So the next Melbourne OWASP meeting is just around the corner. Unfortunately it seems they are inclined to keep most meetings at times where I cannot attend. My own fault for not being a city rat I guess. I will try to make it onto the circuit this year. Perhaps I should do a presentation on ewts once I get some useful data in there.
Eldar Marcussen: January 2009 Archives
Since my previous biweekly project has come to a halt I have decided to shelve it for now. In its stead I have started a new sourceforge project to keep me busy. The new project is called "Evil Website Testing Suite" or ewts for short. It was initially envisioned as a coverage testing suite for web application vulnerabilities, but after picking apart some commercial crawlers I came to the conclusion that there aren't enough malformed and evil websites out there that will allow any web interfacing code to be thoroughly security tested. This is the gap that ewts aims to fill.
So it's well past New Year's Eve and I am finally posting a small update.
I have been reading all the other blogs and figured it was time I posted my own "predictions for 2009" style post where I warn against increased attacks of various kinds and offer my hopes for the future. Unfortunately I'm not optimistic... things usually get worse before they get better.
Even with the increased focus on security lately we have several fundamental holes that we haven't managed to sweep under the carpet in the past 20 or so years. Everything from buffer overflows to SQL injection, for which we have proven solutions, still exists in the wild with varying frequency. With the growing number of software products, websites, "intelligent devices" and other technological advances there will be an even greater attack surface available to the "bad guys".
I will stop myself short of writing a complete doom and gloom post here. There is light at the end of the tunnel, progress is being made and awareness is increasing. Personally I think the security industry as a whole needs to lift its game and stop selling snake oil to line its own pockets with gold. We need to adhere more to academia, be open about research, give credit where due and try to find solutions that prevent problems rather than cure them. The time of reactive thinking and response needs to come to an end. So if you achieve nothing else in 2009, please try to focus on proactive solutions.