Entries Categorized as 'Uncategorized'
Call for stronger webappsec – enable HTTPS by default
June 16, 2009
In an open letter to Google, some familiar names in security call for Google, and other web-based application providers by proxy, to strengthen security by doing one simple thing – enable HTTPS by default.
If you haven’t read the letter, go back and do so [PDF link]. Please. I’ll wait. Lots of people don’t get the [...]
Hackers 1, Marketing 0
June 4, 2009
I’m really sorry – I stole the title to this post from Rich at Securosis. It was just so perfect I couldn’t resist. On a side note before I say my piece, will you guys (Securosis) calm it down for a bit? I can only read so many good posts a day (I have to [...]
Security auditor gets sued
June 3, 2009
I don’t think all that many people consider this when working as an external security auditor/tester/consultant, but something that worries me and sometimes keeps me up at night is knowing that you’ve “done enough” and “looked at and tested the right things, fully” on a particular engagement – especially when they are time-boxed (like most [...]
Software Security Model – BSI-MM released
March 12, 2009
Haven’t been posting for a while because work is really busy right now. More on that, and what I’m up to perhaps in another post but I’ve been asked to have a look at and post about The Building Security In Maturity Model.
I’ve always liked the idea of maturity models – it gives organizations an [...]
The war on WAFs
June 28, 2008
Well, it looks like the war of WAFs is ON! TS/Sci Security have done a great series of posts on the topic, the vast majority of which I whole-heartedly agree with. I’m sure that any readers of this blog would be reading TS/Sci, but if only so I can remember myself and have a record, [...]
Does Hollywood have no imagination?
June 18, 2008
I know that it may seem that I’m on a big rant as I’m moving out of SoCal, but honestly this has been brewing (and talked about with various people) for some time – I just haven’t had anything to point to and say “there!”.
A really cool article in the NYT a week or so [...]
The State of Web Security
May 20, 2008
It’s been a little under a month since I last posted for various reasons – both work (some interesting engagements have taken my time) and personal (family/friends visiting – it’s a bit rude to be surfing and posting while you have guests) – and although there’s been a lot of software and web security [...]
Web Attack Trends 2007
February 25, 2008
Also crossing my RSS feed today is the Web Hacking Incidents Database Annual report for 2007 [warning: PDF link behind free registration – I'm sure if you don't want to register, you know what to do]
The ModSecurity blog summarized it nicely, but there are some areas of it that I find a [...]
And we’re live…
January 1, 2008
So, after a few technical hiccups, I’m finally "live".
Check out the "about" and "contact" pages to the right, for more information, but for now it’s nice to have you visit, and hope you find something interesting.