So since ASVS 3.0 retired much of the malicious code requirements, and after actually doing a line-by-line search of ~20 kLOC of dense J2EE authentication code, I’ve been thinking about the various ways backdoors might be created so that neither automated nor line-by-line searches would find them. This obviously has…

I looked back at the “predictions” for 2010, a post I wrote five years ago, and found that besides the dramatic increase in mobile assessments this last year or two, the things I was banging on about in 2009 are still issues today: Developer education is woeful. I recently did an education piece for a developer…

This post is not in Latin, but it is essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes: Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable…

So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin. Changing the prefix is easiest with a new installation, but my installation dates from the very first…

This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need…

If you are participating in the OWASP Developer Guide, I want to have another status meeting Friday next week: Friday 2nd November, 1300 UTC (Saturday 3rd November, 0000 AEDST, my time zone). Come be my friend on Google+, and ask to be in my OWASP Guide circle. This circle can participate in the Hangout. Hope…

The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide. The reality is our field is just too big to do big bang projects. We need to…

Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer‘s talk “Penetration Testing Considered Harmful“. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog. Security has to be an intrinsic element of every system, or…