Publications


System Security Primer

27 Jul 09

This paper was written to be a lightweight, easily adoptable primer and checklist to assist an organisation in better understanding security requirements and controls. This is intended to allow development teams to build a minimum level of security into a system without the overhead of incorporating an unwieldy process into the system development lifecycle or forcing large amounts of documentation upon system implementers.

Log Injection Attack and Defence

14 Feb 07

A log injection vulnerability occurs when a poorly-written program uses user-provided data to write to a system or application log without any security pre-processing. If an attacker controls this data, they can manipulate entries in the log for their own purposes. Depending on their knowledge of the log format and content, this often results in the ability to add new entries and falsify events and actions.

A Web Services Security Testing Framework

13 Nov 06

Web services are a widely touted technology that aims to provide tangible benefits to both business and IT. However, a specific security testing methodology is not currently available in the marketplace. SIFT's newest paper proposes a framework that covers the entire security testing process, tailored specifically for web services applications.

© 2000-2010 SIFT Pty Ltd. All rights reserved.