It’s that time of the year again. In my previous list, it turned out I did some of the things I said I would, and a lot more besides.
In 2008, my desires are:
- Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife
- Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?
- Finish at least one piece of first class research in the web app sec field
Although my time will now necessarily be limited out of hours, I think it’s better to complete one or two really good ground breaking ideas than to spurt the same old, same old things over and over again. I think many of you know what I’m currently researching, and I hope to finish that by the end of the year.
My current research is mainframe security as it applies to web applications. This is where the high hanging fruit (the golden apples) lie. If you can
a) fake or bypass authentication
b) fake or bypass authorization
c) spoof logging or otherwise destroy accountability
d) interact directly or indirectly with a deeply nested service of value
e) manipulate data to violate integrity (creation, update or delete)
f) view data (read)
you are most likely to pwn the high hanging fruit. It’s actually amazing to me how LITTLE information is available on securing this stuff, and how often products which are marketed as “enterprise ready” and “secure” are actually not worth running a faulty bidet let alone left in charge of multi-trillion dollar a day roles.
Then there are the dumb architectures which often use clear text protocols, unauthenticated transfers (often using ftp or worse), batches with no integrity and no accountability controls, and so on. It is amazing that in this field no one has taken the time to really learn how to do it properly. It is not 1969 any more. The days when the data center was guarded and that’s how the punch cards arrived and the tapes left no longer apply.
However, there’s a few protocols and common transports which need some help first. I’m going to blog on those in the near term future.
vanderaj on December 21st 2007 in OWASP, Security
After the emergency caesarian, Tanya needed me quite a bit, so I ended up staying in the hospital with her until Friday. The rooms in the MCU are nice, but the fold out arm chairs which become a bed for the odd stay here and there are not so good for my back. Things were a bit strange as we didn’t have Mackenzie in the room with us, but down at the NICU where she was being closely monitored.

Mackenzie was a little irritable in the first few days, but in the end, she didn’t need any medicine to help her over the meds that Tanya had to take to make it through the pregnancy.

I had my diabetic nurse appointment at 9 am, so the commute two floors down was pretty easy. It turns out I have type 2 diabetes, which is not so good, but the prognosis is good if I can lose the weight, which should also help the high blood pressure and the sleep apnea. We talked about a bunch of stuff, but the main thing is behavior modification, along with diet and exercise changes. I have way more to learn about living with diabetes, including learning to live with pricking my finger four times a day.

However, during the diabetic appointment I started having the sniffles, and soon enough it’s turned into quite the rotten cold. I’ve been unwell now for a number of days, which is no good when all I really want to do is hold Mackenzie. I still feel a bit disconnected from it all as we didn’t have her in the room, and because of the cold, I really haven’t had a lot of opportunities to bond with her beyond a feed here or there.
What a week!
Today, we came in for a nice ultrasound with the in-laws so they can see, and maybe beg our obgyn for an earlier inducement. We sort of got what we wanted, and then some! We never made it to the obgyn appointment as things had moved on!
In a whirlwind, it turned from being low on amniotic fluid to immediate inducement followed by lots of pain then to much earlier than expected epidural to … well, let’s just say a lot of folks rushed in and thirty minutes later we are the proud parents of Mackenzie Lynne van der Stock!

Awesome! She might have come a little early (38 weeks), but that’s not a day too soon for Tanya, who has had a very difficult pregnancy.
Mackenzie weighed 2.75 kg (about 6 lbs 1 oz after conversion - even the US folks measure in metric for babies now!) and is 50 cm long today.

It’s been very exhausting and I’m using a tiny connection to the Internet via my mobile phone, so things will have to wait until tomorrow. We have photos and movies.
UPDATE: Photos here:
http://picasaweb.google.com/vanderaj/Mackenzie/
Well, I’ve been extraordinarily busy this year. Far too busy to do much beyond scratch myself. I feel bad as I:
- Didn’t end up writing a book, much to my wife’s relief
- Failed to blog as much as I wanted to, particularly on the layer 7, 8 and 9 issues such as business logic flaws that I love so much
- Left the OWASP Board without achieving anything major organizationally in the last twelve months. I never intended to stay on the board forever, but I achieved far less than I could have in the time I had, such as adopting a proper Foundation / Core / Leaders
- Failed to release any new releases of UltimaBB through complete inactivity
- Failed to lose any weight. In fact, I put on 15 kg since arriving in the USA, the single largest one year bump ever
- Failed to work on the OWASP Guide (much)
- Failed to improve my (weak) Japanese or learn Spanish even though that would be handy as you hear it so much here. My iPod is bursting at the seams with hundreds of Japanese and Spanish lessons, and I’ve listened to like five episodes all up
Listing it out like this, it’s like 2007 was a big fat failure. But that’s not entirely true:
- Moved to the USA and settled down. This doesn’t sound like much, but only if you’ve never moved country.
- Made a baby with my lovely wife. Our daughter is coming real soon now - we’ve had several close calls and she can’t wait to get out by the looks of things
- Saw about 25 of the 58 possible states*. The USA is awesome. I’ve been from Miami to Boston, from NYC to LA, and it’s so totally different and yet familiar. I can’t wait to see more.
- Got the job of a lifetime. The guys at Aspect are everything I thought they’d be and more. It’s a wonderful work environment with great people at the top, funny co-workers, and the work is challenging and varied, which is just up my alley.
- Lead Author and Editor of the Top 10 2007. That was a huge undertaking - incorporating all the other folks efforts. I’m glad it’s out there
- With my OWASP and Aspect hats on, worked on the SANS GSSP for Java with a bunch of other folks. We need certifications to get rid of the unqualified cowboys from our field. I am reasonably certain that multiple choice exams are NOT the way to do this, but it’s not likely my way (a master’s like dissertation or practical project) would fly
- Worked on the SANS Top 20 again (and got Jeremiah in on the act - he updated the first draft this year - much kudos to him!)
- Got the XMB folks back up on their feet with a dynamic set of programmers… which sort of took the wind out of UltimaBB, but that’s okay. XMB deserves all the success in the world after so many years of being effectively mismanaged
- Worked on researching mainframe security for web apps, which seems a total blank slate, yet vital to the world’s financial industry.
So next year, I plan to revisit some of my favorite themes, but I will only blog once in a blue moon by design. The blog entries will be farther apart, but I plan to make them content rich. Many of them will be previews for new OWASP research. In the meantime, I’m sure my life is about to completely change by a small 3 to 4 kg baby girl. We’ll see what happens next year!
* I say 58 not because I’m geographically challenged, just that Australia is the 51st through 58th (puppet) states. We’ll see if the new PM is a bit more independent or whether we trade one colonial master we ignore for another