For the second time, I helped SANS compile their Top 20. I don’t know about the other sections; C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes: As far as the nature of the list…
Category: OWASP
SANS Top 20
The SANS Top 20 2006 update has been posted (SANS Top 20 2006). I helped write the C1 Web App Sec section (C1. Web Applications). We’re working on the updated OWASP Top 10 2007, which interlinks with that. It’s an interesting experience writing something like this for a completely different audience than web developers. As…
Survey at Casa de Grossman
Jeremiah sent me a survey to fill in. Normally, I don’t like participating in surveys, but this time I made an exception. Jeremiah noted that my responses, although not quite in the boxes he had set out, were still actually pretty useful. So here are my responses: 1. How many code reviews did you do…
MITRE Vulnerability trends released
In September, on a mailing list, MITRE talked about statistical proof that apps still suck. In fact, web apps suck much more than any other form of vulnerability. MITRE was surprised that their data set was so popular, and cleaned it up and released it: http://cwe.mitre.org/documents/vuln-trends.html. These will form the basis of the OWASP Top…
Reviewing Spring Web Flow apps (and JSTL and Spring Framework)
Well, I’ve just had the (somewhat dubious) pleasure of reviewing my first Spring Web Flow app. Initially, I thought ARRRRGH, Aspect Oriented Programming (AOP) dudes are on crack… and then I got the Kool-Aid. Here’s the lowdown for all you l33t code reviewers: it makes doing code reviews extremely hard … and extremely easy….
OSCON
Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia. Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we…
Press: Q&A on Ajax / SOA Security
Colleen Frye from SearchAppSecurity.com interviewed me via e-mail a couple of weeks ago on the OWASP Ajax security research and materials I’ve been pumping out. Although she asked for brief answers, to paraphrase Mark Twain, I didn’t have the time to write shorter answers. The results are now available for your reading pleasure. Part 1…
OSCON 2006 – See you there!
Just a quick note as to the quietness of the blog. I’m working on a few things: my slides for OSCON (the webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up); doing demos for the above; my slides for OWASP…
Updated Ajax Security presentation
I’ve updated the Ajax presentation to the slide deck I gave at OWASP EU. New pictures. More content. More size! (4.3 MB) Get it here: Ajax Security (4.3 MB PDF)
OWASP EU – Day 2
Excellent day again. I’m still waking up far too early, but that’s okay, particularly since I still had to complete my Day 2 keynote slides, much to Dave’s disgust. – Leuven University The keynote went well, but I finished what I thought was early when, in fact, it was dead on time. This left Ivan…