Just wanted to leave you all a quick note that we haven't forgotten how to blog :-) we've been busy over our heads with migrating things to IBM (called Blue-Washing around here), developing new version of AppScan (as always, we have to stay ahead of the pack), and researching new and interesting security vulnerabilities. In the meantime, here's a quick list of anecdotes to keep you busy -
- OWASP AppSec Europe 2008 is right around the corner. I strongly recommend attending this conference, as it looks like the agenda is packed with great presentations. The conference will take place in Ghent, Belgium, which means that good beer won't be a problem. If you haven't registered yet, I suggest you do so, and prepare to work hard in locating a hotel in the vicinity. Every single hotel is booked solid, and you might need to make some compromises. In addition, I am currently planned to be on the panel at the end of the first day ("The PCI 6.6 dogfight - to Scan or to WAF, this is the question") - I wouldn't miss a chance to voice my opinions
- Adobe Flash/Flex security- we have been researching Flex and Flash security a lot lately as a part of our continuous effort to stay ahead of the technology. RIA security is the next big thing, and the green pastures of security vulnerabilities are awaiting. Rest assured that readers of this blog will be the first to read about our research, and some of it will also be presented at the OWASP AppSec conference in NYC later this year
- IBM Rational Software Development Conference (RSDC) 2008 is coming up (June 1-5, 2008). This year's conference will host a full track on Application Security & Compliance (click to view agenda), and will include some great presentations in our field. I am also going to be there, and will give a session on Web 2.0 security (AS09). In addition, William Shatner is one of the keynote speakers - are you seriously going to miss Captain Kirk talking about software development?
- "Static code analysis is inherently doomed to fail" - at least that's what the author of this blog thinks. Well, I beg to differ, and for every reason mentioned in the above post, there's a reasonable solution or a workaround. In addition, I can't help but say - that's what happens when your scanner GREPs for security vulnerabilities ;-) ouch, don't take it personally...
- Cisco announces their own stab at building a web application firewall (WAF). I guess PCI 6.6. is kicking in :-) oh AppShield, where art thou? seriously now, I'm hearing and reading about WAFs everyday and in every blog - that's simply awesome to see that this market is finally picking up
- Charles is my new best friend. I'm not sure if I've mentioned it before in this blog, but this HTTP Proxy simply kicks ass (and it supports AMF message tampering for those pesky Flash remoting apps). Next to firebug (and of course AppScan), this is probably one of the best tools to have in your arsenal. Check it out
- Off topic - I just finished reading a book called "The Volunteer: The Incredible True Story of an Israeli Spy on the Trail of International Terrorists", while I'm not sure how "true" this story is, I did enjoy the espionage parts of it. I strongly recommend it.
That's all for now, and don't forget -