For the second time, I helped SANS compile their Top 20. I don’t know about the other sections, but C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes: As far as the nature of the list…
Category: Security
SANS Top 20
The SANS Top 20 2006 update has been posted. I helped write the C1 Web App Sec section (C1. Web Applications). We’re working on the updated OWASP Top 10 2007, which interlinks with that. It’s an interesting experience writing something like this for a completely different audience than web developers. As…
Survey at Casa de Grossman
Jeremiah sent me a survey to fill in. Normally, I don’t like participating in surveys, but this time I made an exception. Jeremiah noted that my responses, although not quite in the boxes he had set out, were still actually pretty useful. So here are my responses: 1. How many code reviews did you do…
Attack vector for Windows Genuine Disadvantage
The other day, WGA decided that my volume-licensed copy of Visio was a pirated copy. This is laughable… and annoying. Luckily, the situation sorted itself out; I have Visio 2007 installed and I was able to use that until Microsoft used the rubber hose on WGA’s servers. But it got me to thinking how…
MITRE Vulnerability trends released
In September, MITRE talked on a mail list about statistical proof that apps still suck. In fact, web app flaws now outnumber every other class of vulnerability. MITRE was surprised that their data set was so popular, and cleaned it up and released it. http://cwe.mitre.org/documents/vuln-trends.html These will form the basis of the OWASP Top…
Reviewing Spring Web Flow apps (and JSTL and Spring Framework)
Well, I’ve just had the (somewhat dubious) pleasure of reviewing my first Spring Web Flow app. Initially, I thought ARRRRGH Aspect Oriented Programming (AOP) dudes are on crack… and then I got the Kool-Aid. Here’s the lowdown for all you l33t code reviewers: it makes doing code reviews extremely hard … and extremely easy….
Come see me at Ruxcon
My next speaking engagement (I’m such a junket slut) is Ruxcon. Ruxcon’s site See you there!
Behavior profiling for web apps
I regularly read Bruce Schneier’s blog. Last week, he blogged about behavioral profiling. One of the key methods of detecting fraud is anomaly checks. I think this can be done statistically by reviewing history about a user and determining how likely it is that they will perform any particular set of actions. I am thinking…
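A minimal version of the statistical check sketched above, added here as an example (it is not code from the original post): each action is scored by how surprising it is given the user's own action history, and a session whose mean surprisal passes a threshold is flagged. The history, the two sessions and the 4-bit threshold are all constructed for the demo.

```php
<?php
// Added example, not from the original post: per-user action-frequency anomaly
// scoring. History and sessions below are constructed sample data.

// Constructed history: how often this user performed each action in past sessions.
$history = array(
    'login'             => 120,
    'view_balance'      => 400,
    'pay_known_payee'   => 95,
    'add_payee'         => 3,
    'change_email'      => 1,
    'transfer_external' => 2,
);

// Surprisal (bits) of one action under a Laplace-smoothed frequency estimate.
// The +1 in the vocabulary reserves probability mass for never-seen actions, so a
// brand-new action is rare but not impossible (no division by zero, no -log(0)).
function action_surprisal(array $history, $action, $alpha = 1.0)
{
    $total = array_sum($history);
    $vocab = count($history) + 1;
    $count = isset($history[$action]) ? $history[$action] : 0;
    $p = ($count + $alpha) / ($total + $alpha * $vocab);
    return -log($p, 2);
}

// Mean surprisal per action over a session. Averaging rather than summing keeps
// a long routine session from outscoring a short abnormal one.
function session_score(array $history, array $actions)
{
    if (count($actions) === 0) {
        return 0.0;
    }
    $bits = 0.0;
    foreach ($actions as $action) {
        $bits += action_surprisal($history, $action);
    }
    return $bits / count($actions);
}

// Threshold is an assumed value; calibrate it against scores of known-good sessions.
function is_anomalous(array $history, array $actions, $threshold_bits = 4.0)
{
    return session_score($history, $actions) > $threshold_bits;
}

// Constructed sessions: a routine one and one that looks like an account takeover.
$routine  = array('login', 'view_balance', 'pay_known_payee', 'view_balance');
$takeover = array('login', 'change_email', 'add_payee', 'transfer_external', 'transfer_external');

printf("routine:  %.2f bits/action, anomalous=%s\n",
    session_score($history, $routine), is_anomalous($history, $routine) ? 'yes' : 'no');
printf("takeover: %.2f bits/action, anomalous=%s\n",
    session_score($history, $takeover), is_anomalous($history, $takeover) ? 'yes' : 'no');
```

The routine session scores under 2 bits per action and the takeover session well above 6, because change_email, add_payee and transfer_external are each seen only a handful of times in 600-odd recorded actions. A unigram model like this ignores ordering; if the sequence matters (add payee, then transfer), the same scoring applies to bigrams of consecutive actions.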
Ajax Security
Good news, everyone! I’m writing a new book on Ajax Security. You can follow development at http://www.ajaxsecurity.info/ I am looking for a co-author to bring the book to fruition faster (and to avoid marital breakdown!), so if you’re interested and have lots of Ajax and security experience (20 years or better!) and have the mad…
PHP 5.2 to get HttpOnly!
Ilia has just blogged that HttpOnly is now supported in PHP 5.2. HttpOnly stops script from reading the cookie, which takes the sting out of the usual sort of basic XSS attack (stealing the session cookie via document.cookie), like: Supported browsers: IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks); IE 7.0 – prevents reading and writing – safest; Safari 1.3 – not supported (update)…
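What the PHP 5.2 change looks like in practice, as an added example (not code from Ilia's post or from PHP itself): the session cookie is flagged via session.cookie_httponly, an application cookie via the new seventh setcookie() parameter, a hand-built Set-Cookie header covers pre-5.2 servers, and a small check lets a reviewer confirm the flag is present on a captured header. The cookie names and the placeholder token are assumptions.

```php
<?php
// Added example, not from the original post or from PHP: marking cookies HttpOnly.

// 1. Session cookie: php.ini "session.cookie_httponly = 1", or set it at runtime
//    before session_start(). Requires PHP 5.2 or later.
ini_set('session.cookie_httponly', '1');
session_start();

// 2. Application cookie. PHP 5.2 added the 7th parameter:
//    setcookie(name, value, expire, path, domain, secure, httponly)
//    $token is a placeholder; derive the real value from a CSPRNG.
$token = sha1(uniqid(mt_rand(), true));
setcookie('remember', $token, time() + 86400, '/', '', false, true);

// 3. Pre-5.2 fallback: build the header by hand. Browsers that do not
//    understand the attribute ignore it, so it is safe to send everywhere.
function set_httponly_cookie($name, $value, $expire, $path = '/')
{
    $cookie = rawurlencode($name) . '=' . rawurlencode($value)
        . '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expire)
        . '; path=' . $path
        . '; HttpOnly';
    header('Set-Cookie: ' . $cookie, false); // false: keep earlier Set-Cookie headers
}
set_httponly_cookie('legacy', 'value', time() + 3600);

// 4. Review check: does a Set-Cookie header carry the flag? Cookie attribute
//    names are case-insensitive, so compare accordingly.
function cookie_is_httponly($set_cookie_header)
{
    $attrs = array_map('trim', explode(';', $set_cookie_header));
    array_shift($attrs); // drop the name=value pair
    foreach ($attrs as $attr) {
        if (strcasecmp($attr, 'HttpOnly') === 0) {
            return true;
        }
    }
    return false;
}

foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, ' => ', cookie_is_httponly(substr($h, 11)) ? 'HttpOnly' : 'NOT HttpOnly', "\n";
    }
}
```

cookie_is_httponly('PHPSESSID=abc; path=/; HttpOnly') returns true and cookie_is_httponly('PHPSESSID=abc; path=/') returns false. The caveat the browser list above already hints at: HttpOnly only blocks document.cookie access. Injected script still runs with the victim's session and can issue requests that carry the cookie, so the flag is a mitigation for cookie theft, not a fix for the XSS.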