January 9th, 2007
The following column was published on SecurityFocus today:
PHP apps: Security’s Low-Hanging Fruit
by Kelly Martin
published 2007-01-08
PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here’s how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web.
http://www.securityfocus.com/columnists/427
January 8th, 2007
I’d like to announce the availability of a free security reconnaissance/firewall bypassing tool called 0trace written by Michal Zalewski. This tool enables the user to perform hop enumeration (“traceroute”) within an established TCP connection, such as an HTTP or SMTP session, as opposed to sending stray packets, as traceroute-type tools usually do.
The important benefit of using an established connection and matching TCP packets to send a TTL-based probe is that many stateful firewalls and other defenses happily allow such traffic through without further inspection, since it is related to an entry in the connection table.
The tool is available here (Linux version):
http://lcamtuf.coredump.cx/soft/0trace.tgz
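From the defender’s side, the technique described above has a recognisable fingerprint: inside an already-established TCP flow, the same segment is re-sent with a TTL that starts low and climbs by one on each copy, which ordinary retransmissions never do. The following detector is an added example written for this post; it is not part of 0trace or the original entry. The packet-summary line format and the sample lines are constructed for the demonstration, and the thresholds (a run of at least three matching segments starting at TTL 4 or lower) are assumptions a practitioner would tune against real traffic.

```python
import re
from collections import defaultdict

# Constructed packet summaries (not a real capture). Flow 40001 is an ordinary
# HTTP exchange; flow 40002 completes a handshake and then re-sends the same
# data segment with TTL 1, 2, 3, 4, 5, the pattern of an in-connection hop probe.
SAMPLE_PACKETS = """\
10.0.0.5:40001 > 203.0.113.10:80 S ttl=64 seq=1000
203.0.113.10:80 > 10.0.0.5:40001 SA ttl=57 seq=5000
10.0.0.5:40001 > 203.0.113.10:80 A ttl=64 seq=1001
10.0.0.5:40001 > 203.0.113.10:80 PA ttl=64 seq=1001
10.0.0.5:40002 > 203.0.113.10:80 S ttl=64 seq=2000
203.0.113.10:80 > 10.0.0.5:40002 SA ttl=57 seq=6000
10.0.0.5:40002 > 203.0.113.10:80 A ttl=64 seq=2001
10.0.0.5:40002 > 203.0.113.10:80 PA ttl=1 seq=2001
10.0.0.5:40002 > 203.0.113.10:80 PA ttl=2 seq=2001
10.0.0.5:40002 > 203.0.113.10:80 PA ttl=3 seq=2001
10.0.0.5:40002 > 203.0.113.10:80 PA ttl=4 seq=2001
10.0.0.5:40002 > 203.0.113.10:80 PA ttl=5 seq=2001
"""

# Assumed summary format: "src:sport > dst:dport FLAGS ttl=N seq=M"
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+) ttl=(\d+) seq=(\d+)$")


def parse_packets(text):
    """Parse summary lines into dicts keyed by the one-directional 4-tuple."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        src, sport, dst, dport, flags, ttl, seq = m.groups()
        packets.append({
            "flow": (src, int(sport), dst, int(dport)),
            "flags": flags,
            "ttl": int(ttl),
            "seq": int(seq),
        })
    return packets


def find_ttl_probe_flows(packets, min_run=3, max_start_ttl=4):
    """Report flows that carry a run of >= min_run non-SYN segments with the
    same sequence number and TTLs increasing by exactly one, starting from a
    TTL of max_start_ttl or less. Thresholds are assumptions, not 0trace facts."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[p["flow"]].append(p)

    findings = []

    def flush(flow, run):
        if len(run) >= min_run and run[0]["ttl"] <= max_start_ttl:
            findings.append({
                "flow": flow,
                "probes": len(run),
                "ttl_range": (run[0]["ttl"], run[-1]["ttl"]),
            })

    for flow, pkts in by_flow.items():
        run = []
        for p in pkts:
            if "S" in p["flags"]:
                continue  # handshake segments are not part of a probe run
            if run and p["seq"] == run[-1]["seq"] and p["ttl"] == run[-1]["ttl"] + 1:
                run.append(p)
            else:
                flush(flow, run)
                run = [p]
        flush(flow, run)
    return findings


if __name__ == "__main__":
    for f in find_ttl_probe_flows(parse_packets(SAMPLE_PACKETS)):
        src, sport, dst, dport = f["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}: {f['probes']} probe segments, "
              f"TTL {f['ttl_range'][0]}..{f['ttl_range'][1]}")
```

The check keys on the combination that a stateful firewall ignores but a packet-level observer can see: a legitimate retransmission repeats the sequence number at the host’s normal TTL, whereas a hop probe repeats it with a ramping TTL. The heuristic only fires on the initiating side of a flow it has seen from the SYN, so on a sensor that misses the handshake the `"S"` skip would need to be relaxed, and the thresholds should be validated against the site’s own traffic before alerting on them.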
January 8th, 2007
The draft NIST Special Publication 800-101, Guidelines on Cell Phone Forensics, is available for public comment. The guide outlines general principles and provides technical information intended to help organizations develop appropriate policies and procedures for preserving, acquiring, and examining digital evidence found on cell phones. Computer forensic specialists and members of the law enforcement community are encouraged to provide feedback on all or part of the document.
Get this document here: http://csrc.nist.gov/publications/drafts.html#sp800-101
January 8th, 2007
Robert Auger (www.qasec.com) has written an excellent article about how the Quality Assurance phase of the development cycle can incorporate security testing into a standard test plan, and make it part of the regular testing cycle.
From the article:
"Part of software testing involves replicating customer use cases against a given application. These use cases are documented in a test plan during the quality assurance phase in the development cycle to act as a checklist ensuring common use cases aren’t missed during the testing phase. People within the quality assurance community are starting to understand that checking an application for security issues (defects) isn’t just the responsibility of the security department (if one exists), or the software architects."
Check the whole article here: http://www.qasec.com/cycle/securitytestcases.shtml