OWASP AppSec EU 2017 Presentation

Here are the slides for my presentation at OWASP AppSec EU this year: The Flaws in Hordes, the Security in Crowds. It’s an exploration of data from bug bounty programs and pen tests that offers ways to evaluate when a vuln discovery strategy is efficient or cost-effective. OWASP records the sessions. I’ll post an update once …

OWASP/ISSA Bletchley Park 2012, Graveyards & Zombies

The May 10th OWASP/ISSA meeting at Bletchley Park was a chance to discuss web security, but the bigger draw was visiting the home of British code-breaking during WWII. It was astonishing to realize how run down the buildings had become. The site’s long-held secrecy ensured disrepair and inattention that is still being remedied. Never the …

Ignore the OWASP Top 10 in Favor of Mike’s Top 10

Code will always have flaws. Lists will always be in tens. Appsec will always be necessary. Hopefully, it will sometimes be effective. But let’s get back to the OWASP Top 10. This post’s title implies there’s some compelling reason to ignore it. It’s helpful for nomenclature and an introduction to web security, but it shouldn’t be misinterpreted …

30% of the 2010 OWASP Top 10 not common, only 1 not hard to detect

One curious point about the new 2010 OWASP Top 10 Application Security Risks is that 30% of them aren’t even common. The “Weakness Prevalence” for each of Insecure Cryptographic Storage (A7), Failure to Restrict URL Access (A8), and Unvalidated Redirects and Forwards (A10) is rated uncommon. That doesn’t mean that an uncommon risk can’t be a critical …