Blog Index
All posts have been edited and updated from their original versions. I like to revisit them over time to update their style for readability and fix dead links.
If you're interested in the Application Security Weekly podcast, check out the episode index.
- EmDash Emphasizes Secure Design Apr 9, 2026 • Avoiding security flaws of the WordPress plugin architecture
- Towards Identifying the Economics and Efficiency of Fuzzers vs. Agents Apr 6, 2026 • Determining the trade-offs in cost, UX, and efficiency between fuzzers and agents for vuln analysis
- ASW Recap for March 2026 Apr 3, 2026 • Recap of Application Security Weekly episodes from March 2026
- ASW Recap for February 2026 Mar 6, 2026 • Recap of Application Security Weekly episodes from February 2026
- ASW Recap for January 2026 Feb 6, 2026 • Recap of Application Security Weekly episodes from January 2026
- ASW Recap for March 2025 Apr 4, 2025 • Recap of the Application Security Weekly podcast episodes from March 2025
- Go to the os.Root of a Problem Mar 18, 2025 • Celebrating path traversal and a new Go API
- From AI to XZ Utils: Spelling a New Future for AppSec Mar 17, 2025 • Emphasizing the eradication of vuln classes via secure design
- Crafting CFPs, Delivering Presentations – An ASW Topic Recap Mar 10, 2025 • Recap of the Application Security Weekly podcast episodes on CFPs and presentations
- The ASW February 2025 Recap Mar 7, 2025 • Recap of the Application Security Weekly podcast episodes from February 2025
- The ASW January 2025 Recap Feb 7, 2025 • Recap of the Application Security Weekly podcast episodes from January 2025
- So Much Phishing Feb 3, 2025 • Satirizing a misguided focus on phishing labels
- Ideas for a Localized Lighting Model Jan 27, 2025 • Wishful thoughts as a commentary on LLMs
- The ASW December 2024 Recap Jan 5, 2025 • Recap of the Application Security Weekly podcast episodes from December 2024
- The ASW November 2024 Recap Dec 6, 2024 • Recap of the Application Security Weekly podcast episodes from November 2024
- AI & LLMs – An ASW Topic Recap Nov 14, 2024 • Recap of the Application Security Weekly podcast episodes on AI & LLMs
- The ASW October 2024 Recap Nov 1, 2024 • Recap of the Application Security Weekly podcast episodes from October 2024
- The ASW September 2024 Recap Oct 4, 2024 • Recap of the Application Security Weekly podcast episodes from September 2024
- The ASW August 2024 Recap Sep 6, 2024 • Recap of the Application Security Weekly podcast episodes from August 2024
- The ASW July 2024 Recap Aug 2, 2024 • Recap of the Application Security Weekly podcast episodes from July 2024
- The ASW June 2024 Recap Jul 5, 2024 • Recap of the Application Security Weekly podcast episodes from June 2024
- The ASW May 2024 Recap Jun 7, 2024 • Recap of the Application Security Weekly podcast episodes from May 2024
- The ASW April 2024 Recap May 3, 2024 • Recap of the Application Security Weekly podcast episodes from April 2024
- The ASW March 2024 Recap Apr 5, 2024 • Recap of the Application Security Weekly podcast episodes from March 2024
- The ASW February 2024 Recap Mar 1, 2024 • Recap of the Application Security Weekly podcast episodes from February 2024
- The ASW January 2024 Recap Feb 2, 2024 • Recap of the Application Security Weekly podcast episodes from January 2024
- The ASW December 2023 Recap Jan 5, 2024 • Recap of the Application Security Weekly podcast episodes from December 2023
- The ASW November 2023 Recap Dec 1, 2023 • Recap of the Application Security Weekly podcast episodes from November 2023
- The ASW October 2023 Recap Nov 3, 2023 • Recap of the Application Security Weekly podcast episodes from October 2023
- Whether to Chase a Cycle of Dependency Vulns or Versions Oct 20, 2023 • Trade-offs in dealing with every known vuln or just doing regular version maintenance
- The ASW September 2023 Recap Oct 4, 2023 • Recap of the Application Security Weekly podcast episodes from September 2023
- The ASW August 2023 Recap Sep 1, 2023 • Recap of the Application Security Weekly podcast episodes from August 2023
