Blog Index
All posts have been edited and updated from their original versions. I like to revisit them over time to update their style for readability and to fix any dead links.
If you’re interested in episodes from the Application Security Weekly podcast, check out the episode list.
- Apr 4, 2025 • Recap of the Application Security Weekly podcast episodes from March 2025
- Mar 18, 2025 • Celebrating path traversal and a new Go API
- Mar 17, 2025 • Emphasizing the eradication of vuln classes via secure design
- Mar 10, 2025 • Recap of the Application Security Weekly podcast episodes on CFPs and presentations
- Mar 7, 2025 • Recap of the Application Security Weekly podcast episodes from February 2025
- Feb 7, 2025 • Recap of the Application Security Weekly podcast episodes from January 2025
- Feb 3, 2025 • Satirizing a misguided focus on phishing labels
- Jan 27, 2025 • Wishful thoughts as a commentary on LLMs
- Jan 5, 2025 • Recap of the Application Security Weekly podcast episodes from December 2024
- Dec 6, 2024 • Recap of the Application Security Weekly podcast episodes from November 2024
- Nov 14, 2024 • Recap of the Application Security Weekly podcast episodes on AI & LLMs
- Nov 1, 2024 • Recap of the Application Security Weekly podcast episodes from October 2024
- Oct 4, 2024 • Recap of the Application Security Weekly podcast episodes from September 2024
- Sep 6, 2024 • Recap of the Application Security Weekly podcast episodes from August 2024
- Aug 2, 2024 • Recap of the Application Security Weekly podcast episodes from July 2024
- Jul 5, 2024 • Recap of the Application Security Weekly podcast episodes from June 2024
- Jun 7, 2024 • Recap of the Application Security Weekly podcast episodes from May 2024
- May 3, 2024 • Recap of the Application Security Weekly podcast episodes from April 2024
- Apr 5, 2024 • Recap of the Application Security Weekly podcast episodes from March 2024
- Mar 1, 2024 • Recap of the Application Security Weekly podcast episodes from February 2024
- Feb 2, 2024 • Recap of the Application Security Weekly podcast episodes from January 2024
- Jan 5, 2024 • Recap of the Application Security Weekly podcast episodes from December 2023
- Dec 1, 2023 • Recap of the Application Security Weekly podcast episodes from November 2023
- Nov 3, 2023 • Recap of the Application Security Weekly podcast episodes from October 2023
- Oct 20, 2023 • Trade-offs in dealing with every known vuln or just doing regular version maintenance
- Oct 4, 2023 • Recap of the Application Security Weekly podcast episodes from September 2023
- Sep 1, 2023 • Recap of the Application Security Weekly podcast episodes from August 2023
- Mar 30, 2023 • Why the OWASP Top 10 list no longer drives effective appsec
- Mar 20, 2023 • 25 years of curl -- one of the most impactful open source projects
- Feb 3, 2023 • Notes for conducting prep calls for the podcast
- Dec 15, 2022 • Appsec and DevOps concepts expressed as haikus
- Oct 19, 2018 • Building Effective DevSecOps Teams Through Role-Playing Games
- Oct 13, 2018 • DevOps Is Automation, DevSecOps Is People
- Oct 4, 2018 • Collaborating with developers to prioritize fixing flaws
- Jun 6, 2018 • Proactive steps for effective breach postmortems
- Apr 20, 2018 • Noting the 2018 OURSA pop-up conference
- Jan 30, 2018 • OWASP Cali 2018 'DevOps Is Automation, DevSecOps Is People'
- Jan 14, 2018 • Celebrating the 4th edition of Anti-Hacker Tool Kit
- Jan 12, 2018 • Prioritizing patching based on risk, not severity
- Dec 26, 2017 • Deciding on strategies to address risk from vulns
- Dec 12, 2017 • Addressing the underlying causes of vulns
- Oct 26, 2017 • Adopting better long-term strategies to reducing flaws
- Oct 20, 2017 • Bug bounty programs, pentesting, and metrics
- Oct 1, 2017 • Avoiding analysis paralysis in threat modeling exercises
- Sep 29, 2017 • Metrics on pentesting
- Jul 24, 2017 • Cybersecurity tips to always follow for protecting your devices
- Jun 8, 2017 • Metrics on pentesting
- May 12, 2017 • Metrics around pentesting
- May 1, 2017 • Bug bounty presentation
- Apr 24, 2017 • Evaluating the risk associated with your apps
- Apr 10, 2017 • Visualizing the volume and risk of vulns
- Mar 30, 2017 • What PCI teaches us about handling sensitive data
- Mar 20, 2017 • Software engineering that leads to effective security
- Mar 7, 2017 • Finding ways to make security a natural part of the SDLC
- Nov 15, 2016 • Reducing the mistakes that lead to software flaws
- Nov 11, 2016 • Metrics on code security
- Oct 25, 2016 • Bug bounty presentation
- May 31, 2016 • A non-technical overview of why HTTPS is so important for the web
- May 3, 2016 • Let's encrypt and the security benefits from DevOps
- Mar 18, 2016 • Secure code and the planet of the apes
- Feb 12, 2016 • Appsec versions of the quote about technology being indistinguishable from magic
- Oct 19, 2015 • Metrics on code security
- Sep 9, 2014 • XSS example
- Jul 30, 2014 • Building and Breaking Privacy Barriers
- May 10, 2014 • Heartbleed detection tool and demonstration in C++
- Feb 28, 2014 • CSRF and appsec
- Jan 6, 2014 • Cybersecurity tips to keep your accounts and systems safe
- Dec 27, 2013 • The web -- it's made of people!
