WebApp Sec mailing list archives

OWASP Columns


From: Mark Curphey <mark () curphey com>
Date: Thu, 25 Sep 2003 10:50:21 -0400 (EST)

I just wanted to let you all know that two great new articles are now online in the OWASP columns. 

http://www.owasp.org

We had some hardware problems last weekend that meant the site was down for 3 days. We think it is solved although we 
still need to find reliable free, secure hosting in the long term. Our apologies if you couldn't get to the site.

There Is More to Securing Web Services Systems Than WS-Security 

This column is about securing systems that are implemented in the Web services paradigm. The scope of this topic is 
huge and the issues are complex. Further complicating the problem is the fact that we are still very, very early in the 
life of the paradigm and most of the detail has yet to be worked out. However, since this is an evolutionary paradigm, 
even if we don't yet have all the specifics, we do know what the general classes of problems are . . . and where to 
look for them. So for now, in this column, we will be looking at the kinds of controls that will need to be implemented 
in order to secure systems that are built around Web services. We will focus on issues at the macro level here; there 
are some problems that exist independently of the choice of Web server, application server, authentication mechanism, 
etc. These issues, if not addressed, will result in exposed systems, no matter how well the WS* standards are 
implemented, whether secure programming techniques were employed or how well the rest of the system is done. 

Read the full article here 

http://www.owasp.org/columns/gcapehart/georgecapehart1


IIS Security by Joe Lima

The subject of this new column, IIS Security, is bound to occasion some chuckling in the server room. More than one sys 
admin will read it and think: "IIS Security -- isn't that a contradiction in terms?"
It is possible to achieve and maintain an adequate level of security for Internet Information Services (IIS), 
Microsoft's Web server platform. If I didn't think this, I wouldn't have agreed to write a regular column on the topic.

This is not to say that IIS security is a trivial task. There are plenty of challenges involved in making and keeping 
any Web server secure. Hence this column, which I hope will be a useful place for anyone interested in the topic to 
catch up on Microsoft IIS security fundamentals, keep abreast of the latest issues, and anticipate future challenges.
Having said that, there is no denying that IIS has not always been as secure (or securable) as it needed to be, has 
become, and is becoming. That is where the reputation comes from, making the phrase "IIS Security" a source of 
potential amusement for harried sys admins. On balance, IIS' reputation has long since outrun reality here, but that 
reputation is fed by a real legacy of sub-par security. To inaugurate this column, we will take a hard look at the 
sources of IIS' legacy of insecurity, the reasons for its persistence, and the way progress against this perception has 
been made.

Read the full article here 

http://www.owasp.org/columns/jlima/joelima1