WEB APPLICATION SECURITY

Monitoring of current information on the topic "Web Application Security" (Bezpečnost webových aplikací). The weblog is part of the information portal AKA-MONITOR, www.akamonitor.cz, run by doc. A. Katolický. This professional weblog mainly presents briefly annotated links to books, magazines, sources published on the internet and noteworthy professionally oriented events.

Name: Arnost Katolicky
Location: Plzeň, Czech Republic

Internet publicist running AKA-MONITOR www.akamonitor.cz, court-appointed expert witness at the Regional Court in Plzeň (KS Plzeň), associate professor (docent) at ZČU in Plzeň and at VŠMIE in Prague.

12.3.10

This blog has moved


This blog is now located at http://web-sec.akamonitor.cz/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://web-sec.akamonitor.cz/feeds/posts/default.

MIGRATION of the blog

As I mentioned, changes are taking place on the server.
Today I will move this FTP blog to a new address:
http://web-sec.akamonitor.cz
After the move, a message in English should appear
announcing that an automatic redirect will be performed
and offering the address in case of trouble.
So next time, at the new address!

Security World 1/10

www.securityworld.cz
User identity under management
New Windows and network security
The right e-mail strategy pays off
Successful attacks on the data mailbox (datová schránka) are not an illusion
Whitelisting: Security that brings salvation
(Bonus aka) Linking physical and IT security
The next issue comes out on 2 June
Issue theme: Security event management

16.2.10

Changes on the AKA MONITOR portal

Just today I replaced the content of my portal's home page:
http://www.akamonitor.cz.
I approached it rather unconventionally; I was inspired by the notice board
in front of a municipal office :-).
I handed the role of the main signpost over to the SITE MAP page at:
www.akamonitor.cz/sitemap.htm, where you will find an INDEX of a large
part of my web pages, created over the 15 years of the AKA MONITOR
portal's existence.
I have also placed 3 tools on the SITEMAP page:
- a search box (Google, directed inside the domain),
- a box for WolframAlpha (more about the system can be found HERE),
- a box for the TinyURL web address shortener.
During March of this year the hosting of the professional blogs will change.
(Google will stop supporting FTP for upload.) So if you run into
problems, please look at the page devoted to news on the AKA MONITOR
portal: www.akamonitor.cz/e7news.htm, where you will find an explanation
of how to proceed. I apologise in advance for any problems.

AKA MONITOR - ISSN 1804-042X - list of monitored magazines:
ComputerWorld, CIO Business World, Security World, ITSystems,
Úspěch, PIXEL, ComputerDesign, itCAD, Jak na počítač, Počítač
pro každého, Extra PC, Nejlepší Rady PC, Connect!, Computer,
Mobility, BIZ, THINK!(IBM), Svět poznání, DIGIfoto, FOTOlife,
Účetnictví, SAT & DVB-T mag., Extra Hardware,
Systémová integrace, CHIP
www.akamonitor.cz/5xnej.htm
---------------------------------------------------------------
 

12.2.10

Po��ta� pro ka�d�ho 5/10

www.ppk.cz
Comprehensive security solutions 2010
How to sort data in Excel
Choose your player
How to choose a webcam
ICQ7 gets along (not only) with Facebook
(Bonus aka) "Koně" - documentary film - on the CD supplement
The next issue comes out on 1 March - theme: patching operating systems
www.akamonitor.cz/plneverze.htm
 

31.12.09

PF 2010

Hello friends!
I thank all visitors to the AKA MONITOR portal for the favour shown
in 2009 and for the numerous responses to the published reports.
At the same time I wish you all the best, good health and success in
your working and personal life in 2010. I look forward to your visits
and to your e-mails expressing interest in further enriching the
portal's pages.
Wishing you lots of luck in 2010, Arnošt Katolický
http://www.google.com/profiles/akamonitor
ISSN 1804-042X www.akamonitor.cz
AKA MONITOR - Partner of ZČU in Plzeň

7.12.09

Shortening web addresses

The internet is getting more and more dangerous. Unpleasant surprises
may await us not only in e-mail attachments but also directly on web
pages. But how do you recognise an address that points to such a page?
You will probably agree that we judge the safety of web addresses by
whether they remind us of something or not. Not every address that
means nothing to us has to be genuinely dangerous. Ideally, the checking
of web addresses is entrusted to an antivirus program, more precisely to
its module called a "link scanner". If we do not have a link scanner
installed, or its function is not reliable enough, we have to help
ourselves.
You have certainly already come across strange addresses on the
internet that raise concern at first sight. An example is the address:
http://tinyurl.com/yc9zrqv
What to do with it? Click, or not click?
In this case everything is fine, because the address is identical to:
http://www.akamonitor.cz/ITIL/2009/09/seznam-monitorovanych-casopisu-na.htm
The use of shorteners is not much recommended, especially for security
reasons, but there are situations where we cannot do without them. A
multi-line address in an e-mail not only looks bad but can cause trouble
when it is clicked. You have surely already run into problems bringing
such an address back to life.
URL shortening is an increasingly indispensable tool when using the
internet, whether you are adding a link to an e-mail, a tweet or a
discussion forum. URL shorteners are the solution to these problems.
A URL shortener is a service offered on a special web page. After you
enter a LONG address, the service generates a shorter URL that leads us
to the same page.
Example
- original address:
http://rover.ebay.com/rover/1/711-53200-19255-0/1?type=3&campid=5336224516&toolid=10001&customid=tiny-hp&ext=unicycle&satitle=unicycle
- shortened address:
http://tinyurl.com/unicycles
The best-known shortener is at:
http://www.tinyurl.com
In the Czech Republic the best-known shortener is at:
http://www.jdem.cz/
Sample output from the Czech shortener:
http://jdem.cz/aabi

You have surely asked yourself "how do I find out in time where such a
shortened address leads - what does the target page look like?".
Special web pages are available for this. Among the best known are:
http://www.prevurl.com
and
http://www.longurl.org
After you enter the shortened address, the original unshortened address
and a safe preview of the target page are displayed.
I recommend that you try out these services, because the occurrence of
shortened addresses will keep increasing.
One function of the "jdem.cz" service deserves a mention. You can not
only shorten an address but also protect the shortened address with a
password. A visitor who does not know the password cannot reach the
target page.

You can see what shortener pages look like and how they work in a
slideshow I have posted for you at
http://www.akamonitor.cz/s-show/tinyurl/

The English Wikipedia covers address shortening under the entry
"URL shortening" at:
http://en.wikipedia.org/wiki/URL_shortening
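As an added example (not code from the original post or from any of the services named above), the following Python sketch does what the preview services do for you: it resolves a shortened address hop by hop by reading each redirect's Location header, never loading the final page, capping the number of hops and refusing loops, and then reports the destination host so it can be compared with an allow-list before anyone clicks. The HTTP transport is injected; the redirect table below is constructed for the demonstration, so the target shown for http://jdem.cz/aabi is an assumption, and head_via_urllib is a hypothetical helper showing how a real transport would issue a HEAD request without following redirects.

```python
"""Expand a shortened URL hop by hop without visiting the final page.

Added example, not from the original post or from any shortener service.
The transport is injected so the demo runs offline against a constructed
redirect table; head_via_urllib is a hypothetical real-world transport.
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


class RedirectChainError(Exception):
    """Raised when a redirect chain loops, exceeds MAX_HOPS or is malformed."""


def expand_short_url(url, fetch, max_hops=MAX_HOPS):
    """Return the list of hops from `url` to the first non-redirect response.

    `fetch(url)` must return (status_code, headers_dict) for a HEAD request
    that does NOT follow redirects itself. Nothing beyond the response
    headers is ever retrieved, so the target page is never rendered.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain  # final destination reached (200, 404, ...)
        # Location may be relative; resolve it against the current hop.
        location = headers.get("Location") or headers.get("location")
        if not location:
            raise RedirectChainError("redirect without Location at %s" % chain[-1])
        nxt = urljoin(chain[-1], location)
        if nxt in seen:
            raise RedirectChainError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise RedirectChainError("more than %d redirects from %s" % (max_hops, url))


def destination_host(chain):
    """Lower-cased hostname of the final hop, for comparison with an allow-list."""
    return (urlsplit(chain[-1]).hostname or "").lower()


# Constructed redirect table standing in for the shortener services. The
# short URLs are the ones quoted in the post; the mapping is assumed.
FAKE_RESPONSES = {
    "http://tinyurl.com/yc9zrqv": (301, {
        "Location": "http://www.akamonitor.cz/ITIL/2009/09/seznam-monitorovanych-casopisu-na.htm"}),
    "http://www.akamonitor.cz/ITIL/2009/09/seznam-monitorovanych-casopisu-na.htm": (200, {}),
    # constructed: one shortener pointing at another (double shortening)
    "http://jdem.cz/aabi": (302, {"Location": "http://tinyurl.com/yc9zrqv"}),
    # constructed: two short links that redirect to each other
    "http://short.example/loop1": (302, {"Location": "/loop2"}),
    "http://short.example/loop2": (302, {"Location": "/loop1"}),
}


def fake_fetch(url):
    """Offline transport: look the URL up in the constructed table."""
    return FAKE_RESPONSES.get(url, (404, {}))


def head_via_urllib(url, timeout=5):
    """Hypothetical real transport: HEAD request with redirects disabled."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx land here
        return err.code, dict(err.headers)


if __name__ == "__main__":
    for short in ("http://tinyurl.com/yc9zrqv", "http://jdem.cz/aabi",
                  "http://short.example/loop1"):
        try:
            hops = expand_short_url(short, fake_fetch)
            print(" -> ".join(hops), "| host:", destination_host(hops))
        except RedirectChainError as err:
            print(short, "REFUSED:", err)
```

Swapping fake_fetch for head_via_urllib turns the sketch into a working preview tool; keeping the hop cap and the loop check is what stops a hostile chain of shorteners from tying the checker up, and the destination host, not the short link, is what should be judged against a list of trusted domains.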

http://www.google.com/profiles/akamonitor
ISSN 1804-042X www.akamonitor.cz
AKA MONITOR - Partner of ZČU in Plzeň

4.12.09

Security World 4/09

Survey: what will 2010 be like
Trends in threats from the internet
Selecting and using UTM devices
Strategies for security managers
The RSA security conference
(Bonus aka) Are multi-application cards secure?
The next issue comes out on 9 March 2010
 

30.11.09

AKA MONITOR becomes a partner of Západočeská univerzita v Plzni (University of West Bohemia in Plzeň)

On 26 November 2009 the partnership agreement between AKA MONITOR,
ISSN 1804-042X, and ZČU in Plzeň was confirmed by the signature of the
university's vice-rector, doc. Ing. J. Horejc, CSc. AKA MONITOR will
provide an information service for selected university staff (focused
on the fields of economics, management, information technology and
information systems).

26.9.09

An Executive's Guide to Web Application Security

Managing A Growing Threat: An Executive’s Guide to Web Application Security
Companies have relied on perimeter defenses to keep their networks and data secure. Unfortunately, network firewalls and network vulnerability scanners can’t defend against application-level attacks. Since so many Web sites contain vulnerabilities, hackers can leverage a relatively simple exploit to gain access to a wealth of sensitive information, such as credit card data, social security numbers and health records. It’s more important than ever to examine your Web application security, assess your vulnerability and take action to protect your business.
The full article can be found at:

21.9.09

10 must-have steps for an effective SMB information security program

Excerpt from the article:
The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security.
Kissel's 10 "absolutely necessary" steps to an effective information security program (consult the pamphlet for how-to's):
- Protect information, systems and networks from damage by viruses, spyware and other malicious code.
- Provide security for your Internet connection.
- Install and activate software firewalls on all your business systems.
- Patch your operating systems and applications.
- Make backup copies of important business data/information.
- Control physical access to your computers and network components.
- Secure your wireless access point and networks.
- Train your employees in basic security principles.
- Require an individual user account for each employee on business computers and business applications.
- Limit employee access to data and information, and limit authority to install software.
And here are the 10 security trouble spots where computer users are highly recommended to use caution:
- Opening email attachments from unknown senders and responding to emails asking for sensitive information.
- Clicking on Web links in emails and instant messages.
- Clicking OK on pop-up windows and other hacker tricks.
- Doing online business and banking.
- Skipping criminal background checks on prospective employees.
- Web surfing.
- Downloading software.
- Not getting expert help when you need it. The Better Business Bureau, Chamber of Commerce, Small Business Development Centers can point you to service providers.
- Disposing of old computers and media.
- Protecting against social engineering.

15.9.09

Improving Web Application Security: Threats and Countermeasures

Abstract
"This guide helps you build hack-resilient applications. A hack-resilient
application is one that reduces the likelihood of a successful attack
and mitigates the extent of damage if an attack occurs. A hack-resilient
application resides on a secure host (server) in a secure network and
is developed using secure design and development guidelines.
Web application security must be addressed across the tiers and at
multiple layers. A weakness in any tier or layer makes your application
vulnerable to attack. Figure 1 shows the scope of the guide and the
three-layered approach that it uses: securing the network, securing
the host, and securing the application. It also shows the process
called threat modeling, which provides a structure and rationale for
the security process and allows you to evaluate security threats and
identify appropriate countermeasures. If you do not know your threats,
how can you secure your system?"
More at:
 

Web Application Security Consortium

The Web Application Security Consortium (WASC) is a 501(c)(3) non-profit
made up of an international group of experts, industry
practitioners, and organizational representatives who produce
open source and widely agreed upon best-practice security
standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas
and organizes several industry projects. WASC consistently
releases technical information, contributed articles, security
guidelines, and other useful documentation. Businesses,
educational institutions, governments, application developers,
security professionals, and software vendors all over the world
utilize our materials to assist with the challenges presented
by web application security.
More at:

The Open Web Application Security Project

"The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org."
More at:
http://www.owasp.org/index.php/Main_Page

An Executive's Guide to Web Application Security

I recently informed you about AVG Identity Protection, software representing one variant of the most advanced system currently on the market for finding malware by detecting non-standard process behaviour. This technology is not based on definitions but focuses on monitoring behaviour. Identity Protection watches more than 285 different behaviours and also all running processes (whether hidden or not). In this way it tries to find out whether some harmful activity is secretly taking place in the user's system. Technologies of the "Identity Protection" class can find and neutralise significantly more malware than the basic known versions and, above all, protect your computer even better and more reliably.
Today I found on the web a brief, factual explanation intended for IT management.
Title of the article:
"Managing A Growing Threat: An Executive's Guide to Web Application Security"
It deals with the security of web applications.
Abstract:
"Companies have relied on perimeter defenses to keep their networks and data secure. Unfortunately, network firewalls and network vulnerability scanners can't defend against application-level attacks. Since so many Web sites contain vulnerabilities, hackers can leverage a relatively simple exploit to gain access to a wealth of sensitive information, such as credit card data, social security numbers and health records. It's more important than ever to examine your Web application security, assess your vulnerability and take action to protect your business."
You can read more in the 8-page PDF file:
http://www.csoonline.com/documents/whitepapers/managingagrowingthreat.pdf
A. Katolick�

15.11.06

Tracking content updates

News will not be published regularly. Tracking content updates is made easier by using a so-called RSS reader, into which you enter the address:
http://www.akamonitor.cz/WAS.xml
and set the polling interval. A notification about a new item published on this weblog's page will appear on your screen whenever the page content changes. You can read more about RSS at www.akamonitor.cz/RSS.htm.