
Yes: The Web App Hacker's Handbook is a better resource for building a checklist of app security concerns for your application, and remains the best resource on generic appsec.



Had not seen this, thanks :).

EDIT: This is absolutely the book I was looking for the other day and didn't know existed, most of this stuff I'm familiar with but this looks like an excellent refresher.


The Tangled Web: A Guide to Securing Modern Web Applications is a good complement.


Definitely +1 on both of these. They're fantastic.


Fantastic! Thank you.


Thanks for the reference. That one is new to me, too.


You're kidding, right?


I don't really work on the application side of the web: I handed that part off to others while I did client-server plumbing and endpoints. Web is simply too much risk for high-assurance security.

Plus, a brain injury in an accident cost me most of my memory. I operate on fragments now while trying to reconnect stuff. I probably knew about the guide and forgot. Or I didn't but used something else. I usually remember a lot of INFOSEC stuff, but this one is a total blank. So, such resources are good for getting stuff back in my head.

Here's the last list I put up, when my memory was working better than ATM, that detailed what kinds of approaches I recommended or used (often in combination):

https://www.schneier.com/blog/archives/2014/04/the_security_...

I know I used a SPECTRE clone in the past for at least one legacy app. Did high-assurance HTTP to prevent defacing. Did an application server on microkernel similar to Barracuda's nice architecture to keep TCB minimal. Outside SPECTRE, it's what we all did in high-assurance though: certain things everyone seems to build. The rest and all details are a blank. Sorry...

Barracuda lightweight approach: https://realtimelogic.com/products/lua-server-pages/


Sorry to hear about your brain injury. If it's any consolation, I had no idea because your comments are consistently insightful and worth the time to stop and read.


I appreciate the feedback and thank you. They said people are usually zombie-like in such a situation. I've seen it. It's quite the battle to maintain or deliver day-to-day functions much less top normal minds in insight.

Nonetheless, I've been fighting for civil liberties and privacy a long time. Plus trying to do bulletproof systems. Even with gaps & lacking specialist skill, I'm closer now than ever to mapping & semi-synthesizing systems from high-level specs all the way to transistors with reliability, security, & recovery via dozens of techniques. Dedicated endpoint mostly solved, client-server too, Web is if you cheat (I did proxies), P2P still open-ended, and much more to do in decentralized. Plus my activity here and elsewhere of evangelizing strong methods & making sure old wisdom doesn't get lost. Got motivation & keep active so remaining synapses get reinforcement.

So, a little brain injury and Memento-style moments ain't enough to totally knock me out of the game. Just gotta get it back piece by piece & be more mentally efficient than before. Wirth-style ultra-simplification & Dijkstra abstraction pays off there. Anyway, NSA gonna shit their pants when I go commercial again. Short-term rather than long-term goal hopefully. ;)


_WAHH_ and _Tangled_ were the two books we gave every candidate who applied to Matasano. We hired lots of people who had never heard of those books before. There seemed to be no correlation between previous conversance with the book and technical ability.


I wasn't saying there was. Or at least, that wasn't what I was trying to say.

I hadn't read that book until the middle of last year, and I didn't learn anything new from it because I taught myself all those concepts over the years. It was, nonetheless, a good read. So, I wouldn't make that claim to begin with.

I just thought nickpsecurity had seen your reading list before is all. I see you two commenting on the same threads all the time.


It was a good guess. I still have one or two of his bookmarked. I haven't been on HN or following his posts long, though. Then there's the memory angle. So, not this time.



