I am standing again for the OWASP Board, again representing the Asia Pacific region, which is a huge growth area for OWASP globally. The growth opportunities in Australia, New Zealand, Singapore, Japan, Malaysia, Philippines, and in particular, Indonesia are immense. My goals for OWASP is to transition us from a small fast growing non-profit to a healthy sustainable non-profit,…
Category: OWASP
On backdoors and malicious code
So since the ASVS 3.0 retired much of the malicious code requirements, and after actually doing a line by line search of ~20 kLOC of dense J2EE authentication code, I’ve been thinking about various methods that backdoors might be created and not be findable by both automated and line by line searches. This obviously has…
Looking back at 2009 and Predictions for 2015
I looked back at the “predictions” for 2010, a post I wrote five years ago, and found that besides the dramatic increase in mobile assessments this last year or two, the things I was banging on about in 2009 are still issues today: Developer education is woeful. I recently did an education piece for a developer…
AppSec EU – DevGuide all day working party! Be a part of it!
Be a part of the upcoming AppSec EU in Cambridge! * UPDATE! Eoin can’t be in two places at once, so our hack-a-thon has moved to Tuesday 24 June. Same room, same bat channel. * Eoin Keary and myself will be running an all day working party on the Developer Guide On June 24…
Argumentum ad antiquitatem
This post is not in Latin, but essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes: Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable…
Securing WordPress with obfuscation
So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin. Changing the prefix is easiest done with a new installation, but my installation dates from the very first…
Time to update knowledge
This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need…
OWASP Developer Guide – time for a new meeting
If you are participating in the OWASP Developer Guide, I want to have another status meeting Friday next week. Friday 2nd November 1300 UTC Saturday 3rd November 0000 AEDST (my time zone) Come be my friend on Google+, and ask to be in my OWASP Guide circle. This circle can participate in the Hangout. Hope…
OWASP Guide 2013 – Developers needed!
The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide. The reality is our field is just too big to do big bang projects. We need to…
On penetration testing – harmful?
Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer‘s talk “Penetration Testing Considered Harmful“. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog. Security has to be a intrinsic element of every system, or…