Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started this site I admit I didn't know what I was doing, and looked at this site as an excuse to learn more about/discuss web based threats. A lot has happened since I first started this site, here are a few things to put it into perspective.

• The vulnerability used by Code Red/Nimda hadn't yet been discovered
• The Java Struts framework was only a few months old
• The securityfocus webappsec list hadn't been created/renamed yet
• www.incidents.org hadn't been renamed to isc.sans.org yet
• Cross site scripting was less than a year old
• The term XSS was less than 6 months old
• You could still find vulnerable PHF machines (so I've been told :)
• Web Application Security was refereed to as 'CGI Security' hence why I picked this domain name.
• I was getting between 1-10 unique visitors a day compared to the 2,000-4,000 now.
• Web based worms were theoretical
• C# hadn't yet been renamed from "Cool"
• RFP's Responsible Disclosure Policy was a few months old
• XSS was lame (oh wait....)

The following security sites didn't exist

• http://jeremiahgrossman.blogspot.com
• http://ha.ckers.org
• http://www.securitybloggersnetwork.com
• http://www.darkreading.com
• http://www.milw0rm.com
• http://www.webappsec.org/
• http://www.owasp.org
• http://www.schneier.com/ (Bruce Schneier's blog)

The following security terms hadn't been published/coined/discovered yet

• CSRF/XSRF/Cross-site Request Forgery/Session Riding/One Click Attacks
• XST
• HTTP Request Smuggling
• HTTP Request Splitting
• HTTP Response Splitting
• HTTP Response Smuggling
• Session Fixation
• DOM XSS
• LDAP Injection
• Click Jacking
• Proxy Jacking
• Remote File Inclusion
• MX Injection
• XPath Injection
• XQuery Injection
• XML Injection
• Cyber snarfing (ok I just made that one up)
• Integer Overflows (from a vuln perspective)
• Heap Spraying
• Double Free
• Null Pointer Dereference (from a exploitability perspective)
• Zero Allocation Vulnerabilities
• Return Oriented Programming
• Props to Sensepost for making gathering this list easier.

The following browser technologies/terms didn't exist

• httpOnly
• EV-SSL
• X-FRAME-OPTIONS
• Iframe security attribute
• NoScript
• HTTP Strict Transport Security
• Webkit
• Google Chrome
• Firefox
• Tab isolation in browsers such as chrome didn't exist

The following tools/products/frameworks/technologies did not exist

• Modsecurity
• Burp Proxy
• Nikto
• Paros
• PaX
• Metasploit
• ASLR
• GRSecurity Kernel Patch
• Microsoft's .NET framework/ASP.NET
• SilverLight
• JavaFX
• Ruby on Rails
• Django
• Google Android
• Apple iPhone and iPod
• OWASP ESAPI

The following security processes/methodologies didn't exist

• Microsoft's Secure Development Lifecycle
• DREAD
• BSIMM
• STRIDE

The following security compliance standards didn't exist

• PCI / PCI-DSS

The following security products/projects didn't exist

• WASC Threat Classification
• OWASP Top Ten
• The Web Security Mailing List
• Daily Dave List