security

Nudging Security

Noticed this on Reddit this morning. Google has open sourced one of their internal security testing tools called RatProxy.

Apparently it's a passive vulnerability scanner that works as a proxy, sitting between the browser and the site it inspects. I haven't played with it yet, but I'm not aware of many other passive scanners, so this warranted a mention, mainly so that I remember to play with it later myself.

Leading the Blind

Recently, I participated in a meeting with management and developers from another organization which, in many ways, is a direct competitor for part of our web offering. We reached the point where the discussion came down to the nuts and bolts of how things are done, and at one point the lead developer made the claim that their system had never had a break-in.

The thought of making a claim like this has crossed my mind once or twice. As far as I can see, none of my servers or my code has been broken into. I've never had to deal with recovering from a malicious attack, or hear from angry users who have had their credit information exposed to the public.

As far as I know...
