The Best of Application Security 2009 (Mid-Year)

Every year the application security industry receives a number of phenomenal research papers and other great contributions. Even for those dedicated to appsec as their primary job function it is challenging to stay up-to-date, which means resources to help track them become extremely valuable. As such Ivan Ristic and I have been working on the "The Best of Application Security", a list of the ten most remarkable contributions (in no particular order) published bi-annually and then combined at year end. Obviously some painful, but necessarily omissions had to be made. If readers disagree with the list, great! Please comment your suggestions for consideration. Lastly this effort will be different from the annual Top Ten Web Hacking Techniques, which is solely dedicated to breaking stuff.

• Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
• Mozilla Content Security Policy proposal
• Software Security Maturity Models (BS-IMM & OpenSAMM)
• Verizon 2009 Data Breach Investigations Report
• Vulnerability Prevention Cheat Sheets (XSS & SQL Injection)
• Creating a rogue CA certificate
• HTTP Parameter Pollution
• CWE/SANS TOP 25 Most Dangerous Programming Errors
• Socket Capable Browser Plugins Result In Transparent Proxy Abuse
• Anti-Clickjacking w/ Internet Explorer 8, NoScript and Safari 4.0