- Moving on from the OWASP Top 10 Mar 30, 2023 • Why the OWASP Top 10 list no longer drives effective appsec
- Celebrating Curl's 25th Anniversary Mar 20, 2023 • 25 years of curl -- one of the most impactful open source projects
- How I Conduct Podcast Prep Calls Feb 3, 2023 • Notes for conducting prep calls for the podcast
- Some Appsec Haikus Dec 15, 2022 • Appsec and DevOps concepts expressed as haikus
- DevSecCon London 2018 Presentation Oct 19, 2018 • Building Effective DevSecOps Teams Through Role-Playing Games
- (ISC)2 Security Congress 2018 Presentation Oct 13, 2018 • DevOps Is Automation, DevSecOps Is People
- Finding an Audience to Fix Flaws Oct 4, 2018 • Collaborating with developers to prioritize fixing flaws
- Preparing for the Next Data Breach Jun 6, 2018 • Proactive steps for effective breach postmortems
- OURSA, Their Presentations, and Your Follow-up Apr 20, 2018 • Noting the 2018 OURSA pop-up conference
- OWASP AppSec Cali 2018 Presentation Jan 30, 2018 • OWASP Cali 2018 'DevOps Is Automation, DevSecOps Is People'
- The Fourth Year of the Fourth Edition Jan 14, 2018 • Celebrating the 4th edition of Anti-Hacker Tool Kit
- Crucial Timing for Critical Vulns Jan 12, 2018 • Prioritizing patching based on risk, not severity
- Resolutions for a New Year of Vulns Dec 26, 2017 • Deciding on strategies to address risk from vulns
- Secure Design Practices for Verifying Vuln Fixes Dec 12, 2017 • Addressing the underlying causes of vulns
- Avoid BugOps, Do DevOps Oct 26, 2017 • Adopting better long-term strategies for reducing flaws
- DevSecCon London 2017 Oct 20, 2017 • Bug bounty programs, pentesting, and metrics
- Bikeshredding & Threat Models Oct 1, 2017 • Avoiding analysis paralysis in threat modeling exercises
- ISC2 Security Congress, 4416 - GBU Slides Sep 29, 2017 • Metrics on pentesting
- A Week of Security Should Last All Year Jul 24, 2017 • Cybersecurity tips to always follow for protecting your devices
- RVAsec 2017: Managing Crowdsourced Security Testing Jun 8, 2017 • Metrics on bug bounty programs, pentesting, and finding vulns
- OWASP AppSec EU 2017 Presentation May 12, 2017 • Metrics around pentesting
- Crowdsourced Security -- The Good, the Bad, and the Ugly May 1, 2017 • Bug bounty presentation
- Start at Zero with the OWASP Top 10 Apr 24, 2017 • Evaluating the risk associated with your apps
- Measuring Endemic Risk in AppSec Apr 10, 2017 • Visualizing the volume and risk of vulns
- PCI's Lessons for Passwords Mar 30, 2017 • What PCI teaches us about handling sensitive data
- Builder, Breaker, Blather, Why Mar 20, 2017 • Software engineering that leads to effective security
- Out of the AppSec Abyss Mar 7, 2017 • Finding ways to make security a natural part of the SDLC
- Relegating Vulns from Renewable to Rare Nov 15, 2016 • Reducing the mistakes that lead to software flaws
- An Event Mutates Nov 11, 2016 • Metrics on code security
- A Mutation Event Oct 25, 2016 • Bug bounty presentation
- Why You Should Always Use HTTPS May 31, 2016 • A non-technical overview of why HTTPS is so important for the web
- I'll ne'er look you i' the plaintext again May 3, 2016 • Let's encrypt and the security benefits from DevOps
- You've Violated APE Law! Mar 18, 2016 • Secure code and the planet of the apes
- Laws of Magic, Technology, and Appsec Feb 12, 2016 • Appsec versions of the quote about technology being indistinguishable from magic
- Battling the Geologic Timescale of SAST Oct 19, 2015 • Metrics on code security
- Bad Code Entitles Good Exploits Sep 9, 2014 • XSS example
- RSA APJ 2014, CDS-W07 Slides Jul 30, 2014 • Building and Breaking Privacy Barriers
- A Monstrous Confluence May 10, 2014 • Heartbleed detection tool and demonstration in C++
- RSA USA 2014, DSP-R04A Slides Feb 28, 2014 • CSRF and appsec
- Audit Accounts, Partition Passwords, Stay Secure Jan 6, 2014 • Cybersecurity tips to keep your accounts and systems safe
- Soylent Grün ist Menschenfleisch Dec 27, 2013 • The web -- it's made of people!
