« CGISecurity.com Turns 10!: A short appsec history of the last decade | Main | Twitter XSS worm »

CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years

To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of.


The Cross-site Scripting FAQ (2001)
In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response (XSS). At the time only 2-3 papers existed (including cert's) and I was compelled to learn more about this newer attack. After some investigation into XSS I decided to write  The Cross-site Scripting FAQ in late 2001. Now I admit it hasn't been updated in 8 years (I'm planning on refreshing it sometime soon actually), however the advice still holds true even as one of the first articles on the subject.


Attacking Permalinks (2006)
In 2006 I wrote an entry on a method for attacking permalinks. Years later (2008) this method was further explored/detailed and coined HTTP Parameter Pollution (HPP) by others in the industry.


The lack of security enabled frameworks is why we're vulnerable  (2006)
People made the arguement that developers should just know how to avoid introducing security defects into their code. I wrote an entry in 2006 arguing that when possible certain types of security checking/controls should be at the framework level and solved unbeknownst to the average developer.


Challenges faced by automated web application security assessment tools (2006)
After working for SPI Dynamics for just shy of 4 years I had switched jobs which allowed me to discuss some of the limitations and challenges of automated security assessment tools. A month after leaving SPI (which was one of the best gigs I've had) I released an article detailing the technical challenges faced by automated blackbox security scanning tools.


Browser Security: I Want A Website Active Content Policy File Standard! (2007)
After having been in the appsec space for some time I was annoyed that the core foundations of browsers lacked the ability for me to communicate intent for how things should execute on my domain. I wrote a rant on the need for a site security policy, many aspects which are being included years later into mozilla's excellent content security policy project.


The Cross-site Request Forgery FAQ (2007)
In 2006 CSRF was still a not very well documented attack method/weakness and I found that at the time not many documents articulated the issue very well. Being the arrogant bugger that I am I decided that CSRF would make for a great topic for a new FAQ. In early 2007 I released the first version of the CSRF FAQ (which has been updated many times since, including things I failed to include the first release) which is updated whenever something of interest/importance comes out.


A Software Call To Arms: Where are source control repository security scanning tools? (2007)
Having worked in the software security industry as both as user, and a vendor I found that a big issue with the security scanning tools was that developers still had the ability to check in code with problems. I wrote a rant on why this will continue and discussed the option of sticking some sort of scanning component within the source repository system itself.


My current stance on Web Application Firewalls (2008)
Application firewalls have been around for around a decade now, and people still have a hard time identifying which situations they are good for. In 2008 I wrote an entry on real world uses for WAF that are only in the last year starting to become more popular.


Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud (2008)
CSRF has been known within appsec circles for the last several years, however little research was performed on ways to monetize CSRF. In 2008 after doing some research I wrote an entry on using CSRF to cash in on affiliate networks. To this day many affiliate programs are still vulnerable to this problem.


The security industry needs to re-align its training expectations for QA (2009)
I have a problem with how *many* infosec folks handle training QA on security issues. Based on my own personal experiences I've wrote an entry on a more practical approach to making QA care about security issues.


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!