Myth-Busting AJAX (In)security
Thursday - November 11, 2006 | WhiteHat Security publication
The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced website developers and security experts have a difficult time cutting through the buzzword banter to find the facts. And the fact is that most websites are insecure, but AJAX is not the culprit. Although AJAX does not make websites any less secure, it’s important to understand what does.
Read the full article online...
Myth-Busting Buffer Overflows
Friday - September 09, 2006 | WhiteHat Security publication
Contrary to popular belief, buffer overflow exploits do not occur in custom websites. While technically possible, the truth is that they are just not seen in the real world. Our experience at WhiteHat Security, having assessed hundreds of websites and identified thousands of vulnerabilities, shows that statistically, buffer overflows appear near the bottom of the list of total discovered issues. On the other hand, the Open Web Application Security Project (OWASP) has stated that buffer overflows are one of the Top-10 most critical website security flaws. And it is true that buffer overflows are a primary vehicle used to propagate the most notorious viruses and worms in operating systems from Microsoft Windows to Linux. So if both observations are true, then where’s the disconnect?
Read the full article online...
Technology Alone Cannot Defeat Website Attacks: Understanding Technical vs. Logical Vulnerabilities
Tuesday - May 05, 2006 | WhiteHat Security publication
On November 11th, 2003, the chess-playing machine X3D Fritz tied grandmaster and former world champion Garry Kasparov in a four-game match. In this classic contest of Man vs. Machine, X3D Fritz performed so impressively that the game was heralded as a victory for artificial intelligence. X3D Fritz’s powerful play was achieved by calculating millions of moves per second accompanied by gigabytes of stored positions. Each time Kasparov moved a chess piece, X3D Fritz would analyze the board by drawing upon its vast knowledge base to select the best possible move. So what do chess, the world’s most dominant computer chess machine, and Garry Kasparov have to do with website security?
Read the full article online...
Chasing Vulnerabilities For Fun and Profit
Thursday - September 09, 2005 | WhiteHat Security publication
As the CTO of a website security service company (http://www.whitehatsec.com), much of my time is spent educating companies on how to reduce the risks of conducting business online. Most of the people I speak with are stunned to learn that nine out of ten websites contain vulnerabilities. Think about it. Every time you visit your favorite online store, check your account balance or participate in a chat, there’s a 90% likelihood that the site can be compromised in some way. Despite the statistics, many IT/security professionals still believe that firewalls and SSL can protect their websites, or that their developers write perfect code. Whatever the reason, many organizations will learn the hard way, by getting hacked, that websites are the new point of entry into their systems. Consider MySpace, the social networking site. Exploitation of a common cross-site scripting vulnerability affected roughly 1 million users and cost 20 hours of downtime. What company can afford that?
Read the full article online...