PHP cryptography - proceed with care

A couple of case studies from the PHP world demonstrating how important it is that application framework authors provide a carefully designed cryptography interface to programmers. Otherwise it is almost certain that it will be implemented incorrectly.

Web.config rules for Yasca

Combined rules from two open-source tools for static application security testing — WCSA and Yasca.

Michał Tabor: Comment on the analysis


Michał Tabor shared with me his comments on the previously published Analysis of the state of preparations for the introduction of new identity cards.

Python XML RPC over HTTP proxy


The XML-RPC over HTTP proxy example given in the Python documentation doesn't really work, so I've written a fixed XML-RPC transport for xmlrpclib that seems to work.

Python module for flexible SSL HTTP server handling


This module allows flexible handling of the SSL certificate presented by a server. Unlike the standard ssl module in Python, it handles HTTP proxies and invalid certificates.

European personal data regexp patterns

I've spent some time browsing through publicly available sources to find out which identification numbers are used across Europe, especially those that can be treated as "personal data". The numbers listed below include the national identification, tax, health, social security and bank codes that I was able to identify.

Testing X-Content-Security-Policy

If you wondered how X-Content-Security-Policy works in real life, here's an example.

Trusted timestamping example in Python


Here's a simple example of how to request a trusted timestamp from a certificate authority using TSP (Time-Stamp Protocol). It's really simple if the server lets you use a plain HTTP interface instead of the full TSP interface.

ISACA now officially in Katowice


The ISACA chapter in Katowice has now been officially entered on the list of the organization's international chapters.

Building a cost-benefit model for application security testing

Is it possible to speak about application security testing in economic terms? My intuition and practice suggested that it is not only possible but necessary for security testing to really make sense.

Practical security of RSA keys over Internet

A very important research paper has just been published on eprint — a wide analysis of the practical security of RSA keys found in the wild. It shows that implementation and usage issues resulting in weak keys are much more widespread than previously expected.

OWASP Kraków - 18 Jan 2012


OWASP Poland meeting in Krakow on 18 Jan 2012, 18:00-20:00, at Technology Park (Czyżyny), Al. Jana Pawła II 41 L, Krakow, Poland. More information as usual at

Decision trees and expected value of perfect information (EVPI) calculations with MS Excel

Here is a collection of Excel spreadsheets I have been using while studying decision trees and value of information concepts.

OWASP Warsaw - 15 December


OWASP Poland meeting in Warsaw on 15 Dec 2011, 18:00-20:00, at Ernst & Young, Rondo ONZ 1, Warszawa, Room 14-40 (floor 14). More information as usual at