Can you patent thoughts? (by Michael Crichton)

Story Writer — my brother’s blog.

Blogging in ink… NOT

Why NOT to blog in ink

I enjoy my Tablet PC just as much as the next Tablet fan, but blogging completely in ink is taking it a bit far. No offence, Sumocat, the idea is cute, but has a number of flaws:

  • No Googlejuice! Search engines can’t index ink (yet). How do you expect to get traffic going to your site if it doesn’t get crawled and indexed? About the only traffic you will get is from referrers and people that remember your URL.
  • No hypertext! Unless you painfully make imagemaps, the ink posts don’t have links. They’re just a blob of text/ink all by themselves, which just seems incongruous on the Web.
  • Slower reading. It’s much harder to scan and speed-read ink, compared to regular text.

I much prefer blogging where ink enhances regular text in some way — say with a picture that has an ink annotation in it, or a quick doodle or cartoon.

Rationale Document — GPLv3

Where to file your income tax returns for free

Learning from the Web, by Adam Bosworth.

Links — a programming language for the web.

Philip Wadler’s blog.

EECS open courseware from MIT.

How to get a human on the line. This cheat sheet is awesome and it delivers. The question is — why should we even need it?

A textbook on software engineering for the web, by Phil Greenspun

Programming in the trenches in Wall Street.

Startup news.

Startup school presentations.

Emerging Trends in Information and Computer Security - Jan 22, 2006.

Everyone should think like a computer scientist.

Research on Web Application Security

This is my list of research in web application security. It is incomplete and ever-growing. Send me mail if you think something should be added here.

Web Application Security Research

| Paper | Authors | Language/platform | Links |
|---|---|---|---|
| Finding Security Vulnerabilities in Java Applications with Static Analysis, USENIX Security 2005. | Benjamin Livshits and Monica S. Lam | Java Virtual Machine | |
| Finding Application Errors and Security Flaws Using PQL: a Program Query Language, OOPSLA 2005. | Michael Martin, Benjamin Livshits, and Monica S. Lam | Java Virtual Machine | |
| WebSSARI — Web application Security via Static Analysis and Runtime Inspection | Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo | PHP | WWW ’04 paper |
| AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, ASE 2005. | W. Halfond and A. Orso | Java Virtual Machine | |
| The Essence of Command Injection Attacks in Web Applications, POPL 2006. | Zhendong Su and Gary Wassermann | Language agnostic, but evaluated with JSP and PHP. | |
| Static analysis of role-based access control in J2EE applications, TAVWEB 2004 | Gleb Naumovich and Paolina Centonze | Java Virtual Machine | |
| Automatically Hardening Web Applications using Precise Tainting. | Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Green, Jeffrey Shirley, David Evans. | PHP | |
| How safe is it out there? | Moran Surf and Amichai Shulman. | Study of web app security | |
| OWASP Top Ten Vulnerabilities in Web Applications | Open Web Application Security Project | | |
| Java String Analyzer | Aske Simon Christensen, Anders Møller and Michael I. Schwartzbach | | SAS ’03 paper |
| Static Detection of Security Vulnerabilities in Scripting Languages | Yichen Xie and Alex Aiken | PHP | |
| A Learning-Based Approach to the Detection of SQL Attacks | F. Valeur, D. Mutz, and G. Vigna. | Language-agnostic — works at DB level. | In Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005. |
| Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks | W. Robertson, G. Vigna, C. Kruegel, R. Kemmerer. | Language-agnostic — works at DB level. | In the Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS) |
| Defending against Injection Attacks through Context-Sensitive String Evaluation | Tadeusz Pietraszek, Chris Vanden Berghe | At the VM level (PHP and JVM) | Project webpage |
| Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. | James Newsome and Dawn Song. | x86 ISA | In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS ’05), February 2005. |
| Taint Propagation for Java, ACSAC 2005. | Vivek Haldar, Deepak Chandra and Michael Franz | Java Virtual Machine | Slides of talk |

Demo of our taint propagation scheme.

Open Source Web Applications with Source Code in ASP, JSP, PHP, Perl, ColdFusion, ASP.NET / C#

Take a regular app, make it a web app. Interesting…

Stefan Bechtold looks at Trusted Computing from a policy perspective.

Let’s see some ID, please. Trusted Computing in the mainstream press.

Lucky Green’s DEFCON X talk on Trusted Computing. (site seems to be down?)

Ross Anderson’s Trusted Computing FAQ.

Interesting blog that covers technical aspects of Trusted Computing.

DSN DCCS - notification Feb 28

Symantec Internet Security Threat Report

Security Statistics

Smalltalk blog

Trusted Computing Group Home

Symposium on Trustworthy Global Computing - submission deadline: Jan 24, 2005