Security trends for 2012

Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned. Folks will continue to use apps with administrator or god-like privileges. They will then be surprised when they’re […]


Recently, RSA was attacked by adversaries who targeted their two-factor authentication fobs. These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way. RSA chose not to discuss the details of the attack, […]

Upcoming speaking engagements – AusCERT and iTSMF

I am scheduled to talk or give tutorials at a couple of places so far this year. AusCERT: I am giving a two-day Secure Coding tutorial using OWASP’s Application Security Verification Standard. This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design […]

OWASP Podcast 82 – Authorship of OWASP Top 10 2007

Dave Wichers* appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money has been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be […]

Need a secure code review? We have slots available

I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. 🙂 We have open slots in our schedule for secure code reviews starting from mid March 2011. We perform our code reviews against the OWASP Application Security Verification Standard Level 2B – Automated […]

Security checklists are not bad, it’s how they’re used

There’s a meme that’s been running around the anti-PCI DSS crowd for a while, and that’s starting to get good traction among otherwise sane infosec folks: (paraphrasing) “Checklists don’t work.” Actually, PCI DSS is making inroads in containing data breaches. See for yourself. So what’s the big deal? Those who know me know several things: I […]