Here are the slides for my presentation at OWASP AppSec EU this year: The Flaws in Hordes, the Security in Crowds. It’s an exploration of data from bug bounty programs and pen tests that offers ways to evaluate when a vuln discovery strategy is efficient or cost-effective. OWASP records the sessions. I’ll post an update once …
Tag Archives: owasp
OWASP/ISSA Bletchley Park 2012, Graveyards & Zombies
The May 10th OWASP/ISSA meeting at Bletchley Park was a chance to discuss web security, but the bigger draw was visiting the home of British code-breaking during WWII. It was astonishing to realize how run-down the buildings had become. The site’s long-held secrecy ensured disrepair and inattention that are still being remedied. Never the …
Ignore the OWASP Top 10 in Favor of Mike’s Top 10
Code will always have flaws. Lists will always be in tens. Appsec will always be necessary. Hopefully, it will sometimes be effective. But let’s get back to the OWASP Top 10. This post’s title implies there’s some compelling reason to ignore it. It’s helpful for nomenclature and an introduction to web security, but it shouldn’t be misinterpreted …
30% of the 2010 OWASP Top 10 not common, only 1 not hard to detect
One curious point about the new 2010 OWASP Top 10 Application Security Risks is that 30% of them aren’t even common. The “Weakness Prevalence” for each of Insecure Cryptographic Storage (A7), Failure to Restrict URL Access (A8), and Unvalidated Redirects and Forwards (A10) is rated uncommon. That doesn’t mean that an uncommon risk can’t be a critical …
Article on the new OWASP Top 10
The Tech Herald has an article on the recently updated OWASP Top 10 Web Application Security Risks. The article briefly discusses the evolution of the Top 10 list and how one major class of vulnerability, logic flaws, tends to get hidden behind the noise of SQL injection and XSS. You can find out more …