- Dec 3, 2013 • XSS payloads to take advantage of the presence of jQuery
- Oct 21, 2013 • An XSS vector via quirks of PHP integers
- Sep 25, 2013 • HTML injection through URL paths
- Sep 20, 2013 • HTML5 security
- Aug 27, 2013 • Code reuse for XSS attacks
- Aug 20, 2013 • Finding secrets in GitHub repos
- Aug 8, 2013 • Ideas on CSRF countermeasures
- Aug 5, 2013 • Dissecting CSRF Attacks & Countermeasures
- Jul 1, 2013 • Finished writing The Anti-Hacker Tool Kit
- Jun 24, 2013 • Crafting an XSS payload across two input parameters
- Jun 18, 2013 • XSS that takes advantage of JavaScript syntax quirks
- Jun 14, 2013 • Finding XSS in hidden input fields
- Jun 5, 2013 • Crafting XSS payloads with valid, but strange, JavaScript syntax
- May 31, 2013 • HTML5 security
- Mar 28, 2013 • XSS through localization
- Mar 21, 2013 • Example of persistent XSS
- Mar 14, 2013 • Insecure browser plugins
- Mar 8, 2013 • WebSockets security
- Mar 5, 2013 • Historically harsh punishment for security lapses
- Feb 26, 2013 • HTML5 security
- Feb 5, 2013 • XSS payloads that take advantage of entity encoding
- Jan 23, 2013 • Cross-site scripting example inside a JavaScript variable
- Jan 21, 2013 • Explanation of CSRF flaws
- Jan 14, 2013 • Bypass a regex that tried to block XSS
- Dec 26, 2012 • Time of check, time of use vulns in web apps
- Dec 8, 2012 • WebSocket security
- Dec 5, 2012 • HTML injection quick reference for creating XSS payloads
- Oct 11, 2012 • HTML5 security
- Oct 2, 2012 • Normalizing data before validating it
- Sep 21, 2012 • Cross-site scripting (XSS) on amazon.com via a book's PDF preview
- Aug 27, 2012 • Password security
- Jun 7, 2012 • Random passwords from the 2012 LinkedIn breach
- Jun 5, 2012 • Flaws that stem from design and implementation mistakes
- May 31, 2012 • HTML5 security
- May 28, 2012 • HTML5 security
- May 25, 2012 • HTML5 security
- May 23, 2012 • HTML5 security
- May 22, 2012 • Presentation on security and privacy expectations with HTML5
- May 21, 2012 • Appsec and HTML5
- Mar 6, 2012 • Unicode, UTF-8, and character encoding implications for appsec
- Jan 27, 2012 • Parsing .NET ViewState
- Nov 16, 2011 • An appsec list inspired by RFC 1925
- Oct 12, 2011 • Presentation on HTML5 for RSA Europe 2011
- Jun 16, 2011 • Advanced vs. sophisticated appsec threats
- Jun 1, 2011 • A brief note on confusion and diffusion
- May 25, 2011 • Technical aspects of implementing a parser for ViewState objects
- May 13, 2011 • A technical look at reverse engineering ViewState
- Apr 26, 2011 • Explaining cross-site request forgery (CSRF) vulns
- Apr 14, 2011 • The advanced persistent ignorance that leads to SQL injection flaws
- Dec 11, 2010 • Appsec ideas from sci-fi books
- Dec 11, 2010 • Cybercrime imagined in 1986 by Stanisław Lem
- Jun 15, 2010 • Avoiding subtle flaws in regex-based security filters
- May 18, 2010 • Cross-site tracing (XST) takes advantage of how a web server reflects a client's HTTP message in a response to a TRACE request
- May 8, 2010 • The day of the triffids
- May 7, 2010 • Finding an XSS vuln vs. finding an exploit, and how such vulns should be prioritized
- Apr 22, 2010 • Observations on the 2010 OWASP Top 10
- Mar 10, 2010 • Considering how appsec might change with new features
- Feb 19, 2010 • One of the earliest examples of XSS
- Feb 17, 2010 • Password security lessons from the movie Aliens
- Jan 4, 2010 • One of the earliest examples of XSS against web-based email
- Jul 30, 2008 • Finding flaws in web apps