March 2nd, 2010
Let’s face it. There are a lot of broken web apps and other software out there, and their vulnerabilities often open up major security holes. You don’t want to be the guy/girl responsible for the next major security breach just because you forgot to sanitize some input, or to check that your sessions were secure.
I would love to provide you a great tutorial on how to avoid many of the hardships that developers face, especially in security these days, but I don’t think I could do it better than the people over at the OWASP WebGoat project. It’s a web application that purposefully has many vulnerabilities right out in the open. The site is laid out as exercises for you to complete. It offers hints, and even a full solution for when you get stuck. It even tracks your progress through a report-card-like page showing how many times you’ve attempted an exercise, how many times you got help, and whether or not it was completed. You can grab WebGoat from OWASP.org directly and install it on your own Tomcat server, or grab it in a fully enclosed environment through Dojo or the OWASP Broken Web Apps VM. I’d highly recommend either one. The VMs provide much more on top of WebGoat, but the way the WebGoat site is laid out and structured gives a very good tutorial-based approach to learning what not to do, or at least what to avoid in your own applications.
Posted in Tutorial Tuesday by Tim Donaworth | 2 Comments »
March 1st, 2010
Today, in advance of the 2010 RSA Conference, I had the benefit of attending the 10th CSO Council Bay Area Round Table: The Last Mile: The End of Paper. It was an interesting exercise: a mock trial (moderated by two judges) involving three wills signed with three different technologies: an ink signature, a closed-system electronic signature, and a digital signature.
You would think this would be an easily decided scenario; the digital signature is the superior and more trustworthy technology, right? Well, not when you change the rules a bit. Basically, they made the strength of the process the inverse of the strength of the technology. Here are the key points from today’s trial, and I’d like your suggestions on which one you’d pick.
- Will 1: Ink signature: signed a long time ago, and seems to be in order, but there are no surviving attesters to the signature. Gives the entire estate to his wife and, if she predeceases him, to his son. As of today, the wife did predecease him, and his son has become estranged, will 2 being part of the reason.
- Will 2: Electronic signature: the signature is just a hash of the user name and the document being signed. Gives 1/2 of the estate to Stanford University and the other 1/2 to his son. The signature was not attested to by any other individuals. There are no security controls over the log files and no way to prevent modification. However, everything seems to be in order with the signature.
- Will 3: Digital signature: the signature uses the internal PKI of a legal firm, which stores private keys on USB memory sticks (not cryptographic devices). A paralegal of the firm who helped create the PKI process is the sole beneficiary. The signature was counter-signed by two other individuals. The paralegal (“Bubbles”) administers the PKI system and theoretically could have recreated signatures or digital IDs.
So, if you had to vote for one of these as a juror, which one would you choose? Personally? I think all three are terrible, and I fear the entire estate may need to go to probate. Let us know what you would choose as a juror in the comments.
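To make concrete why the Will 2 scheme (a bare hash of user name plus document) proves nothing about who approved the text, here is an added demonstration that is not from the round table or the original post: the unkeyed hash verifies fine after anyone with write access edits the will and recomputes it, whereas a keyed check fails without the key. HMAC from the standard library stands in for the keyed primitive; a real digital signature would use an asymmetric private key, which is what gives non-repudiation. The will text and user name are constructed sample data.

```python
import hashlib
import hmac
import secrets


def weak_sign(user: str, document: bytes) -> str:
    """Will 2 style 'signature': hash(user name || document). No secret involved."""
    return hashlib.sha256(user.encode() + b"\x00" + document).hexdigest()


def weak_verify(user: str, document: bytes, signature: str) -> bool:
    return hmac.compare_digest(weak_sign(user, document), signature)


def keyed_sign(key: bytes, user: str, document: bytes) -> str:
    """Contrast: HMAC-SHA256. Only a holder of `key` can produce a valid tag.
    (Stand-in for an asymmetric signature, which additionally gives non-repudiation.)"""
    return hmac.new(key, user.encode() + b"\x00" + document, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, user: str, document: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_sign(key, user, document), tag)


# Constructed sample: the testator signs, then the stored text is altered by someone
# with write access to the files (the post notes there are no controls over the logs).
TESTATOR = "testator"
ORIGINAL = b"I leave 1/2 of my estate to Stanford University and 1/2 to my son."
ALTERED = b"I leave 1/2 of my estate to Stanford University and 1/2 to my nephew."


def demo() -> dict:
    weak_sig = weak_sign(TESTATOR, ORIGINAL)
    recomputed = weak_sign(TESTATOR, ALTERED)  # anyone can do this: no key needed
    key = secrets.token_bytes(32)              # held by the signer only
    tag = keyed_sign(key, TESTATOR, ORIGINAL)
    wrong_key_tag = keyed_sign(secrets.token_bytes(32), TESTATOR, ALTERED)
    return {
        "weak_original_ok": weak_verify(TESTATOR, ORIGINAL, weak_sig),
        "weak_altered_detected_if_hash_kept": not weak_verify(TESTATOR, ALTERED, weak_sig),
        "weak_altered_passes_after_recompute": weak_verify(TESTATOR, ALTERED, recomputed),
        "keyed_original_ok": keyed_verify(key, TESTATOR, ORIGINAL, tag),
        "keyed_altered_detected": not keyed_verify(key, TESTATOR, ALTERED, tag),
        "keyed_wrong_key_rejected": not keyed_verify(key, TESTATOR, ALTERED, wrong_key_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The telling line is `weak_altered_passes_after_recompute`: a hash with no secret is an integrity checksum, not evidence of the testator's intent.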
Posted in regulations by Peter Hesse | 1 Comment »