
20 years of CGISecurity: What appsec looked like in the year 2000

Just realized that 20 years have passed since I started this site to learn more about web security threats.


What 'appsec' looked like in 2000

  • OWASP didn't exist yet, nor did WASC
  • Vulnerability disclosure was the wild west. It would be another year until Rain Forest Puppy (RFP) (that guy who discovered SQLi) created the first attempt at vuln disclosure.
  • Nobody even had the concept of a bug bounty. Most of us were scared we'd go to jail (myself included) for reporting vulns.
  • There were no real web scanners (DAST) back then. The only one I was aware of was written by Bronc Buster.
  • Static analysis tools like Fortify didn't exist.
  • The term blog wasn't used. Hence, I first called this a 'news site' :)
  • Nobody really used the term appsec, or application security.
  • XSS only had 1-2 papers written about it. My XSS FAQ was #3 or #4. EVERY site was vulnerable on basically every page :)
  • The appsec community didn't really exist. In fact you'd get shit on if you weren't working on innovative memory corruption style issues back then. Things didn't warm up in this regard till probably 2004.
  • Social networking didn't exist. There was no security community on Facebook/Twitter/MySpace/LiveJournal because they didn't yet exist. LiveJournal was founded in '99 but nobody knew about it until a little later.
  • Most of the internet was on HTTP.
  • Google hacking back then was referred to as AltaVista hacking (which is how I learned about it) because nobody used Google. Later others substituted what was in this paper on Google and the rest is history.
  • People didn't name every vuln a buzzword.
  • Colleges at the time didn't really have degrees in infosec. I think Carnegie Mellon may have been the first?
  • A lot of the internet still ran perl, and a lot of old school perl attacks still worked.
  • A lot of famous hackers (which I shall not name here) belonged to questionable underground groups. Many of these people later created companies and products probably installed on your phone, or corporate environment.
  • A lot of the 'appsec heavy weights' didn't know jack shit, and we were all experimenting and publishing papers and tools to share and learn from each other.
  • Companies didn't hire appsec people. I remember an early interview at Amazon around 2002 for an appsec role, and all they asked me was nmap flag questions and netsec focused stuff. Nobody really understood what appsec was back then.
  • Web application firewalls didn't exist as a concept.
  • IRC, particularly EFnet and DALnet, was where us haxors hung out. That and email lists like Bugtraq.
  • I was a total n00b which I won't deny. Security is a learning process and if you think you know it all then you're either new, or your ideas will turn stale.
