
 SECURITY


  Three Simple Ways to Improve the Security of Your Web App

It seems like web app security has entered the public consciousness recently, probably as a result of the press covering the activities of groups like Anonymous and incidents like security breaches at several CAs. Here are a couple of quick security tips to improve the security of your web apps. Think of these as low-hanging fruit, not as a substitute for thorough analysis of your app’s security. If there’s interest in this topic we can do more posts, too - let us know in the comments! Prologue: SSL. Your app already forces all traffic over SSL, right? If it doesn’t, it should. T...

3,466 0       SECURITY SSL WEB APP X-FRAME-OPTIONS


  Bad code plagues business applications, especially Java ones

A new study examining 365 million lines of code in 745 applications identifies bad coding practices that affect security, performance and uptime, with Java Enterprise Edition applications having the greatest number of problems. Cast Software, which makes tools that automate the analysis of business applications, examined programs written in Java-EE, .NET, ABAP, C, C++, Cobol, Oracle Forms, and Visual Basic, used across a wide range of industries from energy and financial services to IT consulting, insurance, government, retail, telecom, and more. Java-EE applications were the most prevalent in...

3,336 0       JAVA PROGRAM SECURITY DEFECTS


  SameSite attribute in cookie

Starting from Chrome 51, a new attribute, SameSite, has been introduced for browser cookies. This attribute is meant to prevent CSRF attacks. A cookie is normally used to store data exchanged between client and server. It frequently stores user login information. If a malicious website can forge an HTTP request with the valid third party website cookie, it may be called a CSRF attack. For example, if a user logs in to a bank website your-bank.com, the bank server responds with a cookie: Set-Cookie:id=a3fWa; Later the user somehow visits malicious.com and there is a form on the website. <form action="your-bank...

3,309 0       COOKIE JAVASCRIPT SAMESITE CHROME CSRF


  Should All Web Traffic Be Encrypted?

The prevalence of free, open WiFi has made it rather easy for a WiFi eavesdropper to steal your identity cookie for the websites you visit while you're connected to that WiFi access point. This is something I talked about in Breaking the Web's Cookie Jar. It's difficult to fix without making major changes to the web's infrastructure. In the year since I wrote that, a number of major websites have "solved" the WiFi eavesdropping problem by either making encrypted HTTPS web traffic an account option or mandatory for all logged in users. For example, I just noticed that Twitter, transparently to me...

3,186 0       SECURITY WEB TRAFFIC HTTPS.ENCRYPTION WIFI


  Is Shared Hosting Secure?

Shared hosting is incredibly popular with users who are looking for the cheapest hosting available – the problem is that along with the low price you get poor performance and even more concerning – questionable security. When running on a shared host, dozens if not hundreds of other sites are running on the same servers – this means any single security flaw in any of those applications can compromise the entire server. This dramatically increases the odds of your server being compromised. Because shared hosting is inherently insecure, Microsoft has built in fe...

3,085 0       SECURITY SHARED HOSTING VIRTUAL HOST DATA SECURITY


  A completely new approach to surveillance - should you be worried?

Paranoia is not necessarily a bad thing - assuming someone is really out there to get you. True or not, the paranoid have had issues they need to control explode as the internet developed; they also got specific tools to make their secrets (or their life, not everybody has a dark secret) more secure and under control. Unfortunately for them, and to the amazement of science and science fiction fans worldwide, a new way of obtaining secrets has appeared and it’s something very few expected. The result of the combined brainpower of Adobe, Microsoft and MIT researchers is the visual microphon...

3,084 0       SECURITY


  bcrypt: Safeguarding Passwords with Strong Hashing and Adaptive Security

Introduction: In today's digital world, passwords play a crucial role in protecting personal privacy and information security. Passwords are the most commonly used means of authentication because they are simple yet effective. Password security is the cornerstone of cybersecurity and plays a fundamental role in safeguarding the information security of individuals and organizations. However, with the increasing frequency and complexity of cyberattacks, traditional password hashing algorithms like MD5 and the SHA series have proven to be inadequate against modern security threats. Therefore, using str...

3,039 0       BCRYPT SECURITY


  Microsoft’s “Picture Password”: A Breath Of Fresh Air On The Lock Screen, Of All Places

Remember that feeling you got back when Steve Jobs was unveiling the iPhone, and he did the “slide to unlock” gesture for the first time? I remember the way he said it – “You like that? Want to see it again?” Since then I haven’t seen a lock screen interface that has made me feel that same “how obvious, how elegant!” feeling – until today at the NVIDIA press conference, and later at the Microsoft keynote here at CES. It sounds a little silly, sure, making such a big deal of such a small feature, but it’s just nice to see a genuinely na...

2,915 0       MICROSOFT WINDOWS 8 PICTURE PASSWORD CES