Wednesday, May 13, 2009

5 great Web security blogs you haven't heard of

I read a tremendous amount of online material, much of which originates from 200+ RSS feeds. Sure the well-known blogs continue to generate great timely content, but there are a few diamonds in the rough that don't get a lot of attention. They instead focus on quality rather than quantity in their postings offering a deep infosec business and technical analysis on subjects not well covered elsewhere. Figured I should share of a few of my favorites.

Boaz Gelbord
With a business rather than technical tone, Boaz discusses how organizations act and react to certain events in the industry such as compliance, regulations and law. Management, spending, and incentives are routinely explored that influence organizational behavior.

ZScaler Research - Michael Sutton, Jeff Forristal, etc.
Heavy on the technical details and very timely in regards to Web security related issues. Cross-Site Scripting, Browser Security, Worms, etc etc. What more did you want!?

Tactical Web Application Security - Ryan Barnett
A technical and operational point of view on Web security matters with great attack analysis. - Russ McRee
The best way I can describe Russ is he keeps the infosec industry honest, and that includes vendors AND website owners. While exceptionally fair minded, he's not at all shy to call BS when he sees it.

The Spanner - Gareth Heyes
Deeply technical, browser vendors beware of Gareth Heyes the master of HTML/JS code obfuscation. Ecodings, strange "features", and XSS are just some of the topics covered in stelar detail.


Raz0r said...

I thought The Spanner was a well known blog...

Anonymous said...

Thanks for sharing! Yes, all of them look great - and I guess I should spend a little more time again looking for new information sources.

Pento said...

Thanks! Just added to RSS reader

Michael Sutton said...

Thanks for the plug Jeremiah - much appreciated.

Michael Sutton
VP, Security Research

Rafal Los said...

Russ's blog is the only one I already had in my reader... thanks for the heads up on the rest!

As the list gets too long to keep track of I need to whittle it down, and sometimes good ones fall off.


Russ McRee said...

Thank you, Jeremiah. Too kind.

Anonymous said...

Is it posiible for you the post the other 200 rss feeds that you read?

Im suscribed to some feeds but im not sure which ones are the best.



Raul Diaz said...

Thanks a lot! It helps me to increase my security knowledge. You're the best.

Jeremiah Grossman said...

@Mauricio, if you ping me via email, I've be happy to give you my OPML file. Don't know of any other decent way to share it out online.

Anonymous said...

Hi Jeremiah

Our radio station website was hacked last week with a possible SQL injection. Every news story had viagra seo spam placed at the end of every story. It was made invisible on the frontend.

Our site is written in asp. Our site is hosted by our web developers in their KL datacentre.

Should the web hosting company take responsibility for the attack? Could they have prevented it by tighter hosting security or does it lay in the sites weakness.

Do I just have to wear the cost or repairs?

I'd appreciate your thoughts.


Jeremiah Grossman said...

@Andrew, if the code was your own (and not the ASPs), I'd say you unfortunately are left holding the bag with regards to costs and responsibility. That is unless they've taken on some contractual liability, but doubtful. Also the ASP likely could not have done much about such an attack against vulnerable custom code with traditional security technology.

Some ASPs are now offering "security" as a differentiating factor and installing Web Application Firewalls. Check out:

Hope this helps.

sports handicapping said...

Thanks for sharing! Yes, all of them look great - and I guess I should spend a little more time again looking for new information sources.

Anonymous said...


Unfortunately SQL injection is due to a lack of sufficient input validation and sanitization within your web applications code.

Ultimately the fault lies with yourselves/your developers - rather than your webhost who may/may not be responsible for infrastructure level issues (for example an out of date webserver that contains vulnerabilities).

In terms of preventing SQL injection, the most effective way is to use prepared statements (also known as parameterized queries). Also, don't forget to have frequent penetration tests to find issues before someone else exploits them.

Realise this comment was made some time ago, but hopefully this will be useful to other readers too.

James, @_securatek