Last 50 'Announcements' Tagged Posts

Presentation: Problems you'll face when building a software security program

A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec...

WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used...

WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants

I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...

The OWASP AppSec USA 2011 Call for Papers (CFP)

Lorna Alamri writes in the following announcement "The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit the following URL to submit your abstract for the September 22-23, 2011 talks in Minneapolis, Minnesota: http://www.appsecusa.org/talks.html We're excited to announce that speakers will be in good company with our first keynote,...

WASC Party at RSA

The Web Application Security Consortium (in which I am a co founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon....

New Silicon Valley security conference - BayThreat

A handful of people from silicon valley (myself included) have been discussing the lack of good hacker conference in the bay area (RSA does not count) for some time and decided to meet up during defcon to see what we could do about this. It was concluded that the only logical thing...

Phrack #67 is out for 25th anniversary!

To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace...

CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years

To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...

CGISecurity.com Turns 10!: A short appsec history of the last decade

Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...

WASC Web Hacking Incident Database Semi-Annual Report for 2010

Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 -...

Web Security Dojo v1.0 release

From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use...

Watcher 1.3.0 passive Web-vulnerability testing tool released

"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can...

2010 SANS Top 25 Most Dangerous Programming Errors Released

I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top...

R.I.P. Apache 1.x: Apache 1.3.42 marks of end life

The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider...

Nikto version 2.1.1 released

Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...

Announcement: WASC Threat Classification v2 is Out!

I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...

Microsoft's Enhanced Mitigation Evaluation Toolkit adds protection to processes

Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...

OWASP Publishes Transport Layer Protection Cheat Sheet

"This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance...

WASC Announcement: 2008 Web Application Security Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application...

Announcing the Web Application Security Scanner Evaluation Criteria v1

"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list...

Microsoft publishes BinScope and MiniFuzz

From the download pages. BinScope "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build...

Next Phase of WASC's Distributed Open Proxy Honeypot Project Begins

Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at blackhat where he showed me the central console displaying metrics for each proxy...

Nmap 5.00 Released

"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this. Considering all the changes, we...

Microsoft Security Bulletin Summary for July 2009

It is Microsoft patch Tuesday and the following issues have been addressed. MS09-029 Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An...

WASC Threat Classification 2.0 Sneak Peek

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification v2.0...

Fuzzware 1.5 released

"Fuzzware is tool for pen-testers and software security testers that is designed to simplify the fuzzing process, while maximising the fuzzing quality and effectiveness. Fuzzware is adaptable to various testing scenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you fine grain control over the fuzzing techniques used and ensures any interesting...

Phrack 66 is out!

IntroductionTCLH Phrack Prophile on The PaX TeamTCLH Phrack World NewsTCLH Abusing the Objective C runtimenemo Backdooring Juniper FirewallsGraeme Exploiting DLmalloc frees in 2009huku Persistent BIOS infectionaLS and Alfredo Exploiting UMA : FreeBSD kernel heap exploitsargp and karl Exploiting TCP Persist Timer Infinitenessithilgore Malloc Des-Maleficarumblackngel A Real SMM RootkitCore Collapse Alphanumeric RISC ARM...

New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks

Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...

Insecure Magazine 21 (June) Released

Insecure magazine 21 has been released and covers the following. Malicious PDF: Get owned without opening Review: IronKey Personal Windows 7 security features: Building on Vista Using Wireshark to capture and analyze wireless traffic "Unclonable" RFID - a technical overview Secure development principles Q&A: Ron Gula on Nessus and Tenable Network Security...

L0phtCrack is back, finally available for download

"It's official: The famous password-cracking tool L0phtCrack is back, and its creators plan to keep it that way. L0phtCrack 6 tool, released Wednesday, was developed in 1997 by Christien Rioux, Chris Wysopal, and Peiter "Mudge" Zatko from the former L0pht Heavy Industries -- the hacker think tank best known for testifying before...

SamuraiWTF live web testing framework 0.6 released

"The SamuraiWTF project team is proud to announce the immediate release of SamuraiWTF 0.6. This release contains a number of fixes and updates as well as the first release of a VM image. This VM requires Vmware 5.0 or better. It will also work in any version of VMWare Fusion.ThanksKevin Johnson" For...

Sysinternal Tool updates: Autoruns v9.5, PsLoglist v2.7, PsExec v1.95

Not website security related but still useful tools. Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution. PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility,...

Google Chrome Update Addresses 2 Security Flaws

CVE-2009-1441: Input validation error in the browser process. A failure to properly validate input from a renderer (tab) process could allow an attacker to crash the browser and possibly run arbitrary code with the privileges of the logged on user. To exploit this vulnerability, an attacker would need to be able to...

