Archive for November, 2007

2007 Security Testing tools in review

In my last post, I explored some ways of using formal method tools to perform security testing in the most advanced scenarios. It may have been over the heads of many people, so I wanted to offset that by talking to some basic tools which I think anyone can utilize effectively assuming they bring […]

Formal Methods and Security

Most information security practices, whether for systems, networks, applications, software, or data, come from original sources such as the Orange Book. Most people assume that the Orange Book is no longer valid for use in security today. If we had built systems around the Orange Book concepts — then why are we so […]

Contributing towards a solution

Roger Halbheer, Chief Security Advisor for Microsoft Europe, Middle East, and Africa, posted a comment last week in response to my post on “Operating Systems are only as secure as the idiot using it.” Roger is looking for some open discussion on improving the security usability problem, instead of sitting back and complaining about it.
I […]

Blacklisting, XSS filter evasion and other resources

So the other day I was doing a web site review and looking for XSS issues. I came across one ASP form that used various URL parameters to make up parts of the form. Well, I poked around and tried injecting the usual, `<script>alert('xss')</script>`. The page went straight to a 404 Not Found, so […]

Roothack revival — and TSSCI is participating!

Epic and the gang over at roothack.org have revived the old but popular and fun wargames in a new style. The old games used to be 72-hour team-based games but are now level-based Capture the Flag (CTF) in the same vein as the PullThePlug games. If PTP was too hard for you or you’re just […]