Entries Categorized as 'Security'

A different form of security

Date October 1, 2009

Trying to get out from under the multiple firehoses right now (getting to know the people, the architecture, and the way forward), but at least I’m not drowning and starting to see open skies
More to come, but this via one Michael Howard pointing to an article by the “other” Mike Howard on campus, [...]

SSLLabs release two SSL related resources

Date July 24, 2009

SSLLabs have just released two quite interesting resources – their SSL Server Rating Guide and the Public SSL Server Database. As web server and application security are heavily tied to both the use of, and the strength of, SSL, it’s nice to see these two things released and giving information on correct configuration.
Now my two [...]

Websec101 – Episode 4 – Authorization

Date July 20, 2009

The next episode of WebSec101 which covers the topic of authorization has been posted to the Foundstone site.
http://www.foundstone.com/websec101/
Although not talked about as much as SQLi or XSS, authorization is the number one flaw you have to make sure your app is not vulnerable to. Not a lot of technical discussion in this webcast, but a [...]

Websec101 – Episode 3 – Authentication

Date July 6, 2009

The next episode of WebSec101 which covers the topic of authentication has been posted to the Foundstone site.
http://www.foundstone.com/websec101/
As ever, enjoy, and if you have any feedback/comments you know where to look.

No “type=password” fields?

Date June 25, 2009

Looks like Jakob Nielsen is at it again. The man certainly knows his usability stuff, and although he’s often controversial, and seldom “wrong”, he does put out some “doozies” every once in a while. His latest column on web usability calls for people to stop using password masking – effectively not using the “type=password” attribute [...]

WebSec101 is live!

Date June 22, 2009

After some delay, WebSec101 is live! What is it, you ask?
The WebSec101 series introduces the basics of web and application security in easy to digest 20-30 minute webcasts. It aims to give brief introductions to each of the major topics in testing, developing and securing web applications, and points the viewer to more detailed material [...]

XSS game changer

Date June 19, 2009

Thanks to Jeremiah Grossman (via twitter), I found this post on the Mozilla blog.
Shutting Down XSS with Content Security Policy
As Jeremiah says, this is a game changer in the realm of XSS. By making some small modifications to how you use JavaScript in your site (putting it all in an external file served by an [...]

Firefox WebApp testing plugins

Date June 10, 2009

Thanks to Alex (who BTW is leaving Foundstone to go back to university – the very best of luck mate), I heard of this collection of plugins that Adam Muntner has put together.
https://addons.mozilla.org/en-US/firefox/collection/webappsec
Certainly a great collection – I have some of those installed myself, but certainly not all, as I’m much more of [...]

MSFT InfoSec tools team have been busy

Date June 4, 2009

Well, certainly looks like the Information Security Tools Team have been busy. A post by Mark Curphey lists out all the things they have been working on and planning to release later in the year.
Risk Tracker, CAT.NET, Anti-XSS, Threat Modeling Tool, which are all public (and even open source!), and some projects that [...]

The State of Web Application and Data Security [Securosis]

Date June 2, 2009

Great post by Rich at Securosis on where he sees the state of web application and data security at the moment (based on customer contacts).
The first thing I really like about this post is the introduction where Rich outlines the inherent biases he faces as an analyst, and we all face in one way or [...]