Wednesday, March 25, 2009

OWASP Podcast #14 - Pravir Chandra and OpenSAMM

Pravir Chandra talks about the OWASP OpenSAMM project and software maturity models in general. Pravir has been deep in this space for some time and even provides us with the inside scoop as to how OpenSAMM relates to BSIMM!

To listen to OWASP Podcast #14 you can download the mp3 file directly, subscribe to the RSS feed, or subscribe directly through iTunes!

Wednesday, March 18, 2009

OWASP Podcast #13 - Newscast for March 09

OWASP Podcast #13 - the OWASP newscast for March 2009 - is now live!

OWASP Podcast #13 features Andre Gironda, Jeff Williams and Arshan Dabirsiagh. The show is hosted by me, Jim Manico. Andre did all of the extensive copy-editing work.

To listen to OWASP Podcast #13 you can download the mp3 file directly, subscribe to the RSS feed, subscribe directly through iTunes, or listen right now!

We cover a very wide array of web app sec news topics. I hope you enjoy the show!



Wednesday, March 11, 2009

OWASP Podcast #12 - Interview with Ryan C. Barnett

Ryan Barnett talks about the OWASP ModSecurity Core Rule Set project and WAF technology in general. Ryan has such incredible experience in this space - this one is definitely a "must listen" for anyone who deals with web application security operations.

To listen to OWASP Podcast #11 you can download the mp3 file directly, subscribe to the RSS feed, or subscribe directly through iTunes!

Wednesday, March 4, 2009

Monday, March 2, 2009

HTTPOnly Supported in Tomcat 6.0.19+

Jeff caught it first, but the upcoming release of Tomcat 6.0.19 will include HTTPOnly session cookie support!

This upcoming feature will be disabled by default, so you will need to add the following setting to your context configuration to enable it:

<Context><Manager useHttpOnly="true" /></Context>

I first blogged about this topic on March 27, 2008 and submitted a patch to Apache a few days later, on March 30, 2008. It's great to know that this functionality will really exist in Tomcat 6.0.19 - which is the current "trunk" as of this posting - and be released - when it's released. =)
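Once the setting above is in place, the thing to verify is the Set-Cookie header the server actually emits. The following is an added example (not code from the original post or from the Tomcat project): a small Python check that parses Set-Cookie header values and reports any session cookie that lacks the HttpOnly attribute, which is exactly what the flag is meant to add. The cookie name JSESSIONID is Tomcat's default session cookie name; the sample header values are constructed for the example.

```python
import re
from typing import Dict, List, Union

# Tomcat's default session cookie name; extend this set if your container
# or framework uses a different name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Type of the parsed attribute map: bare attributes (HttpOnly, Secure) map to
# True, key=value attributes (Path=/app) map to their string value.
Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Attrs]]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are matched case-insensitively, since RFC 6265 treats
    'HttpOnly', 'httponly' and 'HTTPONLY' identically.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that is still script-readable.

    Only cookies in SESSION_COOKIE_NAMES are checked; application cookies
    that carry no session identifier are ignored.
    """
    findings: List[str] = []
    for header_value in headers:
        cookie = parse_set_cookie(header_value)
        if cookie["name"] not in SESSION_COOKIE_NAMES:
            continue
        if "httponly" not in cookie["attrs"]:
            findings.append(
                f"{cookie['name']}: missing HttpOnly "
                f"(session id readable via document.cookie)"
            )
    return findings


# Constructed sample Set-Cookie values: the first is what a Tomcat without
# useHttpOnly emits, the second what it emits once the flag is enabled.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "JSESSIONID=FEDCBA9876543210; Path=/app; HttpOnly",
    "theme=dark; Path=/",  # not a session cookie, ignored by the audit
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```

In practice you would feed this the Set-Cookie values captured from a real response (for example with curl -I against a page that creates a session) and expect an empty finding list after the change. Note that HttpOnly only keeps the session id away from script; it does not replace the Secure attribute or proper session management.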

To quote someone from the Apache crowd: "If you're interested in getting the next release out more quickly, perhaps you could volunteer to fix some bugs? " =)