The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide. The reality is our field is just too big to do big bang projects. We need to…
Category: Security
Speaking at Linux.conf.au 2013
I’m glad to say that I’ve been accepted to speak at linux.conf.au 2013. My talk is how to apply the OWASP Developer Guide 2013 to your open source project. The Open Web Application Security Project (OWASP) Developer Guide 2013 is coming soon. In this presentation, you’ll learn about the major revision to one of the…
PCI DSS QSA vs ISA smack down
In his post “PCI’s Money Making Cash Cow“, Andrew Weidenhamer must have had a bad week of being challenged (or in his words, “bullied”) by a PCI DSS Internal Security Auditor (ISA). This is not acceptable, but QSAs must accept that their advice is there to help the organization become compliant, not to provide a…
On penetration testing – harmful?
Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer‘s talk “Penetration Testing Considered Harmful“. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog. Security has to be an intrinsic element of every system, or…
OWASP Development Guide – what do you want in, and what do you want out?
It’s time to do some curating of the OWASP Developer Guide. This is where my tastes meet the community’s – what do you want in the Guide, and what do you want out of the Guide? As much as I want to be comprehensive, there is a real risk that an 800-page book would…
OWASP Guide 2013 Development
It’s been nearly seven years since I finished the herculean effort of holding down a day job and leading, editing or excising the existing material, cat herding all the collaborators, and writing a goodly portion of the OWASP Developer Guide 2.0. I finished PDFing 2.0 around 4.30 am and pushing it to the OWASP website….
Safety culture – let’s add it
Last year, I was at a site which took safety very, very seriously. On the wall in a break room was a poster with several steps that I think we in the security industry could learn from: Eliminate the risk. In this case, if you see a risk and it has a known solution, that…
I hate being proven right – mass pwnage
Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such as Core Security, through several security…
Security trends for 2012
Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned. Folks will continue to use apps as administrator or god like privileges. They will then be surprised when they’re…
Hope
One of my favorite TV shows is the Gruen Transfer, a show deconstructing advertising. Don’t laugh, it’s the ABC’s #1 TV show. A few weeks back, one of the panelists revealed that there are two fundamental ways to sell things – fear, as in: Late 1980’s Anti-AIDS advert and hope, as in: Durex condom…