There are a few things I'd like to write about, but each of them is a bit short on its own, so I have decided to cram them all into a single post that summarizes everything.
- IBM Acquires Watchfire - most of the people I know already read about this (I got plenty of personal emails about it), and I should probably dedicate a large post to this subject one day, but I really don't have anything to say about this at the moment, other than saying that I believe this is a smart move for both companies, and hopefully for the entire web application security market.
- Positive Security - I have just read an interesting article over at "The Register" which touches on what I wrote about in my post "Playing in the Sandbox" a couple of weeks ago. According to the article, anti-virus vendors are planning to replace the old (and notorious) blacklisting technique with whitelisting (aka the Positive Security Model): instead of trying to enumerate everything that is known to be bad, you describe what is known to be good and reject everything else. I can't stress enough how important this move is for the security industry. Actually, I would love to see more Positive Security based products in the Web Application Firewall market as well. I wanted to write a full post on this subject, but that will have to wait.
- Myth Busting - a few days ago, I read a cool blog post over at Dragos Lungu's, where Dragos did a short piece of research called "Top 10 Open Source Forums" ("Top 10" meaning "The Top 10 Most Secure..."). According to the original research, BBPress and Beehive both won, with 0 (that's a zero, people!) publicly known vulnerabilities in the past 12 months. Originally I was intrigued by the post, because I myself was looking for a secure web platform to install internally here at Watchfire, but then my evil alter-ego took over, and me being me, I just had to validate with my own two eyes (and AppScan as my sidekick) that there really are PHP forum applications out there that are secure. To make a short story even shorter, it took about 5 minutes to locate the first XSS vulnerability in BBPress, and another 15 minutes to locate 3 XSS vulnerabilities in Beehive (check out Dragos' cool post on the subject).
- AppScan eXtensions Challenge - for those of you who are not aware of this yet, AppScan 7.5 includes an extensions framework (AXF), which enables users to download and install all sorts of cool add-ons. In order to get people started with writing their own extensions, Watchfire recently announced an eXtension writing challenge. If you want to experiment with writing an eXtension, this is your chance, and as an incentive, we'll give away an XBOX 360 for the winning eXtension.
- This one is a bit old, but have you seen the interview with Rain Forest Puppy?
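To make the Positive Security item above concrete, here is an added example (mine, not code from the original post, from Watchfire, or from any WAF or anti-virus product) contrasting the two models on web form parameters. The denylist, the parameter profile, and the sample payloads are all constructed for illustration; the payloads are generic XSS probes and are not the bbPress or Beehive findings mentioned above.

```python
import re

# Constructed sample payloads, typical XSS probes. None of these are the
# bbPress/Beehive findings from the post; they exist only to exercise the two models.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</ScRiPt>",
    "<img src=x onerror=alert(1)>",
    '"><svg onload=alert(1)>',
]

# Negative model (blacklist): a list of patterns that are known to be bad.
# Deliberately short, the way real signature lists tend to be incomplete.
DENYLIST = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"javascript:")]


def denylist_allows(value: str) -> bool:
    """Blacklist check: accept the value unless some known-bad pattern matches."""
    return not any(p.search(value) for p in DENYLIST)


def denylist_misses() -> list:
    """Return the sample payloads the blacklist lets straight through."""
    return [p for p in PAYLOADS if denylist_allows(p)]


# Positive model (whitelist): a per-parameter profile of what legitimate input
# looks like for this hypothetical forum application. Anything outside the
# profile, including parameters the profile has never seen, is rejected.
PROFILE = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "topic_id": re.compile(r"[0-9]{1,9}"),
    "page": re.compile(r"[0-9]{1,4}"),
}


def positive_model_violations(params: dict) -> list:
    """Return the names of parameters that do not fit their profile.

    fullmatch() anchors the pattern to the whole value, so there is no way to
    smuggle extra characters in before or after a legitimate-looking token.
    """
    violations = []
    for name, value in params.items():
        pattern = PROFILE.get(name)
        if pattern is None or pattern.fullmatch(value) is None:
            violations.append(name)
    return violations


def positive_model_blocks_all_payloads() -> bool:
    """True if every sample payload, placed in any profiled parameter, is rejected."""
    return all(
        positive_model_violations({name: payload}) == [name]
        for name in PROFILE
        for payload in PAYLOADS
    )


if __name__ == "__main__":
    print("blacklist misses:", denylist_misses())
    print("whitelist blocks every payload:", positive_model_blocks_all_payloads())
    print("legit request:", positive_model_violations({"username": "ory_segal", "topic_id": "42"}))
    # The cost of the positive model: a profile that is too tight rejects real users.
    print("too-tight profile:", positive_model_violations({"username": "ory.segal"}))
```

The blacklist catches the two `<script>` variants and nothing else, while the profile rejects every payload in every parameter without knowing anything about XSS. The last line in the demo shows the caveat practitioners run into with positive-model WAFs: a profile that does not match real traffic (here, a dot in a username) produces false positives, so the profile has to be learned from, or written against, the application's actual inputs rather than guessed.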
That's it for now.
Ory, you are a true myth buster :)
Thanks for the nice vulnerabilities experiment.
Posted by: Dragos Lungu | June 10, 2007 at 05:59 PM