and begin hacking any Java process on your machine. It's like an HTTP proxy, but for your Java VM.

2008 Aspect "Bypassing Web Authentication and Authorization with HTTP Verb Tampering"

Many URL authentication and authorization mechanisms make security decisions based on the HTTP verb in the request, and many of them work in an unexpected way: a rule that lists verbs applies only to those verbs, leaving every other verb unconstrained. Combined with some oddities in the way servers handle irregular HTTP verbs, this lets an attacker bypass the rules those mechanisms were meant to enforce. This paper discusses the vulnerability in detail and how the various vendors are affected.
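The paper's examples are J2EE web.xml security constraints; the model below is written for this page in Python (it is not the paper's code) and parses two constructed web.xml fragments the way a servlet container would. The weak fragment lists GET and POST, so a HEAD or a made-up verb such as "JEFF" sent to the same URL matches no constraint and is let through, and since HttpServlet.service() serves HEAD with doGet, the protected code still runs. The fixed fragment omits http-method entirely. The first-match rule and the servlet dispatch table are simplifications assumed here.

```python
"""Model of how a J2EE container evaluates web.xml security-constraint rules,
showing why listing http-method elements opens a verb-tampering bypass.
Constructed for this page; not code from the paper."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment. Listing GET and POST means those are the ONLY
# verbs for which the admin role is required.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Fixed: no http-method element at all, so the constraint covers every verb.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def parse_constraints(web_xml):
    """Return [(url_patterns, methods, roles)] from each security-constraint.
    methods is None when no http-method is listed (all verbs covered);
    roles is None when there is no auth-constraint (resource unprotected)."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        constraints.append((patterns, methods or None, roles))
    return constraints


def matches(pattern, path):
    """Servlet-style matching for exact patterns and '/prefix/*' patterns."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def is_permitted(constraints, method, path, user_roles):
    """Container decision (simplified to first matching constraint): a request
    is only checked against constraints whose url-pattern AND http-method list
    cover it; a request covered by nothing is unconstrained and permitted."""
    method = method.upper()
    for patterns, methods, roles in constraints:
        if not any(matches(p, path) for p in patterns):
            continue
        if methods is not None and method not in methods:
            continue          # verb not listed: this constraint does not apply
        if roles is None:     # no auth-constraint: anyone may access
            return True
        if not roles:         # empty auth-constraint: nobody may access
            return False
        return bool(set(roles) & set(user_roles))
    return True               # nothing covered the request


def handler_for(method):
    """Assumed model of HttpServlet.service(): HEAD is served by doGet with
    the body discarded, so a HEAD that slips past the ACL runs the GET logic."""
    return {"GET": "doGet", "HEAD": "doGet", "POST": "doPost"}.get(method.upper())


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        rules = parse_constraints(xml)
        for verb in ("GET", "POST", "HEAD", "JEFF"):
            print(label, verb, "/admin/users anonymous ->",
                  "permitted" if is_permitted(rules, verb, "/admin/users", []) else "denied",
                  "handler:", handler_for(verb))
```

The same shape of mistake appears in Apache `<Limit GET POST>` sections. Later servlet specifications added `<http-method-omission>` (Servlet 3.0) and `<deny-uncovered-http-methods/>` (Servlet 3.1) precisely to close this gap; the portable fix that works everywhere is to list no verbs at all.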

2008 Aspect "File Download Injection"

Many applications have custom code to serve up files, usually named something like "download.jsp", "report.php", or just "/download". Developers have to add a few headers to the response to tell the browser what to do with the file. If any of those headers includes unvalidated input, a crack is opened for the attacker, who can inject a file download into the response and take it over from the inside.
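The following Python model, added here and not taken from the paper, shows the vulnerable header builder beside a hardened one. The download name is assumed to come straight from a request parameter; the attacker value, the file body and the allowed extensions are all constructed for the illustration.

```python
"""File download injection: an unvalidated filename reaches Content-Disposition.
Constructed example for this page, not the paper's code."""
import re
import unicodedata

# Constructed attacker value: it terminates the Content-Disposition header,
# adds a Content-Type of its own and then supplies a body.
ATTACK_NAME = "report.txt\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>"
BODY = b"quarterly figures, 2 pages"  # constructed file content


def unsafe_headers(filename):
    """Vulnerable: the requested name is copied into the header unvalidated."""
    return [
        "Content-Type: application/octet-stream",
        "Content-Disposition: attachment; filename=" + filename,
    ]


# Positive pattern: a short stem plus one of the extensions this endpoint serves.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|pdf|csv)")


def safe_filename(filename):
    """Hardened: normalise, then require a full match against the allow-list.
    Path separators, CR/LF and other control characters can never match."""
    if not isinstance(filename, str):
        raise ValueError("filename must be text")
    name = unicodedata.normalize("NFKC", filename)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unacceptable filename: %r" % filename)
    return name


def accepted(filename):
    """True if safe_filename would let the name through."""
    try:
        safe_filename(filename)
        return True
    except ValueError:
        return False


def safe_headers(filename):
    name = safe_filename(filename)
    return [
        "Content-Type: application/octet-stream",
        "X-Content-Type-Options: nosniff",       # stop MIME sniffing of the body
        'Content-Disposition: attachment; filename="%s"' % name,
    ]


def build_response(header_lines, body):
    """Serialise status line, headers and body the way a naive server would."""
    head = "\r\n".join(["HTTP/1.1 200 OK"] + header_lines)
    return (head + "\r\n\r\n").encode("latin-1") + body


def parse_response(raw):
    """What the browser sees: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


if __name__ == "__main__":
    hdrs, body = parse_response(build_response(unsafe_headers(ATTACK_NAME), BODY))
    print("injected headers:", hdrs)
    print("body now begins with:", body[:24])
    print("hardened accepts 'report.txt':", accepted("report.txt"))
    print("hardened accepts attack value:", accepted(ATTACK_NAME))
```

Most current servlet containers and frameworks refuse CR or LF inside a header value, which removes the header-splitting half of the attack, but the filename itself still decides what the browser does with the download (an `.hta` or `.exe` name on a text endpoint, for instance), so the allow-list on the name is the control that matters.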

2007 OWASP, "The Ten Most Critical Web Application Security Vulnerabilities"

Aspect Security led the OWASP team that developed the original OWASP Top Ten document in 2003 and was the primary contributor to the 2004 and 2007 updates. OWASP is dedicated to helping organizations understand and improve the security of their web applications and web services. This list was created to focus government and industry on the most serious of these vulnerabilities. Web application security vulnerabilities are highly exploitable and the consequence of an attack can be devastating. These vulnerabilities represent an equivalent magnitude of risk as network security problems, and should be given the same degree of attention.

2007 Aspect, "Enterprise Security Architecture: Managing Security across the Lifecycle"

The IT industry is doing a good job in "patching" the security holes in our networks and host operating systems. According to a recent Gartner study, only 25% of the attacks seen today are aimed at the network and host layers. That's the good news; the bad news is that our business applications are the attacker's new target of choice. Are we as good at "securing" our applications?

2006 Aspect/Ounce, "Opening the Black Box: A Source Code Security Analysis Case Study"

The report describes a detailed source code security review of a popular open source application, including how specific flaws may affect users, security trends of open source development, and guidelines that professionals should use for verifying the security of applications within their organization. The report documents a detailed security verification of Azureus, the popular open source BitTorrent client, by Aspect's team of application security experts supported by Ounce Labs' source code security analysis technology.

2005 Aspect, "Application Security Initiatives - The Best Defense Is a Good Offense"

Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressures by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern - organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications.

2004 Aspect/OWASP, "Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers"

What would you do if you outsourced your web application development to a software shop, only to find out years later that the code they produced is full of security holes? What would you do if you were a developer who wrote the code? Sound familiar? In many organizations, the knee-jerk reaction is to sue the developers on a breach of contract or negligence theory, but that's about the biggest mistake you can make. This column discusses how these disputes happen, how the contracts work, some of the arguments on both sides, and suggests a middle ground that will hopefully help guide you through a delicate situation.

2003 Aspect/OWASP, "How to Build an HTTP Request Validation Engine for Your J2EE Application"

"Never trust anything from the HTTP request." That's rule number one for web application security. If you fail, you open your application to many different forms of injection, overflow, and tampering. So validate everything, before you use it, right? It always sounds so simple, yet most development projects ignore the requirement or implement it very haphazardly. There are many alternative methods of implementing validation, but which is the best? In this article, we'll discuss approaches for validating all of the different parts of the HTTP request. Once we've nailed down a few requirements, we'll use the new regular expression package in Java 1.4 to demonstrate one way of implementing validation.
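The article builds its engine with the Java 1.4 regular expression package; the model below is added here in Python (not the article's code) to show the same approach: every part of the request the application consumes, method, path, parameters and the headers it reads, is canonicalized once and then matched in full against a positive pattern, with undeclared or duplicated parameters rejected outright. The rule tables and the two sample requests are constructed for the illustration.

```python
"""Allow-list HTTP request validation engine. Constructed example for this
page in Python; the article's own implementation is J2EE/Java 1.4 regex."""
import re
from urllib.parse import unquote

# One rule per input the application consumes: a positive pattern plus a
# length ceiling. Anything not declared here is rejected. (Constructed.)
PARAM_RULES = {
    "user": (re.compile(r"[a-z][a-z0-9_]{2,15}"), 16),
    "page": (re.compile(r"[0-9]{1,4}"), 4),
    "q":    (re.compile(r"[\w ]{0,64}", re.ASCII), 64),
}
# Headers the application actually reads; others are never used, so they are
# not validated here.
HEADER_RULES = {
    "host":       (re.compile(r"[a-z0-9.-]{1,253}(:[0-9]{1,5})?"), 259),
    "user-agent": (re.compile(r"[\x20-\x7e]{0,256}"), 256),
}
PATH_RULE = re.compile(r"(/[A-Za-z0-9_.-]+){1,8}")
METHODS = ("GET", "POST")


def canonicalize(value):
    """URL-decode exactly once and refuse input that is still encoded, which
    catches double-encoding tricks such as %252e%252e."""
    decoded = unquote(value)
    if "%" in decoded and unquote(decoded) != decoded:
        raise ValueError("multiply encoded input: %r" % value)
    return decoded


def _check(table, kind, name, values, problems):
    rule = table.get(name)
    if rule is None:
        problems.append("%s %r is not declared" % (kind, name))
        return
    pattern, max_len = rule
    if len(values) != 1:  # duplicated names are a classic tampering trick
        problems.append("%s %r given %d times" % (kind, name, len(values)))
        return
    try:
        value = canonicalize(values[0])
    except ValueError as exc:
        problems.append(str(exc))
        return
    if len(value) > max_len or not pattern.fullmatch(value):
        problems.append("%s %r failed its pattern" % (kind, name))


def validate_request(request):
    """request: {'method', 'path', 'params': {name: [values]}, 'headers': {...}}.
    Returns a list of problems; an empty list means every part is acceptable."""
    problems = []
    if request["method"] not in METHODS:
        problems.append("method %r not allowed" % request["method"])
    try:
        path = canonicalize(request["path"])
        if not PATH_RULE.fullmatch(path) or "/." in path:
            raise ValueError("path %r rejected" % request["path"])
    except ValueError as exc:
        problems.append(str(exc))
    for name, values in request["params"].items():
        _check(PARAM_RULES, "parameter", name, values, problems)
    for name, values in request["headers"].items():
        if name.lower() in HEADER_RULES:
            _check(HEADER_RULES, "header", name.lower(), values, problems)
    return problems


# Constructed sample requests.
GOOD_REQUEST = {
    "method": "GET", "path": "/account/view",
    "params": {"user": ["alice"], "page": ["2"]},
    "headers": {"Host": ["example.test"], "User-Agent": ["Mozilla/5.0"]},
}
BAD_REQUEST = {
    "method": "GET", "path": "/account/%2e%2e/admin",
    "params": {"user": ["alice' OR 1=1--"], "page": ["2", "3"], "debug": ["1"]},
    "headers": {"Host": ["example.test"]},
}

if __name__ == "__main__":
    print("good:", validate_request(GOOD_REQUEST))
    for problem in validate_request(BAD_REQUEST):
        print("bad:", problem)
```

The design choice that matters is rejection rather than cleaning: a value that fails its pattern is refused, never "fixed up", because sanitizing routines are where most bypasses live. The engine should run as a filter in front of every handler so that validation cannot be forgotten on one page.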

2003 Aspect/OWASP, "Access Control (aka Authorization) in Your J2EE Application"

I'm not sure how the web application development community got started using the term "authorization" -- but I'm not crazy about it. The simple problem is that developers frequently confuse it with "authentication" -- especially when it is abbreviated "auth". But, more fundamentally, people have used the term "access control" for the past 30 years on every type of system except web applications, and it's confusing to change. For this article, I'm going to talk about "access control" -- just remember that there are a whole bunch of people who like to call it "authorization."

2003 Aspect/OWASP, "Trustworthy Java - Are your apps bulletproof?"

For the first article in this series on Java security, we thought it would be appropriate to discuss what makes a Java application trustworthy. We know Trustworthy Computing is a Microsoft thing but in this article we are going to argue that Java folks ought to be paying close attention to what's going on in Redmond.

2002 Aspect, "Security Code Review - the Best Way to Find and Eliminate the Vulnerabilities in Your Web Application"

A rigorous code review focused on finding security flaws is really the only way to manage the security of your web application or web service code. These reviews are a cost-effective way to identify problems and start the process of remediation. The cost of code review services is dramatically outweighed by the expected consequences of attacks by hackers. Aspect has examined the code for complex web applications across many vertical markets, including health care, financial, e-commerce, and biotechnology. To date, we have not seen any that did not have at least one major exploitable hole.

What do you think?

We publish papers and do presentations on application security because we want to share our ideas and experiences with the world. If you find ideas you like or don't like, why not let us know?
