I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me.) Defenses change the world. Defenses make software more secure – permanently, and…
Category: OWASP
Force.com secure code review howto Part 1
For those of you who have to review unusual platforms, here are my notes for reviewing apps coded in Apex and Visualforce. As I learn more, I might add some additional entries, but I’ve been so constrained for time for so long, don’t hold your breath. Terminology and Basics Force.com is Salesforce’s SAAS…
Code of Hammurabi – or 4000 years later, we still haven’t got it
The Code of Hammurabi is one of the earliest known written laws, and possibly pre-dates Moses’ descent from the Mount. In it, we get a picture of the Babylonians’ laws and punishments. In particular, there’s this one: If a builder builds a house for someone, and does not construct it properly, and the house which…
Risk Management 103 – Choosing Threat Agents
A key component in deciding a risk is WHO is going to be doing the attack. The above image is from the excellent OWASP Top 10 2010, and I will be referencing this diagram a great deal. We’re talking about the attackers (threat agents) on the left today. So you’re busy doing a secure code…
Risk Management 102 – when is a high a high
There are a lot of consultants (and clients) who know little to nothing about proper risk management. This is not their fault – it was never taught in computer science or most similar courses. If you get good at it, you’re unlikely to be a developer or a security consultant. That’s a shame, because risk management…
Intelligent Session Manager Architecture
As security researchers, I think we’ve let down users in the quest to close down questionable and unlikely events. The problem is that even though unlikely, these events – such as MITM attacks – work nearly 100% of the time. They make great demos to scare folks who don’t understand what they’re seeing. It’s a…
Sticking your neck out
For as long as I can remember, the standard “security” talk is a negative and destructive talk, where the presenter presents their latest “research” as if it’s going to solve world hunger, totally end the Internet as we know it, cure herpes, or put the spooks out of business as anyone could spy on the whole…
OWASP ASVS – also good for architecture reviews
I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a lightweight security architecture template. The good news is that it helped us decide a bunch of controls (using ESAPI of course) that will hopefully improve the security of the application. I’ll find out in a few months if any…
OWASP Top 10 2010 – Cheat Sheet
Here is a two-page cheat sheet for the OWASP Top 10 2010. OWASP Top 10 2010 Cheat Sheet (100 kb PDF) Print it double-sided to create a single piece of paper and hand it out to all your developers for free – it’s licensed under a Creative Commons ShareAlike with Attribution license. Once I’ve had…
Advanced Persistent Threat – risk management by a new name
I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state-sponsored intelligence gathering, are no different to the age-old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the…