Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web-related vulns and attacks. When I first started this site I admit I didn't know what I was doing, and looked at this site as an excuse to learn more about and discuss web-based threats. A lot has happened since I first started this site; here are a few things to put it into perspective.
- The vulnerability used by Code Red/Nimda hadn't yet been discovered
- The Java Struts framework was only a few months old
- The securityfocus webappsec list hadn't been created/renamed yet
- www.incidents.org hadn't been renamed to isc.sans.org yet
- Cross site scripting was less than a year old
- The term XSS was less than 6 months old
- You could still find vulnerable PHF machines (so I've been told 🙂)
- Web Application Security was referred to as 'CGI Security', which is why I picked this domain name.
- I was getting between 1 and 10 unique visitors a day compared to the 2,000-4,000 now.
- Web based worms were theoretical
- C# hadn't yet been renamed from "Cool"
- RFP's Responsible Disclosure Policy was a few months old
- XSS was lame (oh wait….)
The following security sites didn't exist
- http://jeremiahgrossman.blogspot.com
- http://ha.ckers.org
- http://www.securitybloggersnetwork.com
- http://www.darkreading.com
- http://www.milw0rm.com
- http://www.webappsec.org/
- http://www.owasp.org
- http://www.schneier.com/ (Bruce Schneier's blog)
The following security terms hadn't been published/coined/discovered yet
- CSRF/XSRF/Cross-site Request Forgery/Session Riding/One Click Attacks
- XST
- HTTP Request Smuggling
- HTTP Request Splitting
- HTTP Response Splitting
- HTTP Response Smuggling
- Session Fixation
- DOM XSS
- LDAP Injection
- Click Jacking
- Proxy Jacking
- Remote File Inclusion
- MX Injection
- XPath Injection
- XQuery Injection
- XML Injection
- Cyber snarfing (ok I just made that one up)
- Integer Overflows (from a vuln perspective)
- Heap Spraying
- Double Free
- Null Pointer Dereference (from an exploitability perspective)
- Zero Allocation Vulnerabilities
- Return Oriented Programming
- Props to Sensepost for making gathering this list easier.
The following browser technologies/terms didn't exist
- httpOnly
- EV-SSL
- X-FRAME-OPTIONS
- Iframe security attribute
- NoScript
- HTTP Strict Transport Security
- WebKit
- Google Chrome
- Firefox
- Tab isolation in browsers such as Chrome
The following tools/products/frameworks/technologies did not exist
- ModSecurity
- Burp Proxy
- Nikto
- Paros
- PaX
- Metasploit
- ASLR
- grsecurity kernel patch
- Microsoft's .NET framework/ASP.NET
- Silverlight
- JavaFX
- Ruby on Rails
- Django
- Google Android
- Apple iPhone and iPod
- OWASP ESAPI
The following security processes/methodologies didn't exist
- Microsoft's Secure Development Lifecycle
- DREAD
- BSIMM
- STRIDE
The following security compliance standards didn't exist
The following security products/projects didn't exist