I’ve had the manuscript of this book for about two weeks now. I approached this review from the point of view of having had a contract to write an Ajax security book myself, with No Starch Press. I actually approached Billy to see if he wanted to help write my book at Black Hat in…
Category: Security
Why does forum software have more security features than “enterprise” tool chains?
I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically: they do not implement any form of strong authentication, nor any facility to integrate with known strong authentication solutions; they do…
Security Engineering
One of the really cool things my job allows me to do is go teach developers and managers about application security. In the past, I’ve half jokingly said “when the revolution comes, X will be first against the wall”, where X is a product or company who has no clue about security and worse, they…
InfoSec Sellout Pwned
It’s sort of ironically funny when a blogger who is against FUD in the security industry gets pwned by sploggers. Seriously not safe for work:
Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant
A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have: Fear – Pretty much every talk Uncertainty – you betchya Doubt…
OWASP Guide 3.0 Starts
Well, I’ve had a bit of a holiday … doing work, and it’s time to pick up the pen and start writing again. I was struck by the Wiki at just how hard it was to edit and get it the way I want it to look. Even more so when my free time coincides…
The mainframe conundrum
It would have been nice to get Web 1.0’s security fixed first before starting on Web 2.0. And before Web 1.0 was … the mainframe. In my time with health care providers, at one of the world’s largest telcos, at various largish Australian banks, and over the last few weeks teaching mainframe folks about secure…
Dumb: Safari 3.0 does not support HttpOnly
Sad Andrew 🙁 🙁 🙁 Reading: Writing:
Why I will have a job in 2035, or how to write a successful talk submission
In 2035, I will be 65. Most likely, unless I was to take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today. Why? I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken…
Time to start on the Guide 3.0
It’s time to get moving again. The Top 10 2007 is out. So it’s time to look at the raison d’être of OWASP – The OWASP Guide. The OWASP Guide is a compendium of best practices, what not to do (in 2003-2005), how to test for a problem, and occasionally comically bad English. I did…