Blog Index
All posts have been edited and updated from their original versions. I like to revisit them over time to update their style for readability and to fix any dead links.
If you're interested in episodes from the Application Security Weekly podcast, check out the show index.
- ASW Recap for March 2025 Apr 4, 2025 • Recap of the Application Security Weekly podcast episodes from March 2025
- Go to the os.Root of a Problem Mar 18, 2025 • Celebrating path traversal and a new Go API
- From AI to XZ Utils: Spelling a New Future for AppSec Mar 17, 2025 • Emphasizing the eradication of vuln classes via secure design
- Crafting CFPs, Delivering Presentations – An ASW Topic Recap Mar 10, 2025 • Recap of the Application Security Weekly podcast episodes on CFPs and presentations
- The ASW February 2025 Recap Mar 7, 2025 • Recap of the Application Security Weekly podcast episodes from February 2025
- The ASW January 2025 Recap Feb 7, 2025 • Recap of the Application Security Weekly podcast episodes from January 2025
- So Much Phishing Feb 3, 2025 • Satirizing a misguided focus on phishing labels
- Ideas for a Localized Lighting Model Jan 27, 2025 • Wishful thoughts as a commentary on LLMs
- The ASW December 2024 Recap Jan 5, 2025 • Recap of the Application Security Weekly podcast episodes from December 2024
- The ASW November 2024 Recap Dec 6, 2024 • Recap of the Application Security Weekly podcast episodes from November 2024
- AI & LLMs – An ASW Topic Recap Nov 14, 2024 • Recap of the Application Security Weekly podcast episodes on AI & LLMs
- The ASW October 2024 Recap Nov 1, 2024 • Recap of the Application Security Weekly podcast episodes from October 2024
- The ASW September 2024 Recap Oct 4, 2024 • Recap of the Application Security Weekly podcast episodes from September 2024
- The ASW August 2024 Recap Sep 6, 2024 • Recap of the Application Security Weekly podcast episodes from August 2024
- The ASW July 2024 Recap Aug 2, 2024 • Recap of the Application Security Weekly podcast episodes from July 2024
- The ASW June 2024 Recap Jul 5, 2024 • Recap of the Application Security Weekly podcast episodes from June 2024
- The ASW May 2024 Recap Jun 7, 2024 • Recap of the Application Security Weekly podcast episodes from May 2024
- The ASW April 2024 Recap May 3, 2024 • Recap of the Application Security Weekly podcast episodes from April 2024
- The ASW March 2024 Recap Apr 5, 2024 • Recap of the Application Security Weekly podcast episodes from March 2024
- The ASW February 2024 Recap Mar 1, 2024 • Recap of the Application Security Weekly podcast episodes from February 2024
- The ASW January 2024 Recap Feb 2, 2024 • Recap of the Application Security Weekly podcast episodes from January 2024
- The ASW December 2023 Recap Jan 5, 2024 • Recap of the Application Security Weekly podcast episodes from December 2023
- The ASW November 2023 Recap Dec 1, 2023 • Recap of the Application Security Weekly podcast episodes from November 2023
- The ASW October 2023 Recap Nov 3, 2023 • Recap of the Application Security Weekly podcast episodes from October 2023
- Whether to Chase a Cycle of Dependency Vulns or Versions Oct 20, 2023 • Trade-offs in dealing with every known vuln or just doing regular version maintenance
- The ASW September 2023 Recap Oct 4, 2023 • Recap of the Application Security Weekly podcast episodes from September 2023
- The ASW August 2023 Recap Sep 1, 2023 • Recap of the Application Security Weekly podcast episodes from August 2023
- Moving on from the OWASP Top 10 Mar 30, 2023 • Why the OWASP Top 10 list no longer drives effective appsec
- Celebrating Curl's 25th Anniversary Mar 20, 2023 • 25 years of curl -- one of the most impactful open source projects
- How I Conduct Podcast Prep Calls Feb 3, 2023 • Notes for conducting prep calls for the podcast
- Some Appsec Haikus Dec 15, 2022 • Appsec and DevOps concepts expressed as haikus
- DevSecCon London 2018 Presentation Oct 19, 2018 • Building Effective DevSecOps Teams Through Role-Playing Games
- (ISC)2 Security Congress 2018 Presentation Oct 13, 2018 • DevOps Is Automation, DevSecOps Is People
- Finding an Audience to Fix Flaws Oct 4, 2018 • Collaborating with developers to prioritize fixing flaws
- Preparing for the Next Data Breach Jun 6, 2018 • Proactive steps for effective breach postmortems
