Daniel Szpisjak
Security for Software Engineers
Solid security knowledge among developers is scarce these days, simply because it is not as spectacular and sexy as a new framework or a cool new tech. Nevertheless, it is real and will not go away anytime soon. Your best bet is to start learning about it right now. It will make you more valuable to your team and your organization. Do not think of this as a massive upfront investment; it is not.
Daniel Szpisjak
Session management
Session management is an integral part of today’s web applications. You receive limited support from the HTTP protocol and have to handle most of this yourself. No wonder session management vulnerabilities consistently make it to the top 3 of the “OWASP Top 10” list. This post aims to introduce you to the model of session management. Disclaimer: this post only covers the basics. The security of session management relies mostly on the IAAA (Identification, Authentication, Authorization, Auditing) model, which builds on session management.
Daniel Szpisjak
360 view of XSS from the trenches
When a software developer first gets exposed to web security, he will inevitably memorize his first acronym: XSS! It stands for “cross-site scripting”, and it is one of the oldest vulnerabilities around. Its origins are way back in the 90s, when JavaScript was the new kid on the block. XSS (back then it was CSS) was its evil little brother, and it still thrives on its sibling’s success. One may wonder “Why is it called cross-site scripting?
Daniel Szpisjak
Cookies
Back in the 90s, someone wanted to store information on the clients, only it was not possible yet. Luckily the Netscape team quickly came to the rescue and implemented cookies. This was a very significant move which shaped the things to come. Cookies became the de-facto state in the statelessness of HTTP. Today they are essential and their security is critical. Here is what you need to know. The fundamentals: before getting into how cookies work, let’s take a quick look at the basics.
Daniel Szpisjak
Same-origin policy
When your browser opens a web page, it enforces various security rules. The most important one is the same-origin policy. It defines access rules for dynamic scripts and is considered to be the cornerstone of the web security model. The concept is rather old: it dates from 1995, when Netscape Navigator 2 owned the streets of the web. Chances are, you two have already met during your development career, so no need for introductions.
Daniel Szpisjak
Open your browser
Today we live in the era of the web, and your browser is an integral part of it. As a developer, it is essential to know how stuff works to some degree, and to understand how you might affect this behavior to increase security. This post is an intro to that topic! Let’s start with a bit of context, shall we? First, let’s try to define what web browsers are! They are applications used to render data; data that is fetched from a remote location.