As it’s nearly time for Tanya and me to welcome our first (and probably only) child into this world, it’s time to simplify my life. To that end, I am no longer on the OWASP Board, and OWASP has selected two new board members: Tom Brennan and Sebastian Deleersnyder. This takes effect pretty much immediately. …
Category: OWASP
Let’s talk mainframes for a bit. Part 1: Background and AuthC
In larger organizations, the back end of a web application is a mainframe. The mainframe is the final frontier of application security:
- Uses a platform few if any in the application security industry know about
- Those who do know mainframe security rarely interact with the outside
- IBM trains young devs in how to program COBOL,…
OWASP / WASC AppSec 2007
It’s that time of the year again! Time to register for the OWASP / WASC AppSec 2007 Conference.
Training Schedule
Conference Schedule
Secure Registration
This is the conference track I dream about when I cry to myself re: lack of web application security in other security conferences. Awesome speakers, the Breach cocktail party (register now!…
Why does forum software have more security features than “enterprise” tool chains?
I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically:
- They do not implement any form of strong authentication, nor any facility to integrate with known strong authentication solutions
- They do…
Security Engineering
One of the really cool things my job allows me to do is go teach developers and managers about application security. In the past, I’ve half jokingly said “when the revolution comes, X will be first against the wall”, where X is a product or company who has no clue about security and worse, they…
Notes from Black Hat
Well, I had fun. You have to be basically a killjoy to not have fun in Vegas. Black Hat is getting busier and busier every year, and this year is no exception. There would have been easily three thousand folks at the event, and it was approximately 1.5-2.5 thousand too many, especially during breaks…
OWASP Guide 3.0 Starts
Well, I’ve had a bit of a holiday … doing work, and it’s time to pick up the pen and start writing again. I was struck by the Wiki at just how hard it was to edit and get it the way I want it to look. Even more so when my free time coincides…
The mainframe conundrum
It would have been nice to get Web 1.0’s security fixed first before starting on Web 2.0. And before Web 1.0 was … the mainframe. In my time with health care providers, at one of the world’s largest telcos, at various largish Australian banks, and over the last few weeks teaching mainframe folks about secure…
Why I will have a job in 2035, or how to write a successful talk submission
In 2035, I will be 65. Most likely, unless I was to take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today. Why? I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken…
Time to start on the Guide 3.0
It’s time to get moving again. The Top 10 2007 is out. So it’s time to look at the raison d’être of OWASP – The OWASP Guide. The OWASP Guide is a compendium of best practices, what not to do (in 2003-2005), how to test for a problem, and occasionally comically bad English. I did…