The Impossibles

I thought recently about the ways in which folks who are looking for research projects in web app sec might make a useful contribution to the field. Part of that is the list of impossible tasks – those tasks that are so hard that it is unlikely to be solved in my lifetime. If you […]

Securency and bribery

Australia developed polymer (plastic) bank notes from the 1970s onwards, and they’ve been our currency since the 1990s. This bank note technology is essentially counterfeit-proof – notes can have holograms, microprinting, a transparent window, “watermarks”, very colourful inks and metallic strips, and the notes are long lasting and machine washable. There’s a lot of positives. […]

OWASP ASVS – also good for architecture reviews

I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a lightweight security architecture template. The good news is that it helped us decide on a bunch of controls (using ESAPI, of course) that will hopefully improve the security of the application. I’ll find out in a few months if any […]

Advanced Persistent Threat – risk management by a new name

I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state-sponsored intelligence gathering, are no different to the age-old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the […]