20 years of CGISecurity: What appsec looked like in the year 2000

Just realized that 20 years have passed since I started this site to learn more about web security threats.


What 'appsec' looked like in 2000

  • OWASP didn't exist yet, nor did WASC
  • Vulnerability disclosure was the wild west. Rain Forest Puppy (RFP) (that guy who discovered sqli) had just created the first attempt at vuln disclosure.
  • Nobody even had the concept of a bug bounty. Most of us were scared we'd go to jail (myself included) for reporting vulns.
  • There were no real web scanners (DAST) back then. The only one I was aware of was written by Bronc Buster.
  • Static analysis tools like Fortify didn't exist.
  • The term blog wasn't used. Hence, I first called this a 'news site' :)
  • Nobody really used the term appsec, or application security.
  • XSS only had 1-2 papers written about it. My XSS FAQ was #3 or #4. EVERY site was vulnerable on basically every page :)
  • The appsec community didn't really exist. In fact you'd get shit on if you weren't working on innovative memory corruption style issues back then. Things didn't warm up in this regard till probably 2004.
  • Social networking didn't exist. There was no security community on facebook/twitter/myspace/livejournal because they didn't yet exist. Livejournal was founded in 99 but nobody knew about it until a little later.
  • Most of the internet was on HTTP.
  • Google hacking back then was referred to as altavista hacking (which is how I learned about it) because nobody used google. Later others substituted what was in this paper on google and the rest is history.
  • People didn't name every vuln a buzzword.
  • Colleges at the time didn't really have degrees in infosec. I think Carnegie Mellon may have been the first?
  • A lot of the internet still ran perl, and a lot of old school perl attacks still worked.
  • A lot of famous hackers (which I shall not name here) belonged to questionable underground groups. Many of these people later created companies and products probably installed on your phone, or corporate environment.
  • A lot of the 'appsec heavy weights' didn't know jack shit, and we were all experimenting and publishing papers and tools to share and learn from each other.
  • Companies didn't hire appsec people. I remember an early interview at amazon around 2002 for an appsec role, and all they asked me was nmap flag questions and netsec focused stuff. Nobody really understood what appsec was back then.
  • Web application firewalls didn't exist as a concept.
  • IRC, particularly efnet and dalnet, was where us haxors hung out. That and email lists like bugtraq.
  • I was a total n00b which I won't deny. Security is a learning process and if you think you know it all then you're either new, or your ideas will turn stale.



- First bug bounty was in 1995 by Netscape, and another shortly after, but it certainly wasn't a well-known concept. But there was one commercial vulnerability database before 2000 as well, which most didn't know about.
- Wait.. Usenet wasn't a social network?!
- By 2000 there were still a considerable number of sites still on FTP or if they had a web page, it was a token static info page and didn't replace other services they offered. Hell, we still used 'finger' to get info from some servers well after 2000!

- Whoa, 1995? Got any details on this?
- Usenet a social network lol

Yep, here’s the archive.org of the Netscape “Bugs Bounty” page from October 10, 1995: https://web.archive.org/web/19970501041756/http://www101.netscape.com/newsref/pr/newsrelease48.html

I’ve interviewed a few of the folks involved in it - Crazy foresight wrt vulnerability economics and where things were headed (and yeh, no one really knew about it until Google and PayPal started making noise in the late 2000s).

I was one of the creators of Paypal's bug bounty and when I did the research I spoke with mozilla, google, and maybe facebook as the third? Nobody else I could speak with at the time.