- Selector the Almighty, Subjugator of Elements Dec 3, 2013 • XSS payloads to take advantage of the presence of jQuery
- A Default Base of XSS Oct 21, 2013 • An XSS vector via quirks of PHP integers
- On a Path to HTML Injection Sep 25, 2013 • HTML injection through URL paths
- Hacker Halted US 2013 Presentation Sep 20, 2013 • HTML5 security
- DRY Fiend (Conjuration/Summoning) Aug 27, 2013 • Code reuse for XSS attacks
- Oh, the Secrets You'll Know Aug 20, 2013 • Finding secrets in GitHub repos
- ...And They Have a Plan Aug 8, 2013 • Ideas on CSRF countermeasures
- BlackHat US 2013: Dissecting CSRF... Aug 5, 2013 • Dissecting CSRF Attacks & Countermeasures
- The Resurrected Skull Jul 1, 2013 • Finished writing The Anti-Hacker Tool Kit
- Two Hearts That Beat As One Jun 24, 2013 • Crafting an XSS payload across two input parameters
- A True XSS That Needs To Be False Jun 18, 2013 • XSS that takes advantage of JavaScript syntax quirks
- A Hidden Benefit of HTML5 Jun 14, 2013 • Finding XSS in hidden input fields
- JavaScript: A Syntax Oddity Jun 5, 2013 • Crafting XSS payloads with valid, but strange, JavaScript syntax
- RVAsec 2013: JavaScript Security & HTML5 May 31, 2013 • HTML5 security
- The Wrong Location for a Locale Mar 28, 2013 • XSS through localization
- Insistently Marketing Persistent XSS Mar 21, 2013 • Example of persistent XSS
- Plugins Stand Out Mar 14, 2013 • Insecure browser plugins
- RSA US 2013, ASEC-F41 Slides Mar 8, 2013 • WebSockets security
- Condign Punishment Mar 5, 2013 • Historically harsh punishment for security lapses
- B-Sides SF 2013: JavaScript Security & HTML5 Feb 26, 2013 • HTML5 security
- Implicit HTML, Explicit Injection Feb 5, 2013 • XSS payloads that take advantage of entity encoding
- Know Your JavaScript (Injections) Jan 23, 2013 • Cross-site scripting example inside a JavaScript variable
- User Agent. Secret Agent. Double Agent. Jan 21, 2013 • Explanation of CSRF flaws
- A Lesser XSS Attack Greater Than Your Regex Security Jan 14, 2013 • Bypass a regex that tried to block XSS
- TOCTOU Twins Dec 26, 2012 • Time of check, time of use vulns in web apps
- BayThreat 2012 WebSocket Presentation Dec 8, 2012 • WebSocket security
- HIQR for the SPQR Dec 5, 2012 • HTML injection quick reference for creating XSS payloads
- RSA Europe 2012, ASEC-303 Slides Oct 11, 2012 • HTML5 security
- Escape from Normality Oct 2, 2012 • Normalizing data before validating it
- My Zombie Incursion into Amazon.com Sep 21, 2012 • Cross-site scripting (XSS) on amazon.com via a book's PDF preview
- Password Interlude in D Minor Aug 27, 2012 • Password security
- LinkedIn, HashedOut Jun 7, 2012 • Random passwords from the 2012 LinkedIn breach
- Design vs. Implementation Jun 5, 2012 • Flaws that stem from design and implementation mistakes
- HTML5 Unbound, part 4 of 4 May 31, 2012 • HTML5 security
- HTML5 Unbound, part 3 of 4 May 28, 2012 • HTML5 security
- HTML5 Unbound, part 2 of 4 May 25, 2012 • HTML5 security
- HTML5 Unbound, part 1 of 4 May 23, 2012 • HTML5 security
- OWASP/ISSA Bletchley Park 2012, Graveyards & Zombies May 22, 2012 • Presentation on security and privacy expectations with HTML5
- Security Summit 2012, HTML5 Unbound May 21, 2012 • Appsec and HTML5
- O[Utf-8]12 Mar 6, 2012 • Unicode, UTF-8, and character encoding implications for appsec
- Parsing .NET ViewState Jan 27, 2012 • Parsing .NET ViewState
- The Twelve Web Security Truths Nov 16, 2011 • An appsec list inspired by RFC 1925
- RSA Europe 2011 Oct 12, 2011 • Presentation on HTML5 for RSA Europe 2011
- Will the Real APT Please Stand Up? Jun 16, 2011 • Advanced vs. sophisticated appsec threats
- Klingon, Quenya, or Sindarin? Jun 1, 2011 • A brief note on confusion and diffusion
- A Spirited Peek into ViewState, Part II May 25, 2011 • Technical aspects of implementing a parser for ViewState objects
- A Spirited Peek into ViewState, Part I May 13, 2011 • A technical look at reverse engineering ViewState
- CSRF and Beyond Apr 26, 2011 • Explaining cross-site request forgery (CSRF) vulns
- Advanced Persistent Ignorance Apr 14, 2011 • The advanced persistent ignorance that leads to SQL injection flaws
- Carborundum Saw Dec 11, 2010 • Cybercrime imagined in 1986 by Stanisław Lem
- Electric Skillet Dec 11, 2010 • Appsec ideas from sci-fi books
- Regex-based security filters drift without anchors Jun 15, 2010 • Avoiding subtle flaws in regex-based security filters
- Cross-Site Tracing (XST): The Misunderstood Vulnerability May 18, 2010 • Cross-site tracing (XST) takes advantage of how a web server reflects a client's HTTP message in a response to a TRACE request
- At about this time... May 8, 2010 • The day of the triffids
- Is a vuln without a useful exploit still a vuln? May 7, 2010 • Finding an XSS vuln vs. finding an exploit, and how such vulns should be prioritized
- Of the 2010 OWASP Top 10, Only 3 Not Common, Only 1 Hard To Detect Apr 22, 2010 • Observations on the 2010 OWASP Top 10
- RSA Presentation Mar 10, 2010 • Considering how appsec might change with new features
- Primordial cross-site scripting (XSS) exploits Feb 19, 2010 • One of the earliest examples of XSS
- An Alien Concept of Password Security Feb 17, 2010 • Password security lessons from the movie Aliens
- Earliest(-ish) hack against web-based email Jan 4, 2010 • One of the earliest examples of XSS against web-based email
- So...so you think you can tell Jul 30, 2008 • Finding flaws in web apps