Michael Sutton's Blog

  • Michael Sutton's Blog Status Change

    Michael Sutton's Blog will no longer be an active HP Application Security Center blog. Michael is no longer with HP, and won't be actively maintaining this blog. While no future comments will be accepted, all posts will still be archived and available...
  • PCI Requirement 6.6 - The Clock is Ticking

    Welcome to 2008. By now you have no doubt made and broken a number of New Year's resolutions. Not to worry if you've already wasted $50 bucks on a gym membership, there's always next year. I do however hope that taking PCI seriously was on...
  • Microsoft Black Tuesday - June 2007

    The June edition of Microsoft Black Tuesday marked two important events - an all-out assault on client-side vulnerabilities and the end of the security honeymoon for Windows Vista. I've been saying for some time now that we're in the midst of...
  • Identifying Web Application Technologies

    Jeff Forristal has an interesting initiative and for those able to help out, there are cash and prizes to be had! Well ok, no cash, but you could walk away with some stylish SPI clothing or a few drinks on us. Jeff is looking for assistance in identifying...
  • Microsoft Black Tuesday - May 2007

    The break that we were given in April when only 8 vulnerabilities were delivered is now a long lost memory. While May was not a record month, it was big with 18 overall vulnerabilities in seven advisories. More importantly, the vulnerabilities were strongly...
  • Educating Developers

    I spend much of my time on the road conducting presentations on application security for various audiences. Of all the groups that I speak to, developers are a favorite of mine. Developers get a bad rap when it comes to security. They are generally blamed...
  • Microsoft Black Tuesday - April 2007

    The month of April started off with a bang, when Microsoft released MS07-017, a rare out-of-cycle patch, but ended with a fizzle, with 8 additional vulnerabilities. While four critical vulnerabilities were addressed, that is down significantly from the...
  • Debug Message XSS Vulnerabilities

    I was excited this afternoon when I thought that I'd stumbled upon a universal XSS vulnerability in verbose ColdFusion error messages. While testing a site, I had noted that a verbose debug error message (see below) echoed back many of the request...
  • What is Web 2.0?

    Web 2.0 may be the most ill-defined technology term to date. Everyone uses the term but I have yet to hear a decent definition of it. O'Reilly Media is credited with coining the phrase and Tim O'Reilly defines Web 2.0 as: "Web 2.0 is the...
  • Microsoft Black Tuesday - February 2007

    This month Microsoft decided to play catch-up and hit us with a hefty 12 security bulletins covering 20 vulnerabilities, 13 of which were critical. The volume was not surprising given that Microsoft pulled four of eight planned bulletins four days before...
  • Phree Phishing

    I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist. In that posting I noted how I was surprised to find that Yahoo! was actually hosting phishing sites designed to phish Yahoo! credentials. Not surprisingly...
  • How Prevalent Are XSS Vulnerabilities?

    How Prevalent Are Cross Site Scripting (XSS) Vulnerabilities? Based on a recent experiment, I wasn't surprised to see that they're everywhere and finding dozens at a time doesn't present much of a challenge. Back in September, 2006 I sought...
  • Evaluating Security Tools

    All companies face the challenge of evaluating security tools that they will procure, but knowing where to start can be a daunting task. While there's no perfect way to ensure that a product meets your needs, a little due diligence is essential. Fortunately...
  • Decoding the Google Blacklist

    After publishing last week's blog entitled 'A Tour of the Google Blacklist', I received a few queries about Google's encoded/hashed blacklist (enchash). This blacklist is separate from the unencoded blacklist that was the focus of the...
  • Microsoft Black Tuesday - January 2007

    This month's bulletins leave us with two major headlines. First, 'What happened to half of the bulletins?' and secondly, Internet Explorer 7.0 isn't apparently quite as bulletproof as advertised. Even before Black Tuesday arrived this...