Web 2.0 Application Proxy, Profiling and Fuzzing tool

"This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take...

Firefox 3.0.9 Released to Fix Multiple Security Flaws

MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString MFSA 2009-18 XSS hazard using third-party stylesheets...

Nessus Version 4 Released

"Tenable is pleased to announce the release of Nessus version 4! This blog post highlights some of the enhancements and new features available in Nessus 4.0. One of the most notable features is the ability to create custom XSLT reports based on your scan results. Nessus now also supports a fully multi-threaded...

Watcher: a free web-app security testing and compliance auditing tool

"Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for now:...

SWFScan - Free Flash Security Tool

"HP SWFScan is a free security tool to developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds...

Microsoft releases !exploitable crash evaluation tool

"Aiming to better identify bugs that could lead to security issues, Microsoft announced on Wednesday that it planned to release a tool to help developers classify and assess program crashes. The tool, known as !exploitable and pronounced "bang exploitable," is a plugin for the Windows debugger that categorizes crash information using two...

WarVOX 1.0.0 Released

HD Moore sent the following to bugtraq this morning. "WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide...

The return of L0phtCrack

"More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack has reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference. A teaser post on the...

Apple goes public with security in Safari 4

"Apple announced on Tuesday the public availability of its next browser, Safari 4, seemingly adding a host of new security features to the program along with speedier Javascript processing and additional eye candy, such as cover flow. The security features are not new, however. The company quietly added anti-malware and phishing protection,...

CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies

For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New Zealand...

Firefox 3.0.6 Released To Address Multiple Security Issues

Fixed in Firefox 3.0.6 MFSA 2009-06 Directives to not cache pages ignored MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04 Chrome privilege escalation via local .desktop files MFSA 2009-03 Local file stealing with SessionStore MFSA 2009-02 XSS using a chrome XBL method and window.eval MFSA 2009-01 Crashes with evidence of memory...

Web Application Security Consortium (WASC) RSA Meetup 2009

If you like talking about website and application security and will be in San Francisco in April I highly recommend attending the Web Application Security Consortium's RSA Meet-up. We've been doing this for the past 3-4 years and always get a great crowd. He's the formal announcement. Take a Break @ RSA...

Microsoft Patch Tuesday: MS09-001

Microsoft has just published MS09-001 . This update addresses an SMB flaw. "Vulnerabilities in SMB Could Allow Remote Code Execution (958687) This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these...

CWE & SANS TOP 25 Most Dangerous Programming Errors

"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec,...

OWASP releases Application Security Verification Standard for developers, security pros, and buyers

"Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS). Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and...

OllyDbg Version 2.0 - Beta 1 Released

"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much faster...

OWASP testing Guide Version 3.0 Released

OWASP released the following press release today. "The OWASP testing guide version 3 has been officially released. This project is part of the OWASP 2008 Summer of Code that started on April 2008. The guide resulted in a 349 page book and is the contribution of a team of 21 authors, 4...

Firefox Halting 2.x security patching/support, urges users to upgrade to 3.0 or get pwned

"Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical. The critical problems involve cross-site scripting. That’s a serious concern as it...

Tools: Microsoft Announces Three Tools to help prevent SQL Injection

"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits....

Tools: Peach 2.1 Fuzzing Framework BETA3 Released

From the 'Millions of peaches, peaches for me. Millions of peaches, peaches for free ' department The following was posted to the full disclosure mailing list. "Peach 2.1 BETA3 has been released! This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the...

Tools: Peach Fuzzer Framework 2.1 BETA2 Released

The following was sent to the daily dave list today by Michael Eddington "The latest in the Peach 2 series has been posted. This release includes many bug fixes, features, improvements, and supersedes 2.0 as the recommended version to use. * Fuzzers written in XML by defining data definitions * Unittests to...

Tool Release: tmin: Fuzzing test case optimizer

Michal Zalewski has released tmin. From his announcement to bugtraq "I'd like to announce tmin - a free, quick, and handy tool to quickly and effortlessly minimize the size and syntax of complex test cases in automated security testing. I found the tool to be remarkably useful, as it saved me from...

Tool availability - browser DOM Checker

"I'd like to announce the availability of DOM Checker, an automated tool for validating browser security policy enforcement. The project is hosted at: http://code.google.com/p/dom-checker/ The tool features several fairly neat features, including exhaustive hierarchy crawling and side-channel blind write validation to reduce the number of false positives. DOM Checker had been used...

xmitm: xml man in the middle tool

An interesting post on intercepting flash XMPP traffic. "This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport). The only way we could think of getting...

WASC Script Mapping Project released

Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on the...

Tools: SWFIntruder released

Stefano writes "The first release of SWFIntruder has been released today by Stefano Di Paola, CTO of Minded Security. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. It helps to find flaws in Flash applications using the methodology originally described...

