Accounting for Security in Website Projects

Many know very little about me, my past, or what I used to do; most just know me for my time in security. There was a time, though, that I spent as a Project / Program Manager for a couple of different organizations. I even dabbled in a WordPress-centric design / development shop called CubicTwo in early 2010.

The scale of the projects and programs I was involved in ranged from $50,000 to over $6,000,000 (multiple at any given time) and varied in complexity (these weren’t simple websites; they were enterprise-level systems). While different in size and scale, they did hold similarities to what most website projects today look like, just at a very different level. I fortunately had the luxury that my stakeholders didn’t require any education on the importance of security; because they were municipalities or government entities, the security discussion was a lot easier.

This, however, is not the case for everyday website projects, and it is worth taking some time to discuss.

What’s wrong with your pa$$w0rd? – Lorrie Faith Cranor

The discussion on access control seems to be commonplace these days with the latest revelations in the news. I found this video on some research Lorrie is doing on the subject very interesting and insightful. …

Importance of Updates in Website Security – WordPress, Joomla, Drupal and CMS’s


In my recent post on the dilemma that is WordPress security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject: yes, updates are very important. My previous statements are …

The Dilemma that is WordPress Security

Over the past few weeks WordPress security has come to the forefront of the discussion again, as it often does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions …

Explaining XSS and CSRF By Google

I came across this video earlier today and found it very informative; it explains the difference between XSS and CSRF (XSRF). I find that most people rarely understand or differentiate between the two, so hopefully this video helps. It's laid out in a …

Secure Your Traffic on Public WiFi

Often when I give talks on website security, one of the various discussion points, and rightfully so, is your individual posture when interacting on the web. This often means being aware of things like transferring your data insecurely over the …

Sucuri Is Hiring!!

Please pass this on to your contacts: my company, Sucuri, is actively hiring. If you think you'd make a good fit, please let us know. …

WordPress Security – Learning From Hacks

This evening I will be giving a presentation at WordSesh at midnight PST (0800 UTC). Here is the presentation I plan to give. When the video is published I will share it as well. The goal of this presentation is to learn from hacks as …

Forensics – Analyzing a WordPress Attack / Hack

Recently one of our honeypots was hit by an attacker, and in the process we were able to gather a bunch of good intelligence on the actions the attacker took. I detail the forensics of the attack in my latest post, Case Study: Analyzing a …

Analysis of Top 1 Million Domains

Over at Sucuri, our researchers have been having fun downloading the internet, and in the process they found some interesting data. Enjoy. Also be sure to check out the blog post on the subject. …