Archive for Work

What makes a solid security program?

In my most recent post, I identified the direction and state of the art in application security. We all know the importance of application security in today’s environments. However, finding out where to fit application security policies and programs into an overall security program (or organizational security plan) is as difficult as (or more difficult than) integrating mandatory [...]

Writing a web services fuzzer in 5 minutes to SQL injection

This week, I was doing an internal penetration test, for a client, of a web service that is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple of advantages, like having network access to the service, the WSDL and also [...]

Decreasing Security for Perceived Security — all in the name of compliance

Today I ran into a little setback from an issue I did not foresee. For the past several months, I’ve been on a PCI remediation project, on which one of my tasks was to implement a web application firewall to address PCI requirement 6.6. Now, for everyone out there who has been following [...]

Happy Two-Year Anniversary

Yesterday we celebrated tssci-security.com’s two-year anniversary. I started this site on August 23rd, 2006 during my first internship, and oh my, how the time flew by. A lot of good things have come my way — most as a direct result of this blog. The connections and many good times I’ve had [...]

Web application firewalls: A slight change of heart

We’ve been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, be against us, or just be tired of it all by now. This post is about to change all that, and show that we are not 100% [...]