Articles in editorial

  1. Thinking Security - Given that all software contains bugs, and that we cannot certify software as safe with any measure of certainty, what is the information security community to do?
  2. Security Researchers in the Open Source Ecosystem - Although it may be a hassle for developers to deal with researchers it is critical to the success of open source projects.
  3. If a Vulnerability Falls in the Forest - If a vulnerability is discovered that is only exploitable via implementation, should the implementation or the base API be patched?
  4. How I (Ideally) Approach Work on a PHP Application - The first, and in my opinion, most important step in approaching a new PHP project is to identify the goals and business rules of a project. This means understanding the purpose of the application as well as the real world system that it will be mimickin
  5. Software Security and Testing - In fact, the field of security could learn quite a bit from software testing methods and philosophy.
  6. Drupal 5 to 6 Upgrade - Drupal supports two versions at any given time (a major and a minor).
  7. Where is the Documentation? - In the simplified software engineering process model there are 10 phases. These are: problem, requirements engineering, requirements specification, design, technical specification, implementation, coding, testing, system integration/deployment, and main
  8. dotProject for Calculating Metrics - dotProject is a wonderful open source project management suite written in PHP.
  9. The Extra Nine Times - In his book 'The Mythical Man Month' Fred Brooks asserts that it takes nine times more effort to produce a consumable software system than it does to produce a program for internal use.
  10. Customers Need to Know Process Models - Organizations take someone who is at the top of their technical game and suddenly switch them into a whole different role that they often times have to learn from scratch.
  11. User Insecurity and Open Source Projects - Who should be responsible for protecting users from themselves? Should the Drupal core code base prevent such situations from even being possible? It's arguable that they should.
  12. Drupal Content Access Module XSS Fun - Asking me about computer security and privacy is probably a lot like asking a law enforcement agent about home security - you're going to get an answer colored by experience.
  13. Is Drupal Ready for the Enterprise? - Although Drupal has many of the trappings of an enterprise level CMS such as dedicated development and security teams, commercial backing from companies like Acquia and others, it may not be fully ready for the enterprise.
  16. Full Disclosure Policy - It has occurred to me, through my latest spat with the Drupal security team, that I need to clearly define my beliefs in full disclosure so that there can be no misunderstanding as to my motivations.
  15. Envisioning Perspective - In order to properly assess the security posture of any organization it is essential to first make sure you can accurately gauge the landscape.
  16. Educause Security 2009 - It's interesting to see a security conference so heavily focused on privacy, but identity theft is the intersection of privacy and security.
  17. Disturbing Decision by US Courts Regarding Encryption - Sebastien Boucher was arrested at the Canadian/US border crossing for having child pornography...
  18. Drupal Security Team Ignores Multiple XSS Vulnerabilities - The Drupal security team's rather disappointing advice to rectify this situation was not to fix the vulnerabilities in the module code in question, but rather to limit the scope of users granted 'administer content types' privileges.
  19. Web Application Security - In the latest Silver Bullet podcast Gary McGraw makes mention of the fact that he feels that web application security is attracting too much attention these days
  20. Developing Security with Metrics - It is a professional hazard in security to become stuck in a reactive stance, always running to put out the latest fire.
  21. Pen Tests are Bullshit - Recently I've spotted an increasingly tractable argument against pen testing emerging in the computer security industry.
  22. Responsible Disclosure? - To insist that security professionals always follow responsible disclosure doesn't help anyone; it rewards bad vendor behavior and hurts other customers.
  23. The Economy and Information Security - The internet security blog Security Aegis has just published an article, distilled out of interviews with some industry professionals, concerning the state of information security and the economy.
  24. Copyright Infringement (a.k.a. Google Sucks) - Today I ran across a case of someone blatantly republishing my content without consent or approval.
  25. Full Disclosure - There has been a lot of debate over the years about full disclosure.
  26. Is Security Certification Worth it? - At some point in every security professional's career they look at certification and begin to weigh its value.
  27. Password Protection - Single factor authentication (passwords) is the most common authentication method in use for computer access.
  28. DNS Debacle - Most people are probably blissfully unaware, but security researcher Dan Kaminsky discovered a very serious flaw in DNS.
  29. MediaDefender DDOS of Revision3 - There's a very interesting write up of the recent denial of service attack against Revision3 on the company's blog.
  30. The New Threats in Computer Security - One of the trends that seemed to come up over and over again was the changing landscape of computer security. There seems to have been two major sea changes in information security over the last couple of years.
  31. Here's a Vexing Question - There have been many studies on why phishing attacks are such a problem.
  32. Links - Long, long ago, people used to publish links to their favorite websites on their own homepages.
  33. Social Engineering via Social Networking - By providing details to a networking site you could be making a social engineering attack much easier to pull off.
  34. On Multiple Single Factor Authentication - Two factor authentication is fast becoming an industry standard for high value applications. Unfortunately a lot of misunderstanding surrounds two factor authentication, and thus, the implementation is often less than ideal.
  35. On Multiple Single Factor Authentication - Two factor authentication is fast becoming an industry standard for high value applications.
  36. Asshole Hackers - In any case, these assholes are basically trying to break into my server by exploiting a vulnerability I'm responsible for fixing.
  37. Long Time... or Taxonomies in CMS'es - When developing content management systems it is important to provide an abstract enough framework to allow users to customize their presentation to their tastes.
  38. Irish Hot Teens - While it's still early for St. Patrick's Day I thought I'd point out an interesting tidbit I noticed from my server logs recently.
  39. Damn DST (*yawn*) - Ok, so it's the day for the new daylight savings time (DST to those in the know).
  40. Open Document Formats for All - Using the open document formats ensures that no matter what changes happen to your word processing program, your data will never get locked away in a proprietary format.
  41. Adios Windows - So I finally kicked Windows to the curb at home yesterday.
  42. GSM vs. CDMA - Two Competing Cell Phone Technologies - A short discussion about the two leading cell phone technologies used in the US - GSM and CDMA.
  43. Browsers the Killer App? - This post is in response to a blog post on ChrisKeane.net.
  44. Relational Filesystems - I’m working on an online document storage application. In a nutshell, documents can be uploaded into a database and classified for sharing with other users. It’s a fairly straightforward use of a web based database application, but it got me thinking.
  45. Skin Deep is Good Sometimes - Many Linux companies produce two versions of their distribution - the free version, and the commercial version.
  46. Oracle vs. Red Hat, Un-Believable? - Right now it looks like there’s a major war shaping up in the Linux community.
  47. Mandriva vs. Ubuntu - Installation tribulations between Ubuntu and Mandriva Linux.
  48. Editorial Response to Microsoft Proposed Non-Disclosure of Vulnerabilities - A brief editorial about the downfalls of ending vulnerability disclosure as outlined by Microsoft.
  49. Proliferation of the Internet -
  50. Linux Install Log (Humor) - A sort of blog describing my first experience with Linux trying to install SuSE.