Maui was a lot of fun, but more on that later. Today I got to get back to digital reality - wade through mountains of email, unread RSS feeds, and unplayed voicemail. Looks like while I was away there was a lot of chatter about PCI section 6.6 and WAFs, which makes sense since the compliance date is only about six months away. Gary McGraw (DarkReading) and Joel Dubin (SearchSecurity) had some sage advice, but it was Ryan Barnett’s words that really spoke to me. Ryan discusses vulnerability REMEDIATION with respect to PCI, which is all too often overlooked, and highlights some interesting verbiage. And since Ryan works closely with ModSecurity, it’s fitting to pass along that Ivan Ristic just announced the RC for version 2.5, and it has some slick-sounding features.
Ironically, while at the beach, I made Slashdot by sharing my personal “Web” surfing habits and discussing how to defend against CSRF attacks. Nah nah :) – this was the result of an interview I did some weeks back with Sarah D. Scalet of CSO, and it was just recently posted. Gotta hand it to the Slashdot crowd for their consistency in NOT reading the story before commenting. The first person actually asks “How exactly is this strategy going to protect you from a keylogger?” and then the conversation degrades from there. Sheesh. But Marcin (TSSCI) posted a nice little trick I haven’t tested out yet to simultaneously run multiple Firefox profiles, which should have nearly the same effect I was going for.
And while sla.ckers.org and XSSed.com are outing vulnerable websites, other websites suffered some Web security related incidents. Hundreds of MD Web Hosting customers’ websites were SE0wN3d, the F-Secure Forum was defaced by a Turkish group, adult-entertainment hoster Too Much Media Corp, who supports thousands of websites, was compromised, an Ohio court website was penetrated using Credential/Session Prediction, where several victims suffered identity theft, and the Tucson police department website is having its fill of SQL Injection as well. All fun and games in webappsec land.