Top Five Web Application Security Blogs

Posted by Brett Hardin on 1st June 2009

Reading time: 2 minutes

Today, I thought I would post great resources for information. If you want to be good at security, it means you need to be well read.

Here are the top five web application security blogs in no particular order.

  • Jeremiah Grossman – Probably the most-read web application security blogger. Jeremiah reads all of the material so you don’t have to.
  • Rsnake / Robert Hansen – The other most-read web application security blogger. Interesting note: he graduated from my alma mater.
  • Holistic InfoSec – Russ McRee’s blog. Russ puts people on the stove. His posts are controversial and exciting. According to ISS, Russ was one of the Top Vulnerability Discoverers in 2008. Keep an eye on him; it is interesting to see what he will do next.
  • Billy Rios – Also known as the XS-Sniper! Billy is behind some of the most innovative research as of late. He is the man behind Gifars and URI overflows. He is also known to smuggle olives on occasion.
  • Nitesh Dhanjani – Although he covers a wide range of topics outside of web application security, Nitesh continually blogs about topics that are thought-provoking.

Rsnake's Bullet Metric: A Response

Posted by Brett Hardin on 6th May 2009

Reading time: 1 – 2 minutes

A thought experiment asking the following: “If you put Anti-virus on every desktop in the world, would you stop viruses from existing?”

It seems that a critical assumption made in the post is faulty. Early in the post, Rsnake answers the above question by stating, “I think any reasonable person who understands how viruses work would say no. It will, however, make the bad guys work harder and iterate faster to get by the filters (boutique malware).”

But would virus developers continue to develop? At some point, all attackers, like computer scientists in general, are lazy. Attackers want to follow the path of least resistance. If every desktop in the world had Anti-virus installed, would the attackers actually want to “work harder and iterate faster”?

Linkage: Silver Bullet Metric (ha.ckers.org web application security lab)