
Research

My Web 2.0 Top Security Threats List

Submitted by Ofer Shezaf on 25 February 2009 - 8:25pm

I have written for the Open Group's Secure Enterprise 2.0 group a white paper about Web 2.0 security threats.

Discussing Web 2.0 security is difficult because Web 2.0 itself is a somewhat blurry term. Most discussion of Web 2.0 security tends to be at the technical level; however, Web 2.0 is not a technology but rather a concept. When researching the issue, I was surprised to find out that Tim Berners-Lee, the Web's conceiver, views the original web as the first Web 2.0 implementation. After considering this, I tend to agree. Wikis are certainly a Web 2.0 application, and they have existed since 1994.

The Marquee Tag and XSS

Submitted by Ofer Shezaf on 13 January 2009 - 9:11am

A recent post on the ModSecurity mailing list prompted me to discuss a prevailing misconception regarding XSS protection. The poster requested a ModSecurity rule to block several HTML tags, including "<li>" and "<marquee>".

Using WHID to Assess Risk

Submitted by Ofer Shezaf on 22 December 2008 - 5:06pm

The Web Hacking Incidents Database (WHID) provides a tool for assessing the risk posed by insecure web applications. Such risk analysis is important to make sure that resources are spent wisely when fixing or protecting web applications. The attached presentation discusses risk analysis for web application security and addresses the role WHID can play in such an analysis.

The outline of the presentation is:

Detecting Credit Card Numbers in Network Traffic

Submitted by Ofer Shezaf on 10 December 2007 - 1:18am