Being held for the first
time on March 18, 2008 at
the historic Roosevelt
Hotel in New York City,
AJAXWorld Security
Bootcamp is a compelling,
intensive, one-day,
hands-on training program
that will teach Web
developers, Web
designers, and other Web
professionals how to
build secure AJAX
applications and
demonstrate what the best
practices are to mitigate
security problems in AJAX
apps. It is led by one of
the world's foremost AJAX
security experts and
popular teachers, Billy
Hoffman.
Fourteen years ago I
warned MyBank (who is not
one of my clients, I am
one of theirs) about
using social security
numbers as solid
identification. The Head
of Security, three weeks
retired from the Secret
Service, said he would
look into it. Nothing has
changed except the
security at MyBank has
gotten worse.
Criminal gangs are
increasingly using the
Internet to extort money
from businesses.
Thousands of Distributed
Denial of Service attacks
occur globally every day
and it's vital that senior
management wakes up to
the very real risk of
such an assault. The rise
of the Internet has
carried a number of
threats in the form of
viruses, hackers, worms,
and malware.
Successful businesses
execute simultaneously on
three fronts: sustained
revenue growth,
continuous cost control,
and comprehensive risk
management. Driven by a
significant rise in
public awareness of
information security
breaches, the discipline
of risk management is
under increased pressure
to protect the
information assets of the
business better. This
pressure has resulted in
a great deal of confusion
about the best course of
action, and more than a
few ill-considered
measures have been put in
place. But businesses
need not fret. The
solution comes in a
process they already
understand, albeit with
an intuitive
reorientation of
traditional thinking.
Information security
assurance is a topic that
has developed quickly
over the last few years.
Drivers for its rapid
development include the
growth of computing
power at the pace of
Moore's Law during the
information revolution of
the last century.
Motivation for interest
in the topic stems from
the more recent Internet
revolution, the focus on
critical infrastructure
related to Homeland
Security, the increased
emphasis on corporate
governance, and the
increasing awareness of
privacy matters as
society recognizes the
dangers that accompany IT
advances.
ChoicePoint, CardSystems,
LexisNexis, Polo Ralph
Lauren. The headlines in
2005 were littered with
cases of high-profile
security breaches and
customers, partners, and
government are
increasingly holding
businesses accountable
for the security of their
applications. Poor
application security can
result in heavy
downstream remediation
and management costs, as
well as productivity
problems, hits on
revenue, compliance
issues, and damage to
corporate reputations.
Most enterprise
organizations are
undertaking new projects
in 2005-2006 to address
the issue of endpoint
security. The results of
the 2005 Security IT
Adoption Survey showed
that 74% of respondents
are budgeting, doing
research on, or
implementing an endpoint
security solution this
year.
I often think like I'm
paranoid. I get paid for
it. So when I think about
availability, I can
conjure up an amazing
array of things that can
go wrong. But, instead of
discussing the many
security-related aspects
of your storage systems
availability, let's talk
about how your systems
may be too available.
That's right - too
available.
The brouhaha over a
presentation given last
week by Michael Lynn has
taken on a life of its
own on the worldwide web.
No surprise here. Lynn's
presentation can be found
easily, as can many other
interesting related
items. SYS-CON Media
herewith presents a few
things we've found.
When my company was
designing its data
center, we had to make a
choice: What kind of
database storage system
was going to be the
backbone of our
operations? As in most
things IT, the options
were seemingly endless,
and there are many
criteria to consider
before investing time or
money into development
and deployment.
The recent startling
announcement that the
SHA-1 hash function
wasn't as secure as
believed raised
interesting questions in
the world of one-time
password technology,
since the newly proposed
HOTP algorithm is based
on SHA-1: Should the
industry standardize
around a single one-time
password (OTP) algorithm?
And what role should
algorithm agility have in
the future of one-time
passwords?
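To make the algorithm-agility question concrete, here is an RFC 4226 HOTP implementation in Python. It is an example added for this page, not code from any of the articles listed here. The digest function is a parameter, so the same dynamic-truncation code runs over HMAC-SHA-1 (which the RFC mandates) or HMAC-SHA-256; the secret and expected codes used for checking are the RFC 4226 Appendix D test vectors, and the look-ahead window in `verify` is an assumed server policy, since the RFC leaves its size to the deployment. One caveat a practitioner should keep in view: the 2005 SHA-1 results were collision attacks, and HMAC does not rely on collision resistance, so HOTP over HMAC-SHA-1 was not itself broken by them; agility is insurance against a stronger result later.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D (the RFC's published test vector, not a real key).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.

    `digestmod` is the agility hook. RFC 4226 mandates HMAC-SHA-1; passing
    hashlib.sha256 runs the identical construction over a 32-byte MAC, which is
    how RFC 6238 later allowed TOTP to use SHA-256 and SHA-512.
    """
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 allows 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(window % 10 ** digits).zfill(digits)


def verify(secret: bytes, counter: int, submitted: str, look_ahead: int = 3,
           digestmod=hashlib.sha1):
    """Server-side check with a resynchronisation window (RFC 4226 section 7.4).

    Accepts the code for any counter in [counter, counter + look_ahead], compares in
    constant time, and returns the next counter to persist, or None on failure.
    The window size is a server policy choice; 3 is an assumed value for this example.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digestmod=digestmod), submitted):
            return c + 1
    return None


def codes_by_digest(secret: bytes, counter: int) -> dict:
    """Same secret and counter under both digest choices, side by side."""
    return {
        "sha1": hotp(secret, counter),
        "sha256": hotp(secret, counter, digestmod=hashlib.sha256),
    }


if __name__ == "__main__":
    for c in range(3):
        print(c, codes_by_digest(RFC4226_SECRET, c))
    print("next counter:", verify(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 2)))
```

Because the server only ever stores the last accepted counter, a successful `verify` must persist the returned value before replying; otherwise the same code can be replayed within the window.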
Based on recent
incidents, C-level
executives are quickly
realizing that in today's
increasingly regulated
and distributed
environments, it's no
longer sufficient to rely
on status quo barriers of
protection for critical
corporate information.
Instead, security
executives are now faced
with developing a
comprehensive, ground-up
strategy to protect
critical information at
all times from attack.
Version upgrades from
software, infrastructure,
and security vendors give
businesses the impression
that their enterprises
are protected from new
threats - but is it a
false sense of security?
The answer is yes if your
security deployment
doesn't address the
elements that comprise
today's threat landscape.
I'm going to make two
predictions. One: Every
single American will have
his identity stolen in
the next five years. Two:
Some of the management
folks who read ISSJ will
go to jail in the next
five years for poor
security practices.
For the better part of a
decade now, companies
have been buying
defensive security
technologies to secure
their IT networks by
identifying, defining,
and then blocking the
threats. By constantly
updating a 'blacklist' of
things that should be
barricaded outside of the
network, security
administrators figured
that they could keep
their PCs and servers
from being infected by
malicious code. In the
current environment,
however, blacklisting has
become a Herculean task
of decreasing
effectiveness. Zero-day
attacks are now common.
That's when there's no
blacklist signature for
the malicious code until
after the damage is done.
New worms, viruses and
vulnerabilities are
discovered daily, and a
new generation of blended
threats - attacks that
combine some of the most
harmful and pernicious
characteristics of the
latest worms and Trojans
- are taking their toll
on corporate systems and
networks. Organizations
have become so
reactionary in defense of
their systems - and so
narrow in focus - that
they're spending a lot of
their resources on the ad
hoc defense of single
exploits. Every time a
big enterprise mobilizes
to test and apply a
patch, it can strain both
time and the budget -
emergency patches often
cost hundreds of
thousands of dollars. And
a zero-day attack would
render the updating
useless.
The Internet is now
indispensable to
business, and Internet
abuse has come with it.
Spam has cascaded from
an annoying trickle to a
raging flood of ads,
viruses, spyware, and
phishing scams that pour
into millions of inboxes
every day all over the
world. With upwards of
80% of all e-mail traffic
now spam, it's no wonder
that organizations
worldwide are looking for
new ways to eradicate
this blight.
Companies implementing
Voice-over-IP (VoIP)
technologies to cut
communications costs
shouldn't overlook the
security risks associated
with a converged voice
and data network. Tempted
by lower phone bills,
centralized management
and rapid deployment,
companies often neglect
VoIP security and
network integrity. There
are numerous weak points
to consider in a VoIP
network - the call
servers and their
operating systems, the
phones and their
software, even phone
calls themselves are
vulnerable.
For IT managers,
consolidating all the
corporate data in a
single storage
infrastructure at the
data center is the
easiest, most
cost-effective way to
manage and protect the
data. To branchoffice
users, WANs delay access
to the centralized data
and make a consolidated
infrastructure
unworkable. As a result,
more than half of all
corporate data is stored
on largely unprotected
branch office file
servers and computers.
As wireless use
increases, companies that
deploy corporate Wireless
Local Area Networks
(WLANs) open new
dimensions of security
vulnerability. Clearly,
these companies need to
address wireless security
management as part of
their overall security
policies and
architecture.
Antonio Marcelli killed
people for a living. At
least a few he admitted
to. The feds caught him,
he turned state's
evidence, testified in
open court against the
capos and subsequently
entered the witness
protection program. He
was safe until his new
name and location hit the
Internet.
New security threats are
growing in frequency,
sophistication, and
danger. While
perimeter-focused
security can mitigate
risk from known attacks,
real protection comes
from identifying and
reacting to any new
threat the instant it
hits your network.
Storage networks have
become critical
components of corporate
computing environments.
Regardless of the type of
storage technology, these
networks have been
designed as if the
storage environment and
all of the components
are already secure
because security is
provided by other
networked systems.
Inevitably, intruders'
most attractive targets
have the weakest
defenses. Therefore, it
shouldn't be surprising
that enterprise
applications and
databases are
increasingly coming under
attack from the kind of
threats once associated
mostly with operating
systems and desktop
applications.
The security industry has
a massive problem.
Despite a constant flow
of patches, millions
spent on firewalls and
IDS, and updated security
procedures, we're still
plagued by the insider
threat - malicious
hackers infiltrating
networks using
legitimate, but stolen,
credentials. As long as
there are ways for
malicious hackers to find
'legitimate' ways into
your network - and there
are dozens of easy ways
- networks will continue
to be compromised.
Every organization is
confronted with the
question of how best to
manage digital identities
in order to effectively
control access to and
use of its IT application
resources. To grasp the
extent of this
challenge, consider the
stages of an identity's
lifecycle, and the
processes, practices, and
tools needed within each
stage.
If you are responsible
for finding
vulnerabilities on large
or small enterprise
networks, you are faced
with a variety of
political and technical
challenges in doing your
job. Fortunately, there
have been a variety of
new developments in the
art of enterprise
vulnerability detection
that make use of new and
old technologies.
In anticipation of
Microsoft's Windows XP
Service Pack 2, Computer
Associates announced that
it has added security
updates to its eTrust
security management
solutions for both
consumers and corporate
customers.
The new 802.11i standard
has now been officially
approved. 802.11i adds
AES-based encryption
(CCMP) to the existing
802.11 spec. The interim
WPA certification was
built on a draft of
802.11i and used TKIP;
the full standard is
certified by the Wi-Fi
Alliance as WPA2, so
WLANs will in future
benefit from AES's
stronger encryption.
'Security is as big and
important a challenge as
any our industry has ever
tackled,' wrote Bill
Gates in his latest
'Executive E-mail' to
Microsoft's customers
worldwide. 'It is not a
case of simply fixing a
few vulnerabilities and
moving on. Reducing the
impact of viruses and
worms to an acceptable
level requires
fundamentally new
thinking about software
quality, continuous
improvement in tools and
processes, and ongoing
investments in resilient
new security technologies
designed to block
malicious or destructive
software code before it
can wreak havoc,' he
continued.
Sun's EVP of Software,
Jonathan Schwartz, stated
at a Software Day on the
Sun Microsystems campus
this week, that
'Sarbanes-Oxley will be a
huge driver, as viruses
and Sarbanes-Oxley are
essentially about the
same thing: knowing where
the content is coming
from and who the source
is.'
Developers wanting to
expose applications
beyond proprietary
runtime environments like
the CLR should use XML
Web services. XML Web
services facilitate
application-to-application
interoperability across
heterogeneous
environments. Coupled
with numerous standards
and specifications, XML
Web services form the
basis of a highly
distributed computing
model. At the heart of
this model lies the
Simple Object Access
Protocol (SOAP). SOAP
defines a simple and
extensible XML-based
messaging framework that
can be targeted by a
variety of different
programming models and
carried over a variety of
different transport
protocols.
Apr. 28, 2003 12:00 AM
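The messaging framework the teaser describes, shown at the wire level: a Python example added for this page (not code from the article or from any SOAP toolkit) that builds a SOAP 1.1 envelope around an application payload and parses a response, distinguishing a result from a soap:Fault. The request payload, the two response documents and the `urn:example:bank` namespace are constructed for the example; only the SOAP 1.1 envelope namespace and fault element names come from the specification.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_ENV)

# Constructed request payload and responses for the example; urn:example:bank is made up.
REQUEST_BODY = '<m:GetBalance xmlns:m="urn:example:bank"><m:account>42</m:account></m:GetBalance>'

SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:GetBalanceResponse xmlns:m="urn:example:bank">
      <m:balance>125.00</m:balance>
      <m:currency>USD</m:currency>
    </m:GetBalanceResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown account</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""


class SoapFault(Exception):
    """Raised when the Body carries a soap:Fault instead of a result."""

    def __init__(self, code: str, string: str):
        super().__init__(f"{code}: {string}")
        self.code, self.string = code, string


def build_envelope(body_xml: str) -> bytes:
    """Wrap an application payload (any XML fragment) in a SOAP 1.1 Envelope/Header/Body."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def payload_tag(envelope: bytes) -> str:
    """Qualified tag of the application element inside the Body (for round-trip checks)."""
    root = ET.fromstring(envelope)
    return root.find(f"{{{SOAP_ENV}}}Body")[0].tag


def parse_response(xml_bytes: bytes) -> dict:
    """Return the first Body child as a flat {local-name: text} dict, or raise SoapFault.

    The stdlib parser keeps this dependency-free; for SOAP from untrusted peers,
    parse with a hardened library such as defusedxml instead.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty SOAP Body")
    payload = body[0]
    if payload.tag == f"{{{SOAP_ENV}}}Fault":
        # SOAP 1.1 fault children (faultcode, faultstring) are unqualified elements.
        raise SoapFault(payload.findtext("faultcode", ""), payload.findtext("faultstring", ""))
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in payload}


if __name__ == "__main__":
    print(build_envelope(REQUEST_BODY).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Note that the transport is deliberately absent: the same bytes can go over HTTP, SMTP or a message queue, which is the transport independence the teaser refers to, and also why transport-level protections alone do not authenticate the message itself.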
IT groups need to
consider adopting new
backup software for many
good reasons. New
software might have
features and benefits the
company needs. The curren
Unlike older spam
filters, in which the
author programs the
characteristics of spam,
statistical filtering
automatically chooses the
characteristics (or
'features')
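Statistical filtering in miniature: a naive Bayes classifier in Python, added here as an illustration and not code from the excerpted article. The training messages are constructed for the example. The filter learns its own per-token weights from them (the 'features' the teaser refers to) instead of having an author write rules, and `top_features` exposes which tokens the data itself marks as most spam-indicative.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")

# Constructed training corpus for the example (not real mail).
SPAM_DOCS = [
    "win free cash now click here",
    "free prize claim your cash now",
    "cheap meds click here now",
    "you won a free prize click now",
]
HAM_DOCS = [
    "meeting moved to tuesday please confirm",
    "attached is the quarterly report for review",
    "can we schedule the project review tuesday",
    "please review the attached budget before the meeting",
]


def tokenize(text: str) -> list:
    return TOKEN.findall(text.lower())


def train(spam_docs, ham_docs) -> dict:
    """Count token occurrences per class; the counts are the whole model."""
    spam = Counter(t for d in spam_docs for t in tokenize(d))
    ham = Counter(t for d in ham_docs for t in tokenize(d))
    n_spam, n_ham = len(spam_docs), len(ham_docs)
    return {
        "spam": spam, "ham": ham,
        "spam_total": sum(spam.values()), "ham_total": sum(ham.values()),
        "vocab": len(set(spam) | set(ham)),
        "log_prior": math.log(n_spam / (n_spam + n_ham)) - math.log(n_ham / (n_spam + n_ham)),
    }


def log_likelihood(model: dict, token: str, label: str) -> float:
    """log P(token | label) with add-one smoothing, so an unseen token never zeroes out a class."""
    return math.log((model[label][token] + 1) / (model[label + "_total"] + model["vocab"]))


def score(model: dict, text: str) -> float:
    """Log-odds that `text` is spam. Tokens never seen in training contribute only the
    small difference between the two smoothing floors, so they barely move the result."""
    s = model["log_prior"]
    for tok in tokenize(text):
        s += log_likelihood(model, tok, "spam") - log_likelihood(model, tok, "ham")
    return s


def classify(model: dict, text: str, threshold: float = 0.0) -> str:
    return "spam" if score(model, text) > threshold else "ham"


def top_features(model: dict, n: int = 5) -> list:
    """Tokens the data itself marks as most spam-indicative, i.e. the features the
    filter chose rather than ones an author programmed in."""
    vocab = set(model["spam"]) | set(model["ham"])
    ratio = {t: log_likelihood(model, t, "spam") - log_likelihood(model, t, "ham") for t in vocab}
    return sorted(ratio, key=ratio.get, reverse=True)[:n]


MODEL = train(SPAM_DOCS, HAM_DOCS)

if __name__ == "__main__":
    for msg in ("claim your free cash prize now", "please confirm the tuesday meeting"):
        print(f"{classify(MODEL, msg):5} {score(MODEL, msg):+.2f}  {msg}")
    print("top spam features:", top_features(MODEL))
```

The threshold is the operational knob: raising it trades missed spam for fewer false positives, and because the weights come from the mail stream, the filter adapts as spammers change vocabulary, which a hand-coded rule set cannot do without a new release.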
This article is an
excerpt from Risk
Management for Computer
Security: Protecting
Your Network &
Information Assets.
Printed with permission
from Butterworth-Heinem