“He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984. Looking back at the last few years, we’ve made some huge leaps at swatting issues that bit us in the past, but still have not made a huge fundamental leap to controlling the…
Category: OWASP
A review of 2008
Last year, I made the following observations / resolutions. Let’s check out how well I did: Be a good dad to Mackenzie, my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. I think I succeeded at this one. Lose some weight and mean it this time. What New Year’s…
OWASP EU Summit
Although I am unable to attend, I hope you can attend the OWASP EU Summit, to be held next week in Portugal. There’s going to be lots of discussion about OWASP’s various projects, and an effort to work out the future of each of them. It’s going to be a defining event in OWASP’s existence, and I wish I…
WebScarab For Eclipse
This lunchtime, I did something I’ll probably later regret: creating a new project. As if I don’t have enough on my plate already. The idea has been rattling around my head for a while – I use Eclipse nearly all day, and I figured that Eclipse is a great toolchain hosting platform. It gets rid…
Black Hat 2008
Well, I’m back from another year at Black Hat. This time, I taught one of my company’s 2D Web Application Security courses. I think mine may have been one of the very few courses that concentrated on defense, which is Black Hat’s tongue-in-cheek slogan (“Digital Self Defense”). I taught the folks in there…
OWASP Guide 3.0 and Coding Guide 2009 Start
I’ve been busy over the weekend. I met with Blake Turrentine at a diner near where I live. We had a good long discussion over breakfast on the future of the Guide 3.0. The Guide 3.0 will be about how to design apps and code securely. That’s it. Only positive controls will be discussed unless…
Feelings of Rejection
In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention to my rant from last year. Most likely, I will have to give up on submitting papers to certain open source developers’ conferences as, honestly, why bother doing the research, creating the paper…
HttpOnly Update
Jim asked a great question – what is the current state of the nation for HttpOnly? I’m glad he asked! Pass – read/write cookie protection: IE 7.0, Firefox >= 2.0.0.5, Firefox 3.0 beta, Camino 1.5.4. Barely Pass – read-only cookie protection: IE 6.0, Opera 9.50 beta. Fail – no cookie protection: Safari 3.1, Firefox…
ESAPI for PHP is go
I’m working (slowly) on porting ESAPI to PHP. This will be great! So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported about 1000 of them already. …
Reaching for the high hanging fruit
My current research is mainframe security as it applies to web applications. This is where the high-hanging fruit (the golden apples) lie. If you can a) fake or bypass authentication, b) fake or bypass authorization, c) spoof logging or otherwise destroy accountability, d) interact directly or indirectly with a deeply nested service of value, e)…