I looked back at the “predictions” for 2010, a post I wrote five years ago, and found that besides the dramatic increase in mobile assessments this last year or two, the things I was banging on about in 2009 are still issues today: Developer education is woeful. I recently did an education piece for a developer…


This post is not in Latin, but is essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes: Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable…


So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin. Changing the prefix is easiest done with a new installation, but my installation dates from the very first…
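For anyone attempting the same rename on an existing installation, here is the full procedure as an added SQL example; it is not code from the original post. It assumes a MySQL backend, the old prefix wp_, a new prefix x7q_ (chosen for illustration) and the WordPress 3.x core table set. The “insufficient permissions” error comes from the role and capability data, which WordPress stores under prefixed keys inside wp_options and wp_usermeta rather than as table names, so renaming the tables alone leaves WordPress looking for x7q_user_roles and x7q_capabilities that do not exist.

```sql
-- Added example, not from the original post. Back up the database first.
-- Assumed old prefix: wp_   assumed new prefix: x7q_   (WordPress 3.x tables)

-- 1. Rename the core tables.
RENAME TABLE
  wp_commentmeta        TO x7q_commentmeta,
  wp_comments           TO x7q_comments,
  wp_links              TO x7q_links,
  wp_options            TO x7q_options,
  wp_postmeta           TO x7q_postmeta,
  wp_posts              TO x7q_posts,
  wp_terms              TO x7q_terms,
  wp_term_relationships TO x7q_term_relationships,
  wp_term_taxonomy      TO x7q_term_taxonomy,
  wp_usermeta           TO x7q_usermeta,
  wp_users              TO x7q_users;

-- 2. Fix the rows keyed by the old prefix. Without this step every user loses
--    their role, which is exactly the "You do not have sufficient permissions
--    to access this page." symptom in wp-admin.
UPDATE x7q_options
   SET option_name = 'x7q_user_roles'
 WHERE option_name = 'wp_user_roles';

UPDATE x7q_usermeta
   SET meta_key = 'x7q_capabilities'
 WHERE meta_key = 'wp_capabilities';

UPDATE x7q_usermeta
   SET meta_key = 'x7q_user_level'
 WHERE meta_key = 'wp_user_level';

-- 3. Check for anything else (plugin options, per-user settings) still carrying
--    the old prefix. The backslash escapes the underscore so LIKE does not treat
--    it as a single-character wildcard. Review each row before renaming it.
SELECT option_name FROM x7q_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7q_usermeta WHERE meta_key    LIKE 'wp\_%';

-- 4. Only now change wp-config.php:   $table_prefix = 'x7q_';
```

Step 3 matters for installations that have accumulated plugins over the years: some plugins store their own prefixed option and meta keys, and any left behind will silently lose their settings after the switch.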


This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need…


If you are participating in the OWASP Developer Guide, I want to have another status meeting Friday next week.
Friday 2nd November 1300 UTC
Saturday 3rd November 0000 AEDST (my time zone)
Come be my friend on Google+, and ask to be in my OWASP Guide circle. This circle can participate in the Hangout. Hope…


The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide. The reality is our field is just too big to do big bang projects. We need to…


Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer‘s talk “Penetration Testing Considered Harmful“. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog. Security has to be an intrinsic element of every system, or…


It’s been nearly seven years since I finished the herculean effort of holding down a day job and leading, editing or excising the existing material, cat herding all the collaborators, and writing a goodly portion of the OWASP Developer Guide 2.0. I finished PDFing 2.0 around 4.30 am and pushed it to the OWASP website.…