Hi everyone. In case you missed my talk at Black Hat , “REST for the Wicked”, I wanted to give you the Cliffs Notes version here. This will be a two-part post; the first will deal with attack techniques and the second will describe appropriate design...

StickyMinds.com has just posted an article of mine on the dangers of XSS . (Although they still have my old bio from when I worked at HP, I'll have to get that changed!)

In light of the recent wake of SQL injection attacks on ASP sites, I'd like to highlight some relevant resources for learning about and responding to the threat. Bala Neerumalla has written a detailed document for preventing SQL injection in ASP (that...

There's been a lot of renewed interest in web application firewalls lately. In the past, I haven't been a huge fan of WAFs - they always seemed to me to be just a band-aid stuck on the sucking chest wound of insecure code. But I bumped into Jeremiah Grossman...

Ok, maybe “destroy the internet” is a little harsh. But let’s take a look the impact that implementation of the current W3C working draft for cross domain access would have on browser security. Some people might argue that there’s no more risk from cross...

If you haven't heard yet, BlueHat v7 is dedicating the entire block of morning sessions to web app security issues. I'll be there, talking about my first 30 days as the new web app sec guy on the SDL team. Hope to see you there!