Sunday, January 31, 2010

Bad Web Application

So this week I spent time playing around with vulnerable web applications from OWASP and Foundstone. Now I will admit that I only played with these applications for a couple of hours, but it got me thinking about how to use these tools in my job. These tools are great for teaching how to perform web application penetration testing, but they seem to lack a way to fix the identified issues.

One responsibility I have is to work with my development team to write better code. Not being a developer by trade, and hoping to make it interesting for them, I want to take the bad web app idea a step further. I want the developers to write code to fix my bad application. OK, I am going to write code to fix it, but I want to teach them to write the code as well.

The first application is a bad online banking system based on Linux, Apache, MySQL and PHP. I hope to have it completed in the next two months or so. I hope the application will be filled with injection flaws, cross-site scripting issues, and broken authentication and session management issues. These are the top 3 from the OWASP Top 10 – 2010. Once I have the application “tested” I will post it online for others to use and learn from.
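As an added example (not code from the original post or from the planned banking app), here is the shape of the first two items on that list alongside their fixes: a PHP login lookup written with string concatenation beside the same lookup using a PDO prepared statement, and the output escaping that closes a reflected cross-site scripting hole. The table, the user record and the inputs are constructed for the demo, and it runs against an in-memory SQLite database instead of MySQL so it works stand-alone.

```php
<?php
// Added example, not from the original post. Constructed schema and data:
// an in-memory SQLite database standing in for the MySQL backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$stmt->execute([':u' => 'alice', ':h' => password_hash('s3cret', PASSWORD_DEFAULT)]);

// Vulnerable: the username is pasted straight into the SQL text, so the
// database cannot tell data from query structure.
function findUserInjectable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fixed: the username travels as a bound parameter and is only ever data.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed input: a tautology that matches no real account name.
$hostile = "' OR '1'='1";

$viaInjectable = findUserInjectable($db, $hostile);
$viaSafe       = findUserSafe($db, $hostile);

echo 'Injectable lookup returned: ' . ($viaInjectable ? $viaInjectable['username'] : 'no row') . PHP_EOL;
echo 'Parameterized lookup returned: ' . ($viaSafe ? $viaSafe['username'] : 'no row') . PHP_EOL;

// The password check belongs in code against the stored hash, never in the
// WHERE clause, so a crafted username cannot short-circuit it.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $row = findUserSafe($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

var_dump(checkLogin($db, 'alice', 's3cret'));
var_dump(checkLogin($db, $hostile, 'anything'));

// Cross-site scripting: anything reflected into HTML is escaped at the point of
// output, so a username containing markup is shown as text, not interpreted.
function greet(string $username): string
{
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '!';
}

echo greet('<b>alice</b>') . PHP_EOL;
```

Run it with `php example.php`. The injectable lookup hands back the first row for the tautology input while the parameterized one returns nothing, which is the whole point to make to developers: the fix is not filtering quotes, it is keeping user input out of the SQL text entirely.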

Saturday, January 23, 2010


Welcome to my new blog. I will discuss the many aspects of my life as a computer security professional.

This is my start to give back to the security community. My goal is to blog once a week about my thoughts, what I am working on, what I want to work on, tools, training, books, and techniques as a "security lifer"!