
  That “JavaScript not available” case

During some interesting discussions on Twitter yesterday I found that there is now more confusion than ever about JavaScript dependence in web applications and web sites. This is a never-ending story, but it seems to me to flare up every time our browsing technology leaps forward. I encountered this for the first time back in the days of DHTML. We pushed browsers to their limits with our lovely animated menus and 3D logos (something we of course learned not to do again, right?) and we were grumpy when people told us that there are environments out there where JavaScript isn't available...

2,414 0       SECURITY JAVASCRIPT REASON BANNED


  How does CSDN dare to use plain text as password?

Recently, China's largest IT community website, CSDN, leaked its users' account information. Later today CSDN made an announcement to its users on their website. The announcement said that some user account information was leaked and that the passwords of the accounts were stored as plain text in their database before 2009; after 2009 they adopted an encryption algorithm to encrypt user passwords. They urged all users who registered an account before 2009 to change their password immediately. After reading this news, I was shocked. How come an IT website stores passwords in pl...

6,627 0       SECURITY INFORMATION LEAK CSDN PLAIN TEXT


  Bad code plagues business applications, especially Java ones

A new study examining 365 million lines of code in 745 applications identifies bad coding practices that affect security, performance and uptime, with Java Enterprise Edition applications having the greatest number of problems. Cast Software, which makes tools that automate the analysis of business applications, examined programs written in Java-EE, .NET, ABAP, C, C++, Cobol, Oracle Forms, and Visual Basic, used across a wide range of industries from energy and financial services to IT consulting, insurance, government, retail, telecom, and more. Java-EE applications were the most prevalent in...

3,314 0       PROGRAM SECURITY DEFECTS JAVA


  Three Simple Ways to Improve the Security of Your Web App

It seems like web app security has entered the public consciousness recently, probably as a result of the press covering the activities of groups like Anonymous and incidents like security breaches at several CAs. Here are a couple of quick security tips to improve the security of your web apps. Think of these as low-hanging fruit, not as a substitute for thorough analysis of your app's security. If there's interest in this topic we can do more posts, too - let us know in the comments! Prologue: SSL. Your app already forces all traffic over SSL, right? If it doesn't, it should. T...

3,429 0       SECURITY SSL WEB APP X-FRAME-OPTIONS
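The two low-hanging items the teaser and its tags name, forcing every request onto SSL/TLS and setting X-Frame-Options, as an added example that is not the original post's code: a small response planner that redirects plain-HTTP GETs to the https URL, refuses a plain-HTTP POST instead of redirecting it (the body has already crossed the wire in the clear, and a redirect would only drop or replay it), and stamps the framing header on every secure response. The request shape, the `trustProxy` option for a TLS-terminating proxy that sets `X-Forwarded-Proto`, and the sample requests are this example's assumptions.

```javascript
// Added example (not from the original post): force HTTPS and set
// X-Frame-Options. Request objects and the proxy option are assumed here.

const SECURITY_HEADERS = {
  // Refuse to be rendered inside a frame on any other origin.
  "X-Frame-Options": "SAMEORIGIN",
};

// True when the request arrived over TLS, either directly or, if the operator
// opted in with trustProxy, via a TLS-terminating proxy that sets
// X-Forwarded-Proto. The header is never trusted by default: any client can
// send it, and honouring it from an untrusted hop would defeat the redirect.
function isSecure(req, { trustProxy = false } = {}) {
  if (req.protocol === "https") return true;
  if (!trustProxy) return false;
  const forwarded = req.headers["x-forwarded-proto"] || "";
  return forwarded.split(",")[0].trim().toLowerCase() === "https";
}

// Returns { status, headers } describing what the app should send.
function planResponse(req, opts = {}) {
  if (!isSecure(req, opts)) {
    if (req.method === "GET" || req.method === "HEAD") {
      return {
        status: 301,
        headers: { Location: `https://${req.headers.host}${req.url}` },
      };
    }
    // Plain-HTTP POST/PUT/etc.: the body has already leaked; do not redirect.
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: { ...SECURITY_HEADERS } };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { method: "GET",  protocol: "http",  url: "/login", headers: { host: "app.example" } },
  { method: "GET",  protocol: "https", url: "/login", headers: { host: "app.example" } },
  { method: "GET",  protocol: "http",  url: "/",
    headers: { host: "app.example", "x-forwarded-proto": "https" } },
  { method: "POST", protocol: "http",  url: "/login", headers: { host: "app.example" } },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.method, req.protocol, req.url, "->",
    JSON.stringify(planResponse(req, { trustProxy: true })));
}
```

Whether `trustProxy` may be turned on depends on the deployment: it is only safe when the app is reachable solely through the proxy that strips or overwrites the incoming `X-Forwarded-Proto` header.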


  FUCK PASSWORDS

I'm so tired of passwords. So, so, so tired. Most people don't understand this. Most people use the same password everywhere. Most people can just mechanically type out password3 in every password box, smirking to themselves at how clever they are, because who would ever guess 3 instead of 1? I don't do that. Let me tell you what I do. I generate a different password for every service, based on a convoluted master password and the name of the thing. I do this because it's what you're supposed to do; it's what security nerds (including myself for the purposes of this post) tell everyone e...

4,839 0       SECURITY PASSWORD RANDOM GENERATION HARD TO REMEMBER


  Why isn't all internet traffic encrypted?

The biggest problem is that you must be able to verify that you're encrypting to the correct key. Without it, encryption would be practically useless, as anyone could perform a man-in-the-middle attack on the connection and remain undetected. In typical SSL/TLS, as well as other protocols using X.509, this verification is performed by "certification authorities", which are explicitly marked as "trusted" by web browsers and operating systems. Unfortunately, these CAs usually charge a decent amount of money even for the simplest, automated checks. They also get hacked...

2,634 0       SECURITY INTERNET TRAFFIC ENCRYPTION DECRYPTION


  JavaScript Attack/Defend

As developers and designers we work hard to build visually attractive, fast and easy to maintain applications. Our goals are to make sure the applications we build stick to users and keep them coming back for more. Security is not always at the forefront of our minds. No one intentionally builds insecure software but often a lack of security knowledge leads developers to build vulnerabilities into their applications. In this article we are going to examine two web security attacks, how they are executed and how to defend against them. By the end of this article you will have a few techniques i...

3,968 0       SECURITY JAVASCRIPT ATTACK DEFEND CROSS SITE


  PHP Security

1. Introduction. Writing PHP applications is pretty easy. Most people grasp the syntax rather quickly and will within a short time be able to produce a script that works using tutorials, references, books, and help forums like the one we have here at PHP Freaks. The problem is that most people forget one of the most important aspects that one must consider when writing PHP applications. Many beginners forget the security aspect of PHP. Generally, your users are nice people; they will do as they are told and you will have no problem with these people whatsoever. However, some people...

30,512 0       PHP SECURITY SQL INJECTION XSS CROSS SIT