I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class. This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes,…

Last night, I spoke to the phpMELB folks for an hour on ESAPI for PHP. The talk went well, and they taped it. When the video appears, I will link to it. More importantly, I worked on ESAPI for a couple of hours after returning last night, and finally have something to show everyone! ESAPI for…

I’m working (slowly) on porting ESAPI to PHP. This will be great! So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported about 1,000 of them already. …

A fair number of years ago, I had the “pleasure” of reviewing an application written in ASP. Unfortunately, it had over 2000 SQL injections. I do not know what happened to the company, which produced legal case management software, but it would have taken a great deal of work to re-engineer the code to be…

The document is a complete re-write from scratch, and is totally up to date. It’s 34 pages of goodness wrapped in a shiny new document format. Essentially it’s all over bar the shouting… which comes next! The document will be uploaded to our Wiki in the next week (post-board approval). If you want your review…

I’ve been busy on the Top 10 2007 with Dave Wichers and Jeff Williams. I’m very close to finalizing a draft release right now. This process made me think: how can we eliminate these issues? Why should every developer have to learn how to fix the same problem? We know on some frameworks, some classes…

All the cool kids get the press for the wrong reasons. It’s much easier to destroy than to create. Therefore, my 2006 and 2007 lists will only highlight those things which I think have helped create safer web apps, not made it harder for us to protect against them. 2006 Highlights: IE 7.0 released. Seriously.…

For the second time, I helped SANS compile their Top 20. I don’t know about the other sections; C1 is primarily my section. As always, there will be knockers. However, I was a bit surprised about one contrarian, the normally interesting and challenging Richard Bejtlich. Richard writes: As far as the nature of the list…

The SANS Top 20 2006 update has been posted. I helped write the C1 Web App Sec section (C1. Web Applications). We’re working on the updated OWASP Top 10 2007, which interlinks with that. It’s an interesting experience writing something like this for a completely different audience than web developers. As…