Archive for Tech
Web application security scanners have not matured much. I guess patent wars and company buyouts have caused a lot of stagnation over the past year. However, I think the problems may run deeper than just controversy and industry drama.
AppScan DE and DevInspect as exceptions — largely the web application security scanner industry is filled […]
Posted by dre on January 21st, 2008 in Tech, Security.
An audit framework for evaluating structured security program frameworks
How many readers implemented a new security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were involved?
Possible frameworks (Criteria)
No structured security program, or one based around a single vendor or regulation
Mike Rothman’s Pragmatic CSO (P-CSO)
Gunnar Peterson’s […]
Posted by dre on December 10th, 2007 in Work, Hacking, Politics, Tech, Intelligence, Security, Defense.
Pen-testing is an art, not a science
Penetration-testing is the art of finding vulnerabilities in software. But what kind of an “art” is it? Is there any science to it? Is pen-testing the “only” way or the “best” way to find vulnerabilities in software?
When I took my first fine arts class, we learned […]
Posted by dre on December 2nd, 2007 in Hacking, Tech, Security, Defense.
In my earlier article on Using Google Analytics to Subvert Privacy, I demonstrated how dangerous free tools could be when used to match privacy information to web clicks.
But now that Google has updated its Analytics service to support internal search queries, you can link user privacy information to search data as well. Now everyone can […]
Posted by dre on October 17th, 2007 in People, Conferences, Privacy, Tech, Security, News.
Recently, we’ve heard a lot of talk about P2P apps and data leakage concerning various members of Congress. It started with this article over at NetworkWorld, followed up by the guys at nCircle, criticism directed towards Congress from Techdirt, comments from LonerVamp, and lately a rambling from Alan Shimel on how NAC will solve the […]
Posted by Marcin on July 29th, 2007 in Politics, Tech, Security, News.