sec links for 2009-11-13

UCSniff 3.0 has been released. UCSniff is a VoIP/IP video sniffer.

Thierry Zoller discusses the recent SSL/TLS authentication gap issue (pdf), the renegotiation flaw that lets a man-in-the-middle splice his own plaintext in front of a legitimate client's authenticated session. Pass this up if you want easy summaries and less technical coverage.
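To make concrete what the "gap" is, here is an added simulation (not from Zoller's paper or any of the linked material) of the application-layer effect of the renegotiation flaw. The TLS layer hands the web server one continuous plaintext stream, so bytes the attacker sent before renegotiation are concatenated with the victim's request sent after it; an unterminated header at the end of the attacker's prefix swallows the victim's request line, and the victim's Cookie is applied to the attacker's request. The hostnames, paths, header names and session token are all constructed for the example.

```python
# Added example: simulate the HTTP-level consequence of the 2009 TLS
# renegotiation "authentication gap". Nothing here speaks TLS; it models only
# what the server's HTTP parser sees once both sessions' plaintext is joined.

# Constructed attacker prefix: a complete request line and headers, ending in a
# header whose value is left open (no CRLF). The name "X-Ignore" is a
# conventional trick here, not anything from the original advisory.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# Constructed victim request, sent after the client completes its own
# (client-certificate or cookie-authenticated) renegotiated handshake.
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def server_stream(attacker_prefix: bytes, victim_request: bytes) -> bytes:
    """What a vulnerable server's HTTP layer receives: the plaintext of the
    attacker's pre-renegotiation session immediately followed by the victim's
    post-renegotiation session, with no marker between them."""
    return attacker_prefix + victim_request


def parse_http_request(stream: bytes):
    """Minimal HTTP/1.1 request parser: returns (method, path, headers).
    Header names are lower-cased; a repeated header keeps the last value."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def demo_attack():
    """Parse the spliced stream the way a vulnerable server would."""
    return parse_http_request(server_stream(ATTACKER_PREFIX, VICTIM_REQUEST))


if __name__ == "__main__":
    method, path, headers = demo_attack()
    print(method.decode(), path.decode())
    for name, value in headers.items():
        print(f"  {name.decode()}: {value.decode()}")
    # The request the server acts on is the attacker's, but the Cookie is the
    # victim's; the victim's own request line is buried in X-Ignore.
```

The server never sees anything wrong: the renegotiated handshake was valid, the request is well-formed, and the cookie is genuine. That is why this was treated as a protocol defect rather than an application bug; the eventual fix (RFC 5746, published after this post) cryptographically binds a renegotiation to the connection it happens on so the two halves of the stream cannot come from different peers.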

Nickerson mentioned this presentation on ExoticLiability 39. This is how a technical talk should go: a couple of slides saying web security is a big deal and WAFs try to prevent it, then the vast majority spent on deep details of how to bypass WAFs. If I can find the audio/video of this presentation, I think that would be even more effective than just the slides.

OWASP Top 10 RC1 (pdf) has been released. What I like about a list like this is that they don’t just present the knowledge-based issues; they also address the need to actually plan development smarter. Solving things like SQLi and XSS often comes down to being an expert coder (beyond just a functional 2+2=4 coder). There are still plenty of bonehead mistakes made in the planning and architectural stages.
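The two previous items fit together, so here is one added example (my own, not from the WAF talk or from OWASP) tying them up: a naive blacklist of the kind a WAF or an "input filter" might apply, two payloads that walk straight past it against string-built SQL, and the same payloads hitting a parameterized query. The table, rows, blacklist patterns and payloads are all constructed for the example; the point is that filtering is a guessing game while the parameterized query removes the class of bug.

```python
# Added example: a naive SQL-injection blacklist, two bypasses of it, and the
# parameterized-query fix. Uses only the standard library (sqlite3, re).
import re
import sqlite3

# Constructed blacklist, deliberately of the simplistic kind that gets bypassed:
# blocks "UNION SELECT" separated by whitespace, the classic "OR 1=1", SQL
# comment markers and statement separators.
BLACKLIST = re.compile(r"union\s+select|\bor\s+1\s*=\s*1\b|--|;", re.IGNORECASE)


def naive_waf_blocks(value: str) -> bool:
    """Return True if the blacklist would reject this parameter value."""
    return bool(BLACKLIST.search(value))


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users and a per-user secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """The bug: the parameter is pasted into the SQL text."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str):
    """The fix: the parameter is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed payloads for a lookup that should only ever return one user.
PAYLOADS = {
    # Matches the blacklist's "or 1=1" pattern, so the filter stops it.
    "blocked_by_blacklist": "x' OR 1=1 --",
    # Same tautology written with strings instead of digits: not on the list.
    "tautology_bypass": "x' OR 'a'='a",
    # A comment instead of whitespace between UNION and SELECT defeats \s+.
    "comment_bypass": "x' UNION/**/SELECT name, secret FROM users WHERE 'a'='a",
}


def demo():
    """Run each payload through the filter, the vulnerable query and the
    hardened query; return per-payload counts so the outcome can be checked."""
    conn = setup_db()
    results = {}
    for label, payload in PAYLOADS.items():
        blocked = naive_waf_blocks(payload)
        # Only what gets past the filter reaches the vulnerable code path.
        vuln_rows = 0 if blocked else len(lookup_vulnerable(conn, payload))
        hard_rows = len(lookup_hardened(conn, payload))
        results[label] = {
            "blocked": blocked,
            "vulnerable_rows": vuln_rows,
            "hardened_rows": hard_rows,
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} {outcome}")
```

Both bypass payloads dump every row from the string-built query and return nothing from the parameterized one. Extending the regex would stop these two and leave the next encoding, keyword split or dialect quirk open, which is exactly why the planning-stage decision (use parameterized queries everywhere) matters more than the filter.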

You have to look out for user-supplied content, but you also have to look out for unattended user-supplied administration of things like groups: Facebook Groups whose administrator has left can be hijacked, because the vacant admin role can be claimed by any remaining member.