I have been running around lately and haven’t had a chance to post. Here is what has been going on:
On Wednesday April 19th I spoke to the San Antonio chapter of the Open Web Application Security Project (OWASP) about securing AJAX applications. The talk covered a number of design and coding security issues for AJAX web apps and introduced our sprajax tool. Sprajax allows its users to spider AJAX-enabled web applications, detect which AJAX frameworks are in use, and then fuzz the AJAX endpoints to look for errors that might have security implications. The tool is basically finished but I am cleaning up the GUI, putting together an installer and tidying up the demo application so that it is easy for users to get started. The tool and source code will hopefully be released this week but that might bleed into Monday or Tuesday of next week. The slide deck from the presentation is available online here.
Yesterday I was up in Dallas manning the Denim Group booth for the Microsoft “Security Matters” conference. I got to see J Sawyer speak about SDL, and that was fun. I also talked to a lot of folks about web application security. My “lead in” question to the conference attendees was “What is your organization doing to secure your web applications?” and unfortunately the most common answer I received was “Nothing,” with a close second being “We have a firewall and we run anti-virus.” Yikes! When are folks going to realize that when ports 80 and 443 are open to the Internet, they need to make sure that their web applications are secure?
On May 3rd (next week) I will be speaking at a DevCare event in San Antonio about Smart Client applications. If you are interested in attending, please click here.
dan _at_ denimgroup.com