Entries Categorized as 'Security'
Browsers to spell the end of XSS?
July 2, 2008
Congrats to RSnake for working the ’softies and breaking the news that IE8 will have anti-XSS technology built into the browser.
This is really very cool, and as RSnake says, a big step in the right direction - programmers will always make mistakes, and any methods we can help protect against buggy software from being [...]
VA+WAF: that’s hot!
June 19, 2008
So, it seems that the whole VA+WAF discussion is clearly the “hot” topic in webappsec this week. First up we have the ts/sci post that I linked to earlier, Andre responded, and we also have a post from the guys at CGISecurity.
I’ll first address one of Andre’s comments before getting into the meat of this [...]
What web application security really is
June 17, 2008
One more post before I really should head off to bed
Another blog that I’ve read on-and-off, but which has just got a permanent place in my RSS reader, is ts/sci security. There’s been one post recently that, although I don’t agree with it 100%, certainly is “on the money”.
http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is
The only part I’m not sold on [...]
Another feed on my RSS
June 17, 2008
Ages back I met Rich Mogull at BlackHat/DefCon and we got on really well. Turns out we have some strange shared background as he worked backstage on some of the same tours state-side that I did in Europe.
Anyway, Rich is blogging at http://securosis.com/
As an ex-Gartner security analyst he has great insight into the [...]
Quick times for web app security
June 7, 2008
Through my RSS reader I discovered the above-named article the other day, so took a quick look. In some ways I wish I hadn’t, and I hope that not many other people did either.
The first few tips are pure “security by obscurity”, and you should never “sanitize” user inputs - either they pass validation [...]
Data portability security breach
June 3, 2008
I ranted a little about data portability when I finally signed up for Facebook and did my "things change". Little did I know that only a few days later, my concerns about security on social network sites were to be proven via this data sharing feature.
Byron Ng seems to have a bit of a [...]
Selling security
June 1, 2008
Very good article by Bruce Schneier on how selling security is difficult and fraught with cognitive bias. A recommended read for anyone that has to sell security services, whether to customers or internally in their own organization.
Obama looking for security expert
June 1, 2008
Hot off the heels of the XSS silliness between the Obama and Clinton camps, the my.barackobama.com site is looking for a network security expert who wants to…
…play a key role in a historic political campaign and help elect Barack Obama as the next President of the United States.
Ok, no mention of security in that opening [...]
Preparing for the worst.
May 30, 2008
Now this is what I call a disaster recovery team! (follow the comments for some interesting side discussions as well).
One of the things we security guys do is think about the worst thing that could possibly happen. It’s nice playing Dr. Evil with these “what if” scenarios with clients to see how prepared they are [...]
How to Improve the Web
May 20, 2008
Following on from the previous post, this one contains my thoughts on how to “fix” the state of the web as it is today. My outlook is not to just bitch about something, but try to do something about it (if you are not part of the solution…). Not saying that these are in any [...]
