Varun Sharma's security blog
Securing the Microsoft Azure subscription
This blog post is part of a series of posts on Security Best Practices for Microsoft Azure...
Date: 10/02/2014
Security Best Practices for Microsoft Azure Applications
Responsibility for security of applications on Azure is shared by Microsoft and the customer....
Date: 09/20/2014
TechNet Webcast: Configuring with Least Privilege in SQL Server 2008
I recently presented a TechNet Webcast on the topic “Configuring with Least Privilege in SQL Server...
Date: 06/20/2009
Catch the security flaw #6
If you can find the security issue with this piece of code, write about it by adding a comment to...
Date: 04/10/2009
Virtual techdays: Top 5 Web Application security bugs in custom code
Microsoft Virtual TechDays is starting from the 18th February 09. In the security track, I will be...
Date: 02/15/2009
catch the security flaw #5 (flaw and its countermeasure)
In my last post, I showed input validation code that uses RegularExpressionValidators improperly....
Date: 12/29/2008
Catch the security flaw #5
A lot of web applications use RegularExpressionValidators for performing input validation [1]....
Date: 12/21/2008
Catch the Security Flaw(s) #4
Identify as many security issues as you can with this piece of code:- 1: [WebMethod] 2: public...
Date: 12/02/2008
NASSCOM – DSCI Information Security Summit 2008 Security Tutorial
My colleague Sagar and I will be conducting an application security workshop at the NASSCOM – DSCI...
Date: 11/24/2008
How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved
- Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval...
Date: 08/04/2008
Catch the Security Flaw #3
Quite a few web applications encrypt query string values. This is generally done as an added measure...
Date: 07/14/2008
Confusion property of symmetric block ciphers
Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered...
Date: 07/14/2008
catch the security flaw #2 (flaw and its countermeasure)
In my previous “Catch the Security Flaw” post I wrote about a flawed CAPTCHA implementation. In this...
Date: 06/16/2008
Catch the security flaw #2
Consider a fictional web site that lets you create new accounts (as shown below). This site...
Date: 03/31/2008
Catch the security flaw #1 (Flaw and its countermeasure)
It is time to discuss the flawed code that I posted a couple of weeks back. The comments posted were...
Date: 02/08/2008
Catch the security flaw #1
I will be from time to time, putting up flawed code as an open question on this blog. Those who can...
Date: 01/23/2008
Common Authorization flaw in Web Applications: Why disabling buttons (or other controls) is not enough?
I have seen quite a few web applications that rely on disabling controls for authorization. Consider...
Date: 01/22/2008
XSSDetect: Tool for finding Cross Site Scripting bugs
About a month back, ACE Engineering released "XSSDetect", a stripped down version of the "Code...
Date: 12/06/2007
Block Ciphers: Simple attack on ECB mode
This is nothing new, but I just wanted to document it on my blog. Block ciphers encrypt data in...
Date: 11/27/2007
ClubHACK 2007: I will be presenting some “Subtle Security Flaws”
In its own words, "ClubHACK is one of its kind hacker's convention in India which serves as a...
Date: 11/26/2007
The Unbreakable Cipher
The concept of perfect secrecy is that given the cipher text, and any resources and amount of time,...
Date: 11/15/2007
Common Authorization Vulnerability in Thick Client applications
Consider the following architecture for an intranet application. A thick client installed on the...
Date: 10/31/2007
Browser Security: Why you can’t get the file that the user doesn’t want you to get?
In the year 1995, there were eight options for the “type” attribute of the “input” element. These...
Date: 10/01/2007
Catch the security flaw: Configuring encryption from Web Server to SQL Server
I assess software security for a living, but I almost missed this one. <connectionStrings>...
Date: 09/10/2007
SQL injection: Dynamic SQL within stored procedures
Most resources on the internet concentrate on dynamic SQL in the data access code as the cause of...
Date: 09/05/2007
How To: Run SQL Server Agent and SQL Server Jobs with least privilege in SQL Server 2005
How to: Run SQL Server Agent service under an account which is not a member of the local...
Date: 08/30/2007