Sep 14, 2009
How I tell my clients that XSS is bad
The mixed bag of reactions to XSS, or Cross-Site Scripting, vulnerabilities is interesting to watch. As a security professional, I’ve audited banking applications built on web technologies and have in every case come away with at least one XSS vulnerability. When I present the findings to the client and to the vendor, I get some interesting reactions. “You can’t compromise an application using XSS.” Before I...
Sep 10, 2009
Three reasons why you should segment your SCADA networks
The recent eWeek report on how attackers managed to gain a foothold in an energy company through a phishing attack describes nothing new. There is nothing magical about it: incidents like this happen elsewhere far more often. What makes this one noteworthy is that the company was in control of part of a nation’s critical infrastructure: its energy supply. Also noteworthy is the fact that it was...
