Blog :: by Wade Woolwine - Latest Comments

Re: RE: Alignment of Interests in Web Security

søgemaskineoptimering københav — Sun, 13 Mar 2011 13:27:36 -0000

When it comes to standards (de-facto or otherwise), guidance, terminology, and nomenclature, Web security is an exceptionally confusing and ...

Re: RE: Alignment of Interests in Web Security

gold coast hypnosis — Mon, 07 Mar 2011 09:50:11 -0000

This despite, or perhaps because of, how many directions the company is pursuing at once (data center, consumer devices, enterprise, physical security, voice, video, settop boxes, Internet Web conferencing, smart grid energy ...). ...

Re: Thoughts on an AppSec Program (Pt. 4) – Metrics and defining success

carrier air conditioners — Thu, 29 Jul 2010 19:28:17 -0000

thats one sweet article ...,

Re: mod_auth_kerb and mod_authnz_ldap bring Apache web apps into the Enterprise

JOE — Wed, 03 Feb 2010 12:38:30 -0000

Is it even possible to use LDAPVerifyServerCert on? With this feature turned off, apache will securely authenticate to any AD server that answers. I've also noticed that whenever I turn on LDAPVerifyServerCert, I always get bad certificate errors even though I'm using the same certificate with nss_ldap without issue. I haven't come across anything terribly informative about this issue, is it just something that is too trivial to go into?

Re: Thoughts on an AppSec Program (Pt. 4) – Metrics and defining success

wadew — Mon, 04 Jan 2010 21:10:14 -0000

Thanks Ed. I appreciate the feedback!

Re: Thoughts on an AppSec Program (Pt. 4) – Metrics and defining success

edsmiley — Mon, 04 Jan 2010 19:49:11 -0000

I am thoroughly enjoying this series and the entire blog. Keep up the good work!

Re: Big Changes on the Horizon

wadew — Sun, 27 Dec 2009 09:43:40 -0000

Thanks!

Re: Big Changes on the Horizon

usr_local — Fri, 25 Dec 2009 07:16:02 -0000

Congratulations and Good luck friend! May the source be with you.

Re: Risk acceptance – does it really matter?

Ben T. — Fri, 11 Dec 2009 10:16:56 -0000

I was in a meeting a couple days ago when the "person in charge" uttered that "ok, we'll just accept that risk" phrase... I immediately thought of your post here since no real assessment had been done to fully quantify the "risk"... :)

Re: Risk acceptance – does it really matter?

Gracie — Thu, 10 Dec 2009 08:14:06 -0000

Oh, ok. :) Thanks Wade! :)

Re: Risk acceptance – does it really matter?

wadew — Thu, 10 Dec 2009 07:29:43 -0000

I wasn't really considering low risk vulnerabilities. Theoretically, if the vulnerability can lead to a serious hack, it wouldn't be through a low risk issue.

Re: Risk acceptance – does it really matter?

Gracie — Thu, 10 Dec 2009 07:22:19 -0000

but what if you know the risk is Low and feel like you are giving a valuable response as a security officer that you recommend they accept the risk?

Re: Risk acceptance – does it really matter?

wadew — Wed, 09 Dec 2009 08:53:30 -0000

I assumed that the risk accepted by the executive/official was as a result of a finding from an assessment. As in, "yes, we acknowledge that there's a security hole, but we're willing to accept the risk".

Re: Risk acceptance – does it really matter?

CG — Wed, 09 Dec 2009 08:46:35 -0000

nothing happens when they get owned if they are blatantly at fault, why would something happen if they actually did a risk assessment...

Re: Why use development standards?

wadew — Fri, 20 Nov 2009 07:04:55 -0000

Thanks Nkosinathi!

Re: Why use development standards?

Nkosinathi Thwala — Fri, 20 Nov 2009 00:56:36 -0000

Good read, enjoyed your post and found it interesting

Re: My thoughts on AppSecDC 2009 and why you should “OWASP”

wadew — Wed, 18 Nov 2009 13:22:54 -0000

Thanks Michael. It was a great event. I hope we get to host in DC again soon!

Re: My thoughts on AppSecDC 2009 and why you should “OWASP”

Michael Coates — Wed, 18 Nov 2009 13:06:42 -0000

Touché. Excellent event!

Re: My thoughts on AppSecDC 2009 and why you should “OWASP”

wadew — Wed, 18 Nov 2009 12:34:56 -0000

Thanks. Google Reader FTW!

Re: My thoughts on AppSecDC 2009 and why you should “OWASP”

Grecs — Wed, 18 Nov 2009 12:19:53 -0000

Nice summary. Thanks for pulling together all those other blog posts too. Hadn't come across all of them. Go red shirt people!

Re: mod_auth_kerb and mod_authnz_ldap bring Apache web apps into the Enterprise

wadew — Sat, 22 Aug 2009 11:10:42 -0000

Thanks Martin. Yes, I was grateful for the addition of this feature! Thanks for your feedback!

Re: mod_auth_kerb and mod_authnz_ldap bring Apache web apps into the Enterprise

Martin — Thu, 20 Aug 2009 10:10:54 -0000

Nice Blog!

But your Patch isn't needed anymore:

KrbLocalUserMapping on

which strips the realm also for users authenticated with their ads kerberos ticket.

Re: Security Questions don’t work!

DrInfoSec — Fri, 30 Jan 2009 22:48:48 -0000

Yes! Given the level of activity in malware and social engineering, we need better solutions than the "cognitive passwords" that banks and online stores have been peddling.

Re: mod_auth_kerb and mod_authnz_ldap bring Apache web apps into the Enterprise

Lesley — Thu, 29 Jan 2009 12:13:27 -0000

Very good points. Its way too easy to find anything anymore, and even I, as a security novice, don't feel like anything I do is safe on the internet.

Re: Reader Opinion: Degrees and Colleges

_k — Wed, 28 Jan 2009 13:04:55 -0000

1. A degree is less important than strong relationships with the people one is working with/hopes to work with. However, success will come *in spite of* not having a degree. In today's job market, having an undergrad degree is the neutral state. Not having a degree is a handicap, but not an insurmountable obstacle. It is possible to have a long rewarding career with no degree; we all know of people who have done this.

Consulting firms catering to federal contracts generally cannot be as flexible on this as private industry, because the contracts generally have a minimum level of degrees necessary.

2. I think if you are spending your own money on them, they are a waste of funds. They are not much less expensive than an in-state education, and the level of instruction is frequently terrible. I know several people who have worked at or gone to umuc, and haven't heard a single good thing about it. Even when, as umd employees, they were going for free.

Also, keep in mind that it is not a boolean question of degree or no degree. Much like a degreed state is neutral, having a degree from a traditional 4-year institution is neutral. Having a degree from a degree mill can be a negative handicap. (Having a degree from an Ivy League school is a boon.)

A degree mill is neutral in places where where they just need to check the degree box, but if people you do not know well are grilling you, they will be using *what* you got your degree in and *where* you got it as a metric to judge you; against themselves, and against other candidates.

Unless your employer is footing the bill while you maintain a solid employment history, an online school is going to raise more questions than it answers.

3. I had made my mind up to go back to school before I was laid off from $BORG. It has been difficult and has eaten into my savings considerably, going to school full-time and working part-time. (I dropped out as a freshman.) I feel a good deal of frustration at not being able to "test out" by waving my 15 years of experience around, but even the somewhat average education I am presently receiving is light-years better than what I would get across the campus. And as it happened, by taking classes here, I transitioned into a major that I find far more interesting than the work I've done before. I grumble, but I don't regret the process.