- OURSA, Their Presentations, and Your Follow-up Apr 20, 2018 • Noting the 2018 OURSA pop-up conference
- OWASP AppSec Cali 2018 Presentation Jan 30, 2018 • OWASP Cali 2018 'DevOps Is Automation, DevSecOps Is People'
- The Fourth Year of the Fourth Edition Jan 14, 2018 • Celebrating the 4th edition of Anti-Hacker Tool Kit
- Crucial Timing for Critical Vulns Jan 12, 2018 • Prioritizing patching based on risk, not severity
- Resolutions for a New Year of Vulns Dec 26, 2017 • Deciding on strategies to address risk from vulns
- Secure Design Practices for Verifying Vuln Fixes Dec 12, 2017 • Addressing the underlying causes of vulns
- Avoid BugOps, Do DevOps Oct 26, 2017 • Adopting better long-term strategies to reducing flaws
- DevSecCon London 2017 Oct 20, 2017 • Bug bounty programs, pentesting, and metrics
- Bikeshredding & Threat Models Oct 1, 2017 • Avoiding analysis paralysis in threat modeling exercises
- ISC2 Security Congress, 4416 - GBU Slides Sep 29, 2017 • Metrics on pentesting
- A Week of Security Should Last All Year Jul 24, 2017 • Cybersecurity tips to always follow for protecting your devices
- RVAsec 2017: Managing Crowdsourced Security Testing Jun 8, 2017 • Metrics on pentesting
- OWASP AppSec EU 2017 Presentation May 12, 2017 • Metrics around pentesting
- Crowdsourced Security -- The Good, the Bad, and the Ugly May 1, 2017 • Bug bounty presentation
- Start at Zero with the OWASP Top 10 Apr 24, 2017 • Evaluating the risk associated with your apps
- Measuring Endemic Risk in AppSec Apr 10, 2017 • Visualizing the volume and risk of vulns
- PCI's Lessons for Passwords Mar 30, 2017 • What PCI teaches us about handling sensitive data
- Builder, Breaker, Blather, Why Mar 20, 2017 • Software engineering that leads to effective security
- Out of the AppSec Abyss Mar 7, 2017 • Finding ways to make security a natural part of the SDLC
- Relegating Vulns from Renewable to Rare Nov 15, 2016 • Reducing the mistakes that lead to software flaws
- An Event Mutates Nov 11, 2016 • Metrics on code security
- A Mutation Event Oct 25, 2016 • Bug bounty presentation
- Why You Should Always Use HTTPS May 31, 2016 • A non-technical overview of why HTTPS is so important for the web
- I'll ne'er look you i' the plaintext again May 3, 2016 • Let's encrypt and the security benefits from DevOps
- You've Violated APE Law! Mar 18, 2016 • Secure code and the planet of the apes
- Laws of Magic, Technology, and Appsec Feb 12, 2016 • Appsec versions of the quote about technology being indistinguishable from magic
- Battling the Geologic Timescale of SAST Oct 19, 2015 • Metrics on code security
- Bad Code Entitles Good Exploits Sep 9, 2014 • XSS example
- RSA APJ 2014, CDS-W07 Slides Jul 30, 2014 • Building and Breaking Privacy Barriers
- A Monstrous Confluence May 10, 2014 • Heartbleed detection tool and demonstration in C++
- RSA USA 2014, DSP-R04A Slides Feb 28, 2014 • CSRF and appsec
- Audit Accounts, Partition Passwords, Stay Secure Jan 6, 2014 • Cybersecurity tips to keep your accounts and systems safe
- Soylent Grün ist Menschenfleisch Dec 27, 2013 • The web -- it's made of people!
- Selector the Almighty, Subjugator of Elements Dec 3, 2013 • XSS payloads to take advantage of the presence of jQuery
- A Default Base of XSS Oct 21, 2013 • An XSS vector via quirks of PHP integers
- On a Path to HTML Injection Sep 25, 2013 • HTML injection through URL paths
- Hacker Halted US 2013 Presentation Sep 20, 2013 • HTML5 security
- DRY Fiend (Conjuration/Summoning) Aug 27, 2013 • Code reuse for XSS attacks
- Oh, the Secrets You'll Know Aug 20, 2013 • Finding secrets in GitHub repos
- ...And They Have a Plan Aug 8, 2013 • Ideas on CSRF countermeasures
- BlackHat US 2013: Dissecting CSRF... Aug 5, 2013 • Dissecting CSRF Attacks & Countermeasures
- The Resurrected Skull Jul 1, 2013 • Finished writing The Anti-Hacker Tool Kit
- Two Hearts That Beat As One Jun 24, 2013 • Crafting an XSS payload across two input parameters
- A True XSS That Needs To Be False Jun 18, 2013 • XSS that takes advantage of JavaScript syntax quirks
- A Hidden Benefit of HTML5 Jun 14, 2013 • Finding XSS in hidden input fields
- JavaScript: A Syntax Oddity Jun 5, 2013 • Crafting XSS payloads with valid, but strange, JavaScript syntax
