do… Web Application Development and Security

Archive for January, 2008

CapSec January 2008

Thursday, January 31st, 2008

After work today I walked to The Brickskeller and enjoyed a couple beers with a few of the CapSec group including Doug Wilson.

One thing we discussed was that with tech groups formed around common interests, like web development, linux, or security, it’s very easy for people to stick with what and who they know. But in security, work roles tend to be multidisciplinary. Security often is one of several hats to wear or is built upon another specialty such as networking or development. Because of this, many security professionals have the perspective and the opportunity to cross-pollinate by participating in other groups where security isn’t the primary focus but is still relevant.

I think the more people who act on that thought, the better for the community.

20 Hacker Tricks for Attacking Web Apps

Monday, January 21st, 2008

At the DC PHP Developers Group meeting on January 9th I had the pleasure of giving my very first talk to a tech group.

Since other people have given excellent talks focusing on a few top attack methods, I tried to give a broader survey to show some of the diversity of the hacking mindset. If this talk triggered some thoughts like, “It never occurred to me that hackers might try that”, then I met my goal.

My original slides were a little rough… to avoid shame and embarrassment I edited them a bit before posting them here for public consumption:

20 Hacker Tricks for Attacking Web Apps

I welcome any comments, especially if they will help improve the content or my performance. I’d like to give updated talks along the same line in the future. I’d also like to cover ways to harden web applications against hacking.