tssci security

Archive for June, 2008

Week of War on WAF's: Day 5 -- Final thoughts

Did we learn anything about web application firewall technology this week? I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don't know why. Organizations everywhere think [...]

Week of War on WAF's: Day 4 -- Closer to the code

[Andre and Marcin]: For today's post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, together with that of his co-worker Nish Bhalla, has been influential in solving some unique application security [...]

Week of War on WAF's: Day 3 -- Language specific

This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang: [...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that [...]

Week of War on WAF's: Day 2 -- A look at the past

Web application experts have been asking WAF vendors the same questions for years with no resolution. It's not about religion for many security professionals -- it's about having a product that works as advertised. My frustration is not unique. I am not [...]

Week of War on WAF's: Day 1 -- Top ten reasons to wait on WAF's

Hello, and welcome to the Week of War on WAF's, the week at whose end PCI-DSS Requirement 6.6 goes into effect as a deadline for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application [...]

Web application firewalls: A slight change of heart

We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, are against us, or are just tired from it all by now. This post is about to change all that, and show [...]

R.I.P. CISSP

We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached [...]

Virtualization is a process, not a product

I see that the BlackHat Blogger's Network has a topic of interest. I'll oblige, especially since The Hoff is involved. I think it's a good exercise, so I'll have to thank Shimel for this idea. You also won't want to miss what I've said about [...]

nmaparse.py -- Parsing grepable Nmap output to insert into MySQL

Last week, Richard Bejtlich reviewed "Nmap in the Enterprise," and was, for the most part, disappointed with its lack of enterprise context. My last script, tissynbe.py, parsed Nessus results in nbe format and inserted them into a MySQL database. [...]
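As an added example (written for this page, not the nmaparse.py script from the post), here is a parser for Nmap's grepable (-oG) format that loads one row per port into a database table. It uses an in-memory SQLite table as a stand-in for the MySQL table the post describes; the scan text, table name `nmap_ports` and column layout are all constructed for the example. The one point worth carrying over to any such loader: host names and service banners come from the scanned target, so they go in as bound parameters, never interpolated into the SQL string.

```python
"""Parse Nmap grepable (-oG) output and load it into a database table.

Constructed example: SQLite stands in for MySQL.  To target MySQL, swap the
sqlite3 connection for a DB-API connection from a MySQL driver and change the
'?' placeholders to that driver's paramstyle (usually '%s').
"""
import re
import sqlite3

# Constructed sample of grepable output: two hosts up, one down, one filtered port.
# Fields on a Host: line are tab-separated; Ports: entries are comma-separated
# port/state/proto/owner/service/rpcinfo/version/ tuples.
SAMPLE_GNMAP = (
    "# Nmap 4.62 scan initiated Mon Jun 16 2008 as: nmap -sV -oG scan.gnmap 192.168.1.0/29\n"
    "Host: 192.168.1.1 (gw.example.test)\tStatus: Up\n"
    "Host: 192.168.1.1 (gw.example.test)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.8/, "
    "443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.2 ()\tStatus: Down\n"
    "Host: 192.168.1.3 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.0.51a/\tIgnored State: closed (999)\n"
    "# Nmap done at Mon Jun 16 2008 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")
# A version banner may contain ', ', so split only where the next port entry starts.
PORT_SPLIT_RE = re.compile(r",\s+(?=\d+/)")


def parse_gnmap(text):
    """Return (ip, hostname, port, proto, state, service, version) tuples.

    Hosts that appear only with 'Status: Down' (or with no Ports: field) yield
    no rows; comment lines starting with '#' are skipped.
    """
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        match = HOST_RE.match(line)
        ip, hostname = match.group(1), match.group(2)
        ports = fields.get("Ports")
        if not ports:
            continue
        for entry in PORT_SPLIT_RE.split(ports):
            # Trailing '/' leaves an empty 8th element; owner and rpcinfo are unused.
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            rows.append((ip, hostname, int(port), proto, state, service, version))
    return rows


def load_into_db(conn, rows):
    """Create the table if needed, insert the rows, return the row count."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS nmap_ports ("
        "ip TEXT, hostname TEXT, port INTEGER, proto TEXT, "
        "state TEXT, service TEXT, version TEXT)"
    )
    # Bound parameters: hostname and version are attacker-influenced strings
    # from the target, so they must never be formatted into the SQL text.
    conn.executemany("INSERT INTO nmap_ports VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM nmap_ports").fetchone()[0]


def open_ports_by_host(conn):
    """Map each IP to its sorted list of open ports, read back from the table."""
    result = {}
    query = "SELECT ip, port FROM nmap_ports WHERE state = 'open' ORDER BY ip, port"
    for ip, port in conn.execute(query):
        result.setdefault(ip, []).append(port)
    return result


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    n = load_into_db(db, parse_gnmap(SAMPLE_GNMAP))
    print(n, "port rows loaded")
    for ip, ports in open_ports_by_host(db).items():
        print(ip, ports)
```

Run it against a real file with `parse_gnmap(open("scan.gnmap").read())`; the splitting regex is what keeps banners containing commas from being mistaken for new port entries.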

Accountability through connected frameworks

Apparently Laura Chappell and Mark Curphey were presenting at the Microsoft TechEd 2008 Security Track last week. I haven't heard too much about what happened as a result, and I really wish I was there to see them speak about their respective topics. For [...]

What web application security really is

I wanted to do a post about "what web application security really is" because plenty of people out there don't get it. They understand that "security attacks are moving from hosts to the Web", but they have no idea what that means. To most people, web [...]