Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/16/2007
06:57 AM

SPI Details Web App Hacking

SPI Dynamics will lead five presentations throughout the week of April 16 at the Software Security Summit and STPCon

ATLANTA -- S.P.I. Dynamics, Inc., the leading provider of web application security testing software, announced today that company executives will lead five presentations throughout the week of April 16 at the Software Security Summit and Software Test & Performance Conference (STPCon) in San Mateo, CA.

SPI Dynamics’ Co-founder and CTO, Caleb Sima, will lead a general session at the Software Security Summit titled “The Latest Trends in Advanced Web Hacking and Secure Coding in the Real World.” This session will include demonstrations of advanced web application hacking techniques and the serious problems they uncover, and participants will learn about the newest vulnerabilities targeting the application layer. The discussion will also cover practical design principles and secure coding techniques that protect against the growing number of threats.

Caleb Sima will also lead a talk titled “A Study of AJAX Vulnerabilities and Hacking Techniques,” which will demonstrate how Ajax works and show examples of hacking techniques used to compromise Ajax-based applications. In addition, the presentation will explore how the technology underlying Ajax opens up a number of other interesting vulnerabilities that every organization looking to deploy Ajax should be aware of.

Matt Fisher, Senior Security Engineer at SPI Dynamics, will present “Hybrid Application Security Analysis - Ensuring Your Code is Secure” and “Deeper Injections” at the Software Security Summit. In these sessions, Fisher will illustrate the escalation of web application security threats and explain why security throughout the software development lifecycle is essential to securing code. During “Hybrid Application Security Analysis - Ensuring Your Code is Secure,” Fisher will discuss in detail the importance of a hybrid application security approach – the cooperative combination of source code analysis and black box scanning – when properly securing code. Fisher’s “Deeper Injections” presentation will describe the concepts of SQL and blind SQL Injection, and will examine other, lesser known yet serious types of command injection attacks such as XPath Injection and LDAP Injection.

SPI Dynamics
