Monday, January 26, 2009

OWASP Podcast #5 - Interview with Gary McGraw

I just finished updating the OWASP Podcast series RSS/iTunes feed to include OWASP Podcast #5 - an interview with Gary McGraw! You can read the show notes here, download the mp3 file directly here, or subscribe to the OWASP Podcast series RSS Feed here. If you use the iTunes podcast management feature, you can subscribe to the OWASP Podcast series via iTunes here.

The podcast starts with a 30 second introduction from the song "To You Right Now" off the album 100 Feet Above the Ground. Gary performed the mandolin, fiddle, sang backup vocals and produced this album.

Gary did not shy away from any difficult questions in this interview. In fact, he encouraged them. I was very impressed with Gary's courage to dive into controversy - as well as cause it.

Thursday, January 22, 2009

Browser HTTPOnly Support Update

If you update your Windows OS with the the MSXML Core Services patch MS08-069 then IE 8 Beta 2 and IE 7 will prevent HTTPOnly cookies from being read by XMLHTTPRequest headers (set-cookie headers only) within IE. As of this writing, IE 8 Beta 2 and IE 7 are the only browsers that truly stop HTTPOnly set-cookie leakage in XMLHTTPRequest headers. However, IE 8 Beta 2 and IE 7 are not the HTTPOnly-support winners, yet. IE 8 beta 2 and IE 7 with MS08-069 still leaks set-cookie2 HTTPOnly cookies in XMLHTTPRequest headers!

FireFox is on track to fix this obscure vector, completely. The FireFox patch for XMLHTTPRequest HTTPOnly protected is marked RESOLVED FIXED and will go live shortly.

Even Safari/Chrome will also see complete set-cookie/set-cookie2 XMLHTTPRequest exposure protection shortly - the patch is complete as of 12/21/08.

Final really obscure note, the OWASP WEBGOAT HTTPOnly lab is broken and does not show IE 8 Beta 2 and IE 7 with ms08-069 as complete in terms of HTTPOnly protection. However, Robert Hansens' HTTPOnly test page now includes set-cookie and set-cookie2 checks for XMLHTTPRequest exposure and should be used until OWASP fixes http://code.google.com/p/webgoat/issues/detail?id=18 .

And most importantly, I updated the OWASP HTTPOnly page to reflect this information.

Tuesday, January 20, 2009

OWASP Podcast #4 - Developers Guide

I just finished publishing OWASP Podcast #4 - an interview with Andrew van der Stock - over the status and future of the OWASP Developers Guide.

You can check out the show notes for OWASP Podcast #4, download the mp3 file directly, subscribe to the RSS feed, or subscribe directly to iTunes.

I 'm really exited to see what Andrew does in the upcoming revision to the OWASP Developers guide. This key OWASP reference is key for all of the "builders" out there is sure to raise the bar and contribute significantly to achieve industry-wide application security excellence. :)

Wednesday, January 7, 2009

OWASP Podcast #3 - Live CD

I just finished publishing OWASP Podcast #3 - an interview with Matt Tesauro.

Matt is the OWASP Live CD Project lead. He's also a member of the Global Project and Tools Committee. His interview is about the OWASP Live CD Project history, status and future.

You can check out the show notes for OWASP Podcast #3, download the mp3 file directly, subscribe to the RSS feed, or subscribe directly to iTunes.

I found Matt to be a very motivated and inspired quartermaster for OWASP. I'm certain he will continue to grow the OWASP Live CD project and I look forward to hearing about his progress in the near future.