So, the kids are out of school and it’s time to start putting together the list of companies that I’ll be consulting for this summer. With a full time job, I have to be careful to only choose companies that allow testing after business hours, remote work, etc. If the trend continues (from last summer), network pen-tests and straight application pen-tests (blackbox) will be eclipsed by a more ‘hybrid’ approach (application pen-testing with access to the source). Of course, the big ‘hitter’ will be .NET applications. Java will be a remote (remote, remote) second. If there is a 3rd place finisher, I’ve yet to see them (PHP, RoR?). As usual, I’m most interested in finding (or creating) automation that does 80% of the work for me. As I mentioned in a previous post, the tools which do this sort of auditing seem to be catching up with the demand.

Speaking of tools … Ounce Labs is holding a two-day training course for source code auditors. The second day of training includes auditing open source projects and finding 0-dayz. How cool is that?!? OWASP is also investing time (and money) on source code auditing. It was also very nice to see SWAAT (*WITH* source code!!!!!) donated to the OWASP project. The next year will, imo, be critical for source code auditing companies.

Peace,

!Dmitry

dmitry.chan@gmail.com