Skip to main content

Security is a Mindset

Three Principles:
  • Defense in Depth - Redundant safegaurds are valuable.
  • Least Privilege - grant as little freedom as possible.
  •  Least complicated - Complexity breeds mistakes.
 (From Shiflett's Evolution of Web Security)
  Trust Nothing, Assume Nothing


Server Side Security
  •  Install Suhosin patch.
  •  Be smart about your passwords.
  •  Disable register globals, magic quotes,etc.
  •  Never run PHP/Apache/Nginx/etc as administrator.
  •  Keep up with Patches.
Labels:

Comments

Post a Comment

Popular posts from this blog

The Difference between DB and DB_EXTENDED

When doing Audit on any table on the the database , the default auditing is DB. SQL > show parameters audit_trail NAME                                 TYPE        VALUE ------------------------------------ ----------- ------------------------------ audit_trail                          string      DB in this case , when you do audit on some table. SQL> audit all on scott.emp by access; Audit succeeded SQL> update emp set sal=sal*0.95 where job='MANAGER'; 3 rows updated. if you want to know the statement made these changes, you will receive nothing on the sql_text field while you are selecting the audit_trial table.
Post a Comment
Read more

SQL Injection Test 1

Search Google about Dork List 2013 SQL Injection Here are some from the list is :       http://tutsql.blogspot.com/2013/06/dork-list.html       http://securitypedia.blogspot.com/p/dork-list-2013_7588.html     -- choose one way of them to google it like : inurl:newsdetail.php?id=
Post a Comment
Read more

Do you think , Google makes a mistake ?

It seems Google makes a new mistake by launching its new security key (2-step verification)  one of the steps is USB device .  The question  :how come can i plug USB into my mobile (I-Phone , I-Pad , Samsung Galaxy , ....) !  Do Google know the difficulties while you are holding a USB on your hand all the time .  so You can't access  your  account if it's not in your hands. or it's damaged ?  This solution is hopeless , I think it's designed for small audience. As someone says : Can you convince the Bank Manager while you are putting the USB Device into the bank PC, that you are securing your PC , not stealing the bank data, or not transferring amounts of money to other account . or what else .  You know , This way is not quietly good , If I have many accounts on Google and other websites ,I need many  USB devices to verify myself.  That's of course , not good at all.
Post a Comment
Read more