Nikto 2 released

Sullo writes " Nikto is an open source (GPL) web server scanner which performs tests against web servers for multiple items, including over 3500 po tentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Version 2 adds a ton of enhancements, including: - Fingerprinting web...

Free Automated Web Application Firewall From Armorlogic

"Armorlogic, the Danish web application firewall provider, announces Profense™ Base, the only automated web application firewall available for free. And there is no catch. Free means free for commercial as well as non-commercial use, without time limitation." "ISO images and software licenses are available from www.armorlogic.com." I've never heard of this company...

Uninformed Journal Release Announcement: Volume 8

"Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:" Real-time Steganography with RTP PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 Getting out of Jail: Escaping Internet Explorer Protected Mode OS X Kernel-mode Exploitation in a Weekend A Catalog...

Microsoft Release 4 Security Fixes

"Microsoft Corp. released four software patches Tuesday to fix security flaws, including one that could allow hackers to take over computers running the company's instant messaging programs. Only one of the flaws carried the company's most severe "critical" rating, but it only applies to the Windows 2000 operating system. To be affected,...

WASC Announcement: Web Application Security Scanner Evaluation Criteria Call for Participants

The Web Application Security Consortium is pleased to announce a new project " Web Application Security Scanner Evaluation Criteria (WASSEC)". Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project. A brief description of the...

[NEW BOOK] Professional Pen Testing for Web Applications

Andres Andreu has just published a new book titled "Professional Pen Testing for Web Applications" by Wrox. "There is no such thing as "perfect security" when it comes to keeping all systems intact and functioning properly. Good penetration (pen) testing creates a balance that allows a system to be secure while simultaneously...

Owasp Releases PHP Top 5

"PHP is a very popular language with many flawed security "features". Every PHP developer and hoster should understand the primary attack vectors being used by attackers against PHP applications. This article is the underlying research behind the SANS Top 20 2005's PHP section. The methodology used in the preparation of this article...

Uninformed Issue 4 released

Issue #4 of uninformed has been released. This issue contains the following articles - Improving Automated Analysis of Windows x64 Binaries - Exploiting the Otherwise Non-Exploitable on Windows - Abusing Mach on Mac OS X - GREPEXEC: Grepping Executive Objects from Pool Memory - Anti-Virus Software Gone Wrong Issue Link: http://www.uninformed.org/?v=4

WSFuzzer 1.5 has been released

Andres Andreu writes "WSFuzzer version 1.5 has been released. It is a pen testing tool that audits HTTP based SOAP targets. Details are available at http://www.neurofuzz.com/modules/software/wsfuzzer.php

Paros 3.2.10 released

A new version of Paros Proxy has been released. "We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies...

New Open Source Web Application Scanner Released (Oedipus)

800m800m Writes "Oedipus is an open source web application security analysis and testing suite written in Ruby by Pentration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web...

Uninformed Online Zine #3 Released

A online zine called 'uninformed' has just released issue #3. I gotta say it's worth checking out. Below is the list of the table of contents. * Bypassing PatchGuard on Windows x64 * Windows Kernel-mode Payload Fundamentals * Analyzing Common Binary Parser Mistakes * Attacking NTLM with Precomputed Hashtables * Linux Improvised...

PAPER: Preventing Http Session Fixation Attacks

Zinho Writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)

ModSecurity 1.9 FINAL has been released

Ivan Ristic Writes "ModSecurity 1.9 FINAL has been released. It is available for immediate download from: http://www.modsecurity.org/download/ After more than a year in development, ModSecurity 1.9 introduces a number of changes that further increase usefulness of this web application security tool. Changes (since 1.8) ------------------- Major enhancements include: * A brand new...

Web Application Security Consortium (WASC) releases 'Threat Classifications' document

WASC has released a web security 'Threat Classifications' document that attempts to help clarify some of the terms used in web security (such as xss, session fixation, insufficient authorization, etc...). Additional information can be found at the link below. http://www.webappsec.org/threat.html

Web Application Security Consortium group formed

A new web security group called The Web Application Security Consortium announced itself today. This group will release documents, and form projects to help address some of the issues in web security. The first release by this group is the "Web Security Glossary", a index of all common terminology involving web application...

Microsoft released Ebook on web security

Microsoft has released a massive 919 page ebook covering everything from how to lock down your web server, web services, web applications, and web application servers. This book is worth a read and I highly recommend it. Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 Meg)

IIS LockDown Tool released

Microsoft has finally released a tool that helps secure your IIS machine. This new tool helps patch, and lockdown IIS from well known holes, as well as helping protect itself from unknown holes. Download it below (NOTE: This is also added to our patch section of this site.) IIS Lockdown Tool