Wednesday, June 21, 2006

Keeping up on web application security

I'm routinely asked how to keep up with what's going on in web application security. It's true there is a lot going on all the time, but the interesting stuff doesn't necessarily originate from the same place, so I have to dig for my news from a variety of sources.

There are several good websites and blogs with excellent content and RSS feeds. The Web Security Mailing List is an absolute must for keeping up with the latest community chatter. I go to a lot of conferences and meetings where I speak with people about what they're doing day to day in webappsec: what solutions are working and what's not. Then I also read the latest security books on the subject, a couple of which I wrote the foreword to. I also routinely speak with several of the top webappsec experts about what they are working on and exchange tips. I use Google Blog Search and Ice Rocket to search for very specific terms. The results are available in XML format, which allows me to parse through lots of data very quickly. I'll perform searches for several companies in the space, a handful of experts I follow, and myself. :)
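As an added illustration of the "search results as XML" workflow above (this is example code written for this page, not the author's own scripts), here is a small filter that takes an RSS 2.0 result feed, pulls out the items, and keeps only those mentioning a watch list of webappsec terms, deduplicating repeats by link. The feed below is a constructed sample with hypothetical items and example.com links; a real run would fetch the Google Blog Search or Ice Rocket feed over HTTP first, which is left out so the script runs offline.

```python
"""Filter an RSS search-result feed for webappsec terms.

Added example, not code from the original post. The feed is a constructed
sample in RSS 2.0 shape; real result feeds would be fetched over HTTP.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (hypothetical items, not real search results).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>blog search: webappsec</title>
    <item>
      <title>Notes on cross-site scripting in webmail</title>
      <link>http://example.com/posts/1</link>
      <description>A walkthrough of an XSS worm.</description>
    </item>
    <item>
      <title>Conference schedule posted</title>
      <link>http://example.com/posts/2</link>
      <description>Talks on SQL injection and CSRF.</description>
    </item>
    <item>
      <title>Unrelated post about gardening</title>
      <link>http://example.com/posts/3</link>
      <description>Tomatoes.</description>
    </item>
    <item>
      <title>Notes on cross-site scripting in webmail</title>
      <link>http://example.com/posts/1</link>
      <description>Duplicate entry from a second query.</description>
    </item>
  </channel>
</rss>
"""

# Assumed watch list; adjust to the companies, experts and topics you follow.
WATCH_TERMS = ["xss", "cross-site scripting", "sql injection", "csrf"]


def parse_items(feed_xml):
    """Return (title, link, description) tuples from an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        desc = (item.findtext("description") or "").strip()
        items.append((title, link, desc))
    return items


def compile_terms(terms):
    """Build one case-insensitive, whole-word pattern for all watch terms.

    re.escape keeps "cross-site" and "sql injection" literal.
    """
    alternatives = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(" + alternatives + r")\b", re.IGNORECASE)


def filter_feed(feed_xml, terms=WATCH_TERMS):
    """Return matching items, deduplicated by link, with the terms that hit."""
    pattern = compile_terms(terms)
    seen_links = set()
    hits = []
    for title, link, desc in parse_items(feed_xml):
        if link in seen_links:
            continue  # same post surfaced twice (e.g. by two queries)
        seen_links.add(link)
        matched = sorted({m.lower() for m in pattern.findall(title + " " + desc)})
        if matched:
            hits.append({"title": title, "link": link, "terms": matched})
    return hits


if __name__ == "__main__":
    for hit in filter_feed(SAMPLE_FEED):
        print(hit["link"], hit["terms"], hit["title"])
```

One caveat worth keeping in mind: a search feed is untrusted input. `xml.etree` is adequate for well-behaved feeds, but if you are parsing XML from sources you don't control, a hardened parser such as `defusedxml` (which rejects entity expansion and DTD tricks) is the safer choice.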

A couple of interesting web application hacks

PayPal Security Flaw allows Identity Theft

JavaScript worm targets Yahoo!

We've known about the possible risks for years and it looks like Cross-Site Scripting (XSS) is now being used by the bad guys.

Why I hate XML

Big Picture of XML Specification