Tonight on the Smithsonian Channel - System Crash: Break and Enter - Security

I caught the last half of the new System Crash show on the Smithsonian Channel last night. This particular show was called "Break and Enter" and is about cyber-security, hacking, and threats to online privacy.

From the show description

Take a disturbing trip to the dark side of the Internet, where cyber crooks pose a constant threat to our finances, privacy, even our national security. Discover how hackers can attack major corporations and bring entire countries to a standstill, and what, if anything, we can do to stop them.

[More]

cf.Objective Preconference Training Opportunities

I hope everyone is aware of the cf.Objective() conference that takes place in Minneapolis/St. Paul every year. In case you are not, you should know that it is an absolutely AMAZING event.

cf.Objective() is touted as "The World's Only Enterprise Engineering Conference for ColdFusion Developers". I have been to two cf.Objective() conferences so far, and this year will be my third. I am very excited about it.

Two years ago, there was a two-day pre-conference training session held on the Mach-II framework. It was a very successful training (I believe they sold out every seat), but beyond that, it was a fantastic training. I attended it, and I loved it. I learned a lot. Last year they had ColdBox training prior to the conference. I did not attend that one, but I hear it was also great.

This year, the organizers of cf.Objective() are trying the pre-conference training again, but with more training sessions. This year there will be six!

[More]

Insecure Direct Object Reference - Security Series #15

The first time I looked at the OWASP Top Ten web vulnerabilities, they all made sense to me, save for one. That one was A4 - Insecure Direct Object Reference. At the time I was still pretty new to object-oriented programming and so the first thing I thought was that it was referring to those kinds of objects.

But that is not what they are talking about. They are talking about any direct reference to an "implementation object": a file, a folder, a database record, or any other kind of key that the application hands to the user in a URL or form field and then trusts when it comes back in the next request.
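Added example, not from the original post: a Python sketch of the mistake and two standard fixes. The invoice data, the user names and the function names are constructed for illustration. The vulnerable function uses the primary key from the request exactly as a naive `invoice.cfm?id=1002` page would; the first fix keeps the direct key but checks ownership against the server-side session, and the second replaces real keys with per-session random tokens (an indirect reference map), so a tampered or guessed value resolves to nothing.

```python
import secrets

# Constructed sample data standing in for an "invoices" table. The integer ids are
# the real primary keys that a naive page would put straight into a URL.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class Forbidden(Exception):
    """Raised when a request references a record the current user may not see."""


def get_invoice_insecure(invoice_id):
    """Vulnerable: the key from the request is used as-is, with no check that the
    caller owns the record. Any logged-in user can iterate ids and read everyone's data."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user, invoice_id):
    """Fix 1: keep the direct key but verify ownership on every access.
    current_user must come from the server-side session, never from the request."""
    row = INVOICES.get(invoice_id)
    if row is None or row["owner"] != current_user:
        # Same outcome for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("invoice not found")
    return row


class IndirectReferenceMap:
    """Fix 2: expose only random per-session tokens instead of real keys. One instance
    lives in each user's session; a token from another session resolves to nothing."""

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def token_for(self, real_id):
        """Return the opaque token to embed in links for this session's record."""
        token = self._id_to_token.get(real_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
            self._id_to_token[real_id] = token
            self._token_to_id[token] = real_id
        return token

    def resolve(self, token):
        """Map a token from the request back to the real key, or refuse."""
        try:
            return self._token_to_id[token]
        except KeyError:
            raise Forbidden("invalid reference") from None


def get_invoice_indirect(session_map, token):
    """Look up a record via the session's indirect reference map only."""
    return INVOICES[session_map.resolve(token)]


def raises_forbidden(fn, *args):
    """Helper for demonstrations: True if fn(*args) is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice is logged in and edits the id in the URL to fetch bob's invoice.
    print("insecure:", get_invoice_insecure(1002))                            # bob's data leaks
    print("checked :", raises_forbidden(get_invoice_checked, "alice", 1002))  # True
    alice_map = IndirectReferenceMap()
    link_token = alice_map.token_for(1001)  # what alice's page would put in the link
    print("indirect:", get_invoice_indirect(alice_map, link_token))           # alice's own
    print("guessed :", raises_forbidden(get_invoice_indirect, alice_map, "1002"))  # True
```

The ownership check is the fix that applies everywhere; the indirect map is worth the extra session state when the real keys themselves are sensitive (for instance when they reveal how many records or users exist).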

[More]

I will be speaking at cf.Objective() 2010 on Security Topics (duh)

I received word last week that two of the topic proposals I submitted to the cf.Objective() planning committee were accepted. I am very excited and honored by this. It's nice to know that people think what I have to say is worthwhile.

You may have guessed that I will be talking about security, since that seems to be what I enjoy talking about most. But this year will be a little different.

[More]

The Winners of the Fusion Authority Quarterly Update giveaway.

I just closed the comments of my last post announcing the release of the new Fusion Authority Quarterly Update. Now it is time to announce the winners. But first.

[More]

The new Fusion Authority Quarterly Update is out

NOTE: I have closed the comments on this post. The contest is over. I will post the winners soon.

It seems like not many people are talking about the new Fusion Authority Quarterly Update. It has been out for about 3 weeks, I think, and it seems that there is very little buzz about it. So I thought I would generate some.

This is a little self-serving, as I have two articles in the newest version, but I don't mind :) My two articles are in a new "Let's Talk Security" column. They are "Application Security Primer" and "SQL Injection: A Persistent Threat". I was very excited to be asked to start writing for FAQU and I hope to be able to contribute more.

In addition to my two articles, there is some amazing content from authors like Todd Sharp, Ray Camden, Terry Ryan, Mark Kruger, Mike Brunt, Mike Henke, Charlie Arehart, S. Isaac Dealey, Pete Ruckelshaus, Adrian J. Moreno and Mark Phillips. And I am especially looking forward to reading Dave Konopka's "SOA for the rest of us".

To help bring attention to the new Quarterly Update and to generate some buzz, I am going to have a little giveaway. I like to do giveaways once in a while. It is fun. Judith and Michael at House of Fusion have graciously offered two 1-year subscriptions to the Fusion Authority Quarterly Update for me to give away.

So on Friday of this week (only three days from now) I am going to give away two 1-year subscriptions to the Fusion Authority Quarterly Update.

[More]

I will be starting school soon

As some of you know, I have decided to return to school to pursue a graduate degree. I am excited about beginning this new adventure in life and I wanted to tell you a little about it, and about how it came to be.

I am not sure if all of my readers are aware of this, but I am a veteran of the United States Coast Guard. The United States Coast Guard is a branch of the U.S. Armed Forces that works under the Department of Homeland Security. I served for four years in Houston, TX and was honorably discharged in June of 2006 after fulfilling my commitment. During my four years, I earned two Coast Guard Achievement Medals for my service (both computer/programming related), qualified on the 9mm pistol (sharpshooter) and the M-16 rifle, received an amazing letter of recommendation from my commanding officer, and completed a Bachelor of Science degree in Information Technology Management while attending school online.

So that long-winded horn-tooting was really about pointing out that I finished my B.S. while serving.

[More]

URL Session Tokens easily compromised - Security Series #6.4

I have said on several occasions that catering to users who insist on disabling cookies is a bad idea. I have blogged a couple times on the reasons.

So why am I suddenly bringing this topic up again? Well I recently read (I cannot recall where, it was probably on the OWASP site) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.
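The mechanism is behind the [More] link, so the following is an added example and not the post's own explanation. Two routes that are well established and that I am assuming here: a session token carried in the query string is written to every web server access log the request passes through, and when the user follows a link to another site the browser sends the full URL, token included, in the Referer header, so it lands in that site's logs too. The Python below scans Combined Log Format lines for ColdFusion (`CFID`/`CFTOKEN`) and Java (`jsessionid`) session identifiers in both the request path and the Referer; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Session identifiers that ColdFusion and Java application servers (and PHP) will
# put in the URL when the application is written to work without cookies.
SESSION_PARAMS = {"cfid", "cftoken", "jsessionid", "phpsessid"}

# Apache/IIS "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines. Line 1 is the application's own log, where the tokens are
# recorded with the request. Line 2 is a third-party site's log, where the token
# arrives in the Referer because a user followed an outbound link. Line 3 is clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2010:09:14:02 -0600] "GET /account.cfm?CFID=1234&CFTOKEN=98765432 HTTP/1.1" '
    '200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2010:09:15:40 -0600] "GET /partner/landing.cfm HTTP/1.1" 200 880 '
    '"http://intranet.example.com/app/report.cfm;jsessionid=1A2B3C4D5E6F?rpt=7" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2010:09:16:11 -0600] "GET /public/index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def session_params_in_url(url):
    """Return {param: value} for any session identifier carried in the URL itself."""
    parts = urlsplit(url)
    found = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in SESSION_PARAMS:
            found[name] = values[0]
    # Servlet containers append the id to the path: /page.cfm;jsessionid=ABC?x=1
    m = re.search(r";jsessionid=([^?;/]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found


def scan_access_log(lines):
    """Flag every session identifier visible in the request path or Referer of each line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for where in ("path", "referer"):
            for name, value in session_params_in_url(m.group(where)).items():
                findings.append({"line": lineno, "where": where, "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']} exposed via {f['where']}")
```

Anyone who can read either log, or who simply receives the link, holds a usable session for as long as it lives; the finding on line 2 is the interesting one, because the intranet application's session is sitting in a log owned by someone else entirely.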

[More]

My presentations from the MN Government IT Symposium

Bleh. I have been sick for the last week and have spent a lot of time away from the keyboard and from blogging. But I was able to give both of my presentations at the MN Government IT Symposium last week and they both went off excellently. I got a lot of good feedback for both. Even my application security presentation, which was the last session on the last day, managed to draw 20 attendees, which, I understand, is pretty good.

Anyway, here are my presentations in their original formats and in PDF format.

[More]

I will be speaking at the MN Government IT Symposium Next Week

Last year I spoke at the Minnesota Government IT Symposium on application security, and I thought it went really well. I ended up with 75 or so attendees (for a 2.5 hour presentation), which I thought was fantastic.

This year I have been honored with being selected to speak again on application security (this time for only one hour) and also on Adobe AIR.

[More]


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.