I’d like to announce the inaugural Top 2010 Web App Sec Defenses Compendium. I can’t offer prizes, because defenses are simply not that sexy. (If you do have prizes that could be offered, web app sec researchers will be over the moon. E-mail me.) Defenses change the world. Defenses make software more secure – permanently, and […]

Code of Hammurabi – or 4000 years later, we still haven’t got it

The Code of Hammurabi is one of the earliest known written laws, and possibly pre-dates Moses’ descent from the Mount. In it, we get a picture of the Babylonians’ laws and punishments. In particular, there’s this one: If a builder builds a house for someone, and does not construct it properly, and the house which […]

OWASP ASVS – also good for architecture reviews

I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a lightweight security architecture template. The good news is that it helped us decide a bunch of controls (using ESAPI, of course) that will hopefully improve the security of the application. I’ll find out in a few months if any […]

Advanced Persistent Threat – risk management by a new name

I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state sponsored intelligence gathering, are no different to the age old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the […]