Dr. Ullrich examines why critical web application security flaws remain so common even though most web developers know about them and do consider them when writing new applications. He sees five common mistakes: inconsistent input validation, not understanding the technology, not understanding the business, underestimating the threat, and underestimating the user.
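The first of those five mistakes, inconsistent input validation, is easy to show in code. The following is an added example, not from the page or from Dr. Ullrich's article: a constructed user-lookup feature with two entry points (a form handler and a JSON API handler added later). In the "before" version the form handler validates the username and the API handler does not, and both build SQL by string formatting; in the "after" version both handlers call one function that validates once at the data boundary and uses a parameterized query. The table, the username pattern and the handler names are assumptions for the example.

```python
"""Inconsistent input validation beside the fix: validate once, query once.

Constructed example (not from the original page). An in-memory SQLite
table stands in for the application database.
"""
import re
import sqlite3

# Assumed username policy for this example: 1-32 chars of a safe set.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Build a throwaway database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# ---- before: the check lives in one handler, and the query is string-built ----

def form_lookup_before(conn, username):
    """Form handler: validates, but still formats the value into SQL."""
    if not USERNAME_RE.match(username):
        raise ValueError("bad username")
    return conn.execute(
        "SELECT email FROM users WHERE name = '%s'" % username
    ).fetchall()


def api_lookup_before(conn, username):
    """API handler added later: the validation step was never copied here,
    so the string-built query is injectable from this entry point."""
    return conn.execute(
        "SELECT email FROM users WHERE name = '%s'" % username
    ).fetchall()


# ---- after: one validator at the data boundary, parameterized query ----

def validate_username(username):
    """Single place where the username policy is enforced."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("bad username")
    return username


def lookup_email(conn, username):
    """Every caller goes through this function, so no entry point can
    skip validation, and the parameter never touches the SQL text."""
    username = validate_username(username)
    return conn.execute(
        "SELECT email FROM users WHERE name = ?", (username,)
    ).fetchall()


def form_lookup_after(conn, username):
    return lookup_email(conn, username)


def api_lookup_after(conn, username):
    return lookup_email(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("API before:", api_lookup_before(db, payload))   # leaks every row
    try:
        api_lookup_after(db, payload)
    except ValueError as exc:
        print("API after:", exc)                             # rejected
```

The point is structural rather than about any one pattern: when validation is attached to handlers, every new handler is a chance to forget it, so the check belongs on the path that every caller must take.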
There are two free, powerful and effective tools designed with the sole purpose of helping you secure your computer from software vulnerabilities. Microsoft's scanner does a good job of checking your system, but it does not evaluate whether third-party software such as RealAudio or Adobe Acrobat Reader is up to date; Secunia's scanner does exactly that.
Amrit Williams, Chief Technology Officer at BigFix, was formerly a research director in the Information Security and Risk Research Practice at Gartner, Inc. He is certainly a security thought leader, and if you have not been introduced to him before, we are sure you will find he has some interesting out-of-the-box opinions.
Though it is certainly true that malware has evolved a lot in this decade, the tools in use today are more similar to the attacker tools of ten years ago than different from them. The command and control is better and they are better able to evade detection, but they are still very similar. Here we take a look at hybrid threats: in the early days of malware it was fairly easy to classify a sample as a virus, worm, or Trojan, but these days many attacks combine features of all three.
Andrew Hay, one of the authors of the popular OSSEC Host-Based Intrusion Detection Guide and upcoming Nagios 3 Enterprise Network Monitoring book has agreed to be interviewed for the SANS Security Thought Leader series.
We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises about what they look for in a candidate for an architecture position.
Our story begins in 2002, with a post on Interesting People asserting that Comcast was spying on its users. Then, in January 2007, a couple on their honeymoon in Maui was checking email from their hotel and noticed something odd...
The Security Laboratory is pleased to interview Dr. Gene Schultz, one of the most experienced security practitioners in the field.
Craig Wright certainly qualifies as a security hero! He has written articles and books on security and has nearly every SANS and GIAC certificate available (including Platinum). He is a GIAC Technical Director, a jack-of-all-trades and master of a few.
Tomasz Kojm is the original author of ClamAV, an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.
Bill Johnson, CEO of TDI, was the first person in the industry, as far as I am aware, to sound the clarion call that we might be vulnerable to attacks via the Baseboard Management Controller (BMC). That certainly qualifies him as a security thought leader, and we thank him for his time.
With the Security Thought Leader project Stephen hopes to introduce you to some really great men and women. A security thought leader can be defined by certain criteria: a person who is recognized by their peers as a thought leader, who passes their information on to help others, who has innovative ideas, and who shares ideas as actionable distilled insights.
Peter Giannoulis certainly qualifies as a security hero! He has written articles for SC & Information Security Magazine, has been a real workhorse for SANS and GIAC, and now, as you will see, he is working on his own signature approach to sharing security information. He is a truly busy guy, a contributor to the SANS Security Laboratory
Gene Kim is one of the original authors of Tripwire, a software product used to manage configurations and change. Gene is willing to share his thoughts on virtualization with the Security Laboratory thought leadership series, and we certainly thank him for his time!
Imperva and a few other vendors are starting to understand the importance of database security and to release products, but Kevin Kenan, Managing Director of K2 Digital Defense, picked up on this long ago.
Perhaps one of the hottest topics in 2008 is log file analysis (who would have guessed). And while the commercial tools are getting a lot of the press, a tool available in both open source and commercial editions is ending up on a lot of systems. It is called Snare, and Leigh Purdie is the thought leader behind the project. He has been willing to invest the time for a thought leadership interview with the Security Laboratory.
This is a follow-on to our discussion of how the new SANS course, Security 560: Network Penetration Testing and Ethical Hacking, differs from other courses that, at first glance, appear to have the same objectives. This new course addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called Security 504: Hacker Techniques, Exploits, and Incident Handling. Perhaps you are convinced you need one or the other course because of your duties in incident handling or penetration testing; how do you make an effective business case for purchasing the training?
Sometimes the discussion list for the GIAC Advisory Board (an honor reserved for students who score 90 or higher on their exams) gets pretty lively. We thought you might be interested in this discussion, since the subject will probably come up again and again and again. It all started with the observation: "What I noticed was GPEN and GCIH [GPEN and GCIH are the names for the GIAC certifications for two courses taught at SANS] have the same course content and syllabus. Then why do we have 2 different course names with the same content?"
I keep thinking about the news reports that Chinese hackers managed to exfiltrate six terabytes of sensitive data from a large number of systems belonging to the Department of Homeland Security in November 2007. It seems like that would be impossible to do without being detected. But, I have to wonder, since the famous Richard Stiennon paper, Intrusion Detection is Dead, organizations have been replacing IDS with IPS, and maybe, just maybe, they think the devices do their job in some kind of "fire and forget" mode. Sourcefire was kind enough to allow me to interview Snort creator and Sourcefire CEO Marty Roesch on this topic.
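One reason a large transfer could go unnoticed is that a signature-based sensor, whether deployed as IDS or IPS, alerts on what the traffic looks like, not on how much of it leaves. The following is an added example, not from the page or from the interview: a volume check over constructed flow records that totals outbound bytes per internal host to external destinations and flags any host exceeding an absolute threshold or a multiple of its peers' median. The internal address range, the flow tuple layout, the threshold and the ratio are all assumptions for the example.

```python
"""Egress-volume check over flow records, as a complement to signature IDS/IPS.

Constructed example (not from the original page). Flow records are
(src_ip, dst_ip, bytes_out) tuples such as a NetFlow/IPFIX collector might
export; the values here are made up.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption for the example: the internal network is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

MB = 1024 * 1024

# Constructed flows: one host pushes 150 MB outbound in three chunks while
# its peers send only a few KB; its 400 MB internal copy must not count.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 50 * MB),
    ("10.0.0.5", "203.0.113.7", 50 * MB),
    ("10.0.0.5", "203.0.113.7", 50 * MB),
    ("10.0.0.5", "10.0.0.9", 400 * MB),       # internal-to-internal, not egress
    ("10.0.0.8", "198.51.100.2", 120 * 1024),
    ("10.0.0.9", "198.51.100.2", 80 * 1024),
    ("10.0.0.10", "198.51.100.3", 64 * 1024),
]


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_bytes_per_host(flows):
    """Total bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil(flows, threshold_bytes, ratio=20.0):
    """Return (host, bytes) pairs, largest first, for hosts whose egress is at
    least threshold_bytes or at least `ratio` times the median of all hosts.

    The absolute threshold catches a single large transfer; the ratio catches a
    host that is merely out of line with its peers on a quiet segment.
    """
    totals = egress_bytes_per_host(flows)
    if not totals:
        return []
    peer_median = median(totals.values())
    flagged = [
        (host, total)
        for host, total in totals.items()
        if total >= threshold_bytes
        or (peer_median > 0 and total >= ratio * peer_median)
    ]
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, total in flag_exfil(SAMPLE_FLOWS, threshold_bytes=100 * MB):
        print("egress alert: %s sent %.1f MB to external hosts" % (host, total / MB))
```

Run over a day's flows this is a crude detector, but it answers the question the passage raises: a sensor that only inspects packets in line has no notion of "six terabytes left the building", while a per-host egress total does.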
Several authors join Stephen Northcutt to examine the special considerations for separation of duties in organizations of every kind with regard to their information technology.