The goal of this release is to provide all the necessary resources to establish and set up a fully functioning security exceptions program at your company. - Robert Auger (@robertauger) In this pack, we cover: Security Exception Definitions: This document describes common terminology used in an exceptions process, outlines definitions for the...
Announcing SecTemplates.com release #4: Vulnerability Management Program Release Pack 1.0
I'm pleased to announce our fourth release, the Vulnerability Management Program Pack. The goal of this release is to provide everything you'd need to establish and set up a fully functioning vulnerability management program at your company. - Robert Auger (@robertauger) In this pack, we cover: Vulnerability Level Definitions: This document outlines vulnerability...
Announcing SecTemplates.com release #2: External penetration testing program pack 1.0
In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the...
Announcing SecTemplates.com and the incident response program pack 1.0
In addition to CGISecurity I work on other side projects from time to time. Below is an announcement about my latest project. Introduction I've worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself...
20 years of CGISecurity: What appsec looked like in the year 2000
Just realized that 20 years have passed since I started this site to learn more about web security threats. What 'appsec' looked like in 2000 OWASP didn't exist yet, nor did WASC Vulnerability disclosure was the wild west. Rain forest puppy (RFP) (that guy who discovered sqli) had just created the first...
Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....
CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years
To commemorate this site turning 10 I've created a list of my top 10 thought-provoking/innovative posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started...
CGISecurity turns 9
It's been 9 years since I started this site as an excuse to learn more about web application security. To put this into perspective the following terms hadn't been coined yet CSRF/XSRF/Cross-site Request Forgery XST Web 2.0 AJAX/XMLHTTP Silverlight CRLF Injection SDL/SDLC Firefox Clickjacking Sidejacking HTTP Request Smuggling HTTP Response Splitting HTTP...
Heading out to blackhat/defcon
I'm heading out later today for my yearly Blackhat/Defcon trip and looking to attend the following blackhat talks as of now. Day 1 Veiled - A Browser Based Darknet Practical Windows XP/2003 Heap Exploitation Fighting Russian Cybercrime Mobsters More Tricks for Defeating SSL Enterprise Java Rootkits The Language of Trust State of...
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...
New Website Changes
Some of you may have noticed the changes this site has undergone in the past 2 months. Here's a rundown of the new additions. - New site design - RSS feeds with partial story content - ATOM Feeds have been added - News content archived on a per month basis - User...
Site Migration To New Hoster
I am migrating this site to a new hoster so you may notice some strangeness on the site in the next day (including the site not working). Additionally the RSS feed which currently points to cgisecurity.net will change to cgisecurity.com so you may see double entries in your rss reader.
Site News: We want to hear from you!
As some of you may have noticed I've expanded the news beyond purely technical articles/papers/advisories to security process as well. Rather than alienate many of you I'm asking what are the sorts of things you'd like to see posted more often? What do you care about most? - Advisories - Product Press...
CGISecurity turns 8!
I'm happy to announce CGISecurity's 8th year providing website and application security news as of today. What started out as an excuse to learn about web based vulnerabilities has really evolved. Here are a few things to put into perspective - The following terms hadn't been coined yet - CSRF/XSRF/Cross-site Request Forgery...
Welcome to the new website!
Welcome to the new and improved CGISecurity.com! After years of using the old design I've decided it was time for a change and thanks to my homeboy Romain we have a new design. In addition to the design you can now post comments, get partial story bodies in RSS feeds, and actually...
CGISecurity turns 7
I'm happy to announce CGISecurity's 7th year providing website and application security news as of this week. What started out as an excuse to learn about web based vulnerabilities has really evolved. Here are a few things to put into perspective - The following terms hadn't been coined yet - CSRF/XSRF/Cross-site Request...
RSS Security Section Added
I've decided that, with the recent buzz of RSS security news stories and mailing list posts, it needs its own section. If there is a story or article that you feel I've missed please let me know. RSS Security Section: RSS Security
CGISecurity.com needs a banner!
The time has come and I really need a new logo/banner for this website! I am offering website advertising (on every page) for a minimum of one month to a person who can provide me with a new 259x68px and 120x60px logo. If you've got what it takes to design us a...
"2005 The Year of Phishing"
Phishing has exploded in 2005 so I've decided to dedicate a section of this site towards it. I have created a Phishing resource page providing a list of tools, news articles, whitepapers, and solutions to phishing. If there is a resource that I've missed please let me know. Phishing Link: Phishing HomePage
Website Updates
I've added a bunch of papers to The Library section be sure to check them out!
Added Penetration Testing Section
I have created a quick reference section for the web application penetration tester. This section breaks down some of our documentation into categories a pen-tester would care about. We provide information on Session ID Attacks, Cross Site Scripting, SQL Injection, HTTP Header Modification, Cookie poisoning and more. This new section can be...
Database Server section added
I have added a Database Server Security section to this site. This will cover database server security specifically. Our first addition is Oracle. Now onto a few site changes: • I have removed the Intrusion detection tab for the time being because I don't feel I'll be working on it for at...
Tomcat security page added
We have added an Apache Tomcat Security page to our application server section. This page will provide links to tutorials, downloads, security documentation, and forums you can go to to talk about Tomcat security. We will also be releasing a Resin Application server security section on this website sometime this month. Documentation on...
Site additions
I have recently added Web Services Security and WebSphere sections to this site. Sometime this month I will also be adding WebLogic, Apache, and IIS security sections that will provide documentation and links to relevant security resources. If there is something you would like to add, or see, please email me.