- RVAsec 2013: JavaScript Security & HTML5 May 31, 2013 • HTML5 security
- The Wrong Location for a Locale Mar 28, 2013 • XSS through localization
- Insistently Marketing Persistent XSS Mar 21, 2013 • Example of persistent XSS
- Plugins Stand Out Mar 14, 2013 • Insecure browser plugins
- RSA US 2013, ASEC-F41 Slides Mar 8, 2013 • WebSockets security
- Condign Punishment Mar 5, 2013 • Historically harsh punishment for security lapses
- B-Sides SF 2013: JavaScript Security & HTML5 Feb 26, 2013 • HTML5 security
- Implicit HTML, Explicit Injection Feb 5, 2013 • XSS payloads that take advantage of entity encoding
- Know Your JavaScript (Injections) Jan 23, 2013 • Cross-site scripting example inside a JavaScript variable
- User Agent. Secret Agent. Double Agent. Jan 21, 2013 • Explanation of CSRF flaws
- A Lesser XSS Attack Greater Than Your Regex Security Jan 14, 2013 • Bypass a regex that tried to block XSS
- TOCTOU Twins Dec 26, 2012 • Time of check, time of use vulns in web apps
- BayThreat 2012 WebSocket Presentation Dec 8, 2012 • WebSocket security
- HIQR for the SPQR Dec 5, 2012 • HTML injection quick reference for creating XSS payloads
- RSA Europe 2012, ASEC-303 Slides Oct 11, 2012 • HTML5 security
- Escape from Normality Oct 2, 2012 • Normalizing data before validating it
- My Zombie Incursion into Amazon.com Sep 21, 2012 • Cross-site scripting (XSS) on amazon.com via a book's PDF preview
- Password Interlude in D Minor Aug 27, 2012 • Password security
- LinkedIn, HashedOut Jun 7, 2012 • Random passwords from the 2012 LinkedIn breach
- Design vs. Implementation Jun 5, 2012 • Flaws that stem from design and implementation mistakes
- HTML5 Unbound, part 4 of 4 May 31, 2012 • HTML5 security
- HTML5 Unbound, part 3 of 4 May 28, 2012 • HTML5 security
- HTML5 Unbound, part 2 of 4 May 25, 2012 • HTML5 security
- HTML5 Unbound, part 1 of 4 May 23, 2012 • HTML5 security
- OWASP/ISSA Bletchley Park 2012, Graveyards & Zombies May 22, 2012 • Presentation on security and privacy expectations with HTML5
- Security Summit 2012, HTML5 Unbound May 21, 2012 • Appsec and HTML5
- O[Utf-8]12 Mar 6, 2012 • Unicode, UTF-8, and character encoding implications for appsec
- Parsing .NET ViewState Jan 27, 2012 • Parsing .NET ViewState
- The Twelve Web Security Truths Nov 16, 2011 • An appsec list inspired by RFC 1925
- RSA Europe 2011 Oct 12, 2011 • Presentation on HTML5 for RSA Europe 2011
- Will the Real APT Please Stand Up? Jun 16, 2011 • Advanced vs. sophisticated appsec threats
- Klingon, Quenya, or Sindarin? Jun 1, 2011 • A brief note on confusion and diffusion
- A Spirited Peek into ViewState, Part II May 25, 2011 • Technical aspects of implementing a parser for ViewState objects
- A Spirited Peek into ViewState, Part I May 13, 2011 • A technical look at reverse engineering ViewState
- CSRF and Beyond Apr 26, 2011 • Explaining cross-site request forgery (CSRF) vulns
- Advanced Persistent Ignorance Apr 14, 2011 • The advanced persistent ignorance that leads to SQL injection flaws
- Carborundum Saw Dec 11, 2010 • Cybercrime imagined in 1986 by Stanisław Lem
- Electric Skillet Dec 11, 2010 • Appsec ideas from sci-fi books
- Regex-based security filters drift without anchors Jun 15, 2010 • Avoiding subtle flaws in regex-based security filters
- Cross-Site Tracing (XST): The Misunderstood Vulnerability May 18, 2010 • Cross-site tracing (XST) takes advantage of how a web server reflects a client's HTTP message in a response to a TRACE request
- At about this time... May 8, 2010 • The day of the triffids
- Is a vuln without a useful exploit still a vuln? May 7, 2010 • Finding an XSS vuln vs. finding an exploit, and how such vulns should be prioritized
- Of the 2010 OWASP Top 10, Only 3 Not Common, Only 1 Hard To Detect Apr 22, 2010 • Observations on the 2010 OWASP Top 10
- RSA Presentation Mar 10, 2010 • Considering how appsec might change with new features
- Primordial cross-site scripting (XSS) exploits Feb 19, 2010 • One of the earliest examples of XSS
- An Alien Concept of Password Security Feb 17, 2010 • Password security lessons from the movie Aliens
- Earliest(-ish) hack against web-based email Jan 4, 2010 • One of the earliest examples of XSS against web-based email
- So...so you think you can tell Jul 30, 2008 • Finding flaws in web apps