It’s time to do some curating of the OWASP Developer Guide. This is where my tastes meet the community’s – what do you want in the Guide, and what do you want out of the Guide? As much as I want to be comprehensive, there is a real risk that an 800-page book would…
Category: OWASP
OWASP Guide 2013 Development
It’s been nearly seven years since I finished the herculean effort of holding down a day job and leading, editing or excising the existing material, cat herding all the collaborators, and writing a goodly portion of the OWASP Developer Guide 2.0. I finished PDFing 2.0 around 4.30 am and pushed it to the OWASP website…
Security trends for 2012
Folks will continue to use abc123 as their password. They will then be surprised when they’re completely pwned. Folks will continue to not patch their apps and operating systems. They will then be surprised when they’re completely pwned. Folks will continue to use apps with administrator or god-like privileges. They will then be surprised when they’re…
On APT
Recently, RSA was attacked by adversaries who targeted their two-factor authentication fobs. These devices have known MITM issues, but folks still used them because there was so little information out there to say that a better choice is required. RSA liked it that way. RSA chose not to discuss the details of the attack,…
Upcoming speaking engagements – AusCERT and iTSMF
I am scheduled to talk or give tutorials at a couple of places so far this year. At AusCERT I am giving a two-day Secure Coding tutorial using OWASP’s Application Security Verification Standard. This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design…
OWASP Podcast 82 – Authorship of OWASP Top 10 2007
Dave Wichers appears in the latest OWASP Podcast (go get it!). In the podcast, he goes through the huge number of OWASP projects he’s been involved in. There’s no doubt Dave’s massive investment in time, intellectual property, and money has been instrumental to OWASP’s success. Without Jeff and Dave’s leadership and contributions, OWASP would be…
Need a secure code review? We have slots available
I don’t normally pimp my employer, but I’d rather be doing secure code reviews than pen tests any day of the week. 🙂 We have open slots in our schedule for secure code reviews starting from mid-March 2011. We perform our code reviews against the OWASP Application Security Verification Standard Level 2B – Automated…
Take Two on Top 10 2010 Security Defenses
A little while ago, I was thoroughly sick of the usual attack attack attack gumpf, and decided to put up a competition for Top 10 defenses. Epic fail. Looking back at it, attacking the attackers is not a winning strategy. It’s a fact of human nature that it’s better to be a hot firefighter putting…
Security checklists are not bad, it’s how they’re used
There’s a meme that’s been running around the anti-PCI DSS crowd for a while, that’s starting to get good traction in otherwise sane infosec folks: (paraphrasing) “Checklists don’t work.” Actually, PCI DSS is making inroads in containing data breaches. See for yourself. So what’s the big deal? Those who know me know several things: I…
Passwords are neither free nor cheap
I don’t know how many clients over the last decade I’ve been trying to get this basic fact through their very thick business skulls, but here goes again:
PASSWORDS ARE NOT FREE
PASSWORDS ARE NOT CHEAP
PASSWORDS ARE NOT SAFE
PASSWORDS ARE NOT ACCEPTABLE FOR HIGH VALUE DATA / APPLICATIONS. EVER.
Vodafone has found this…