Home » Tag Archives: Security (page 7)

Tag Archives: Security

10 things you can do to make your app secure: #3 Validate Input

This is part #3 of a series of posts on the OWASP Top 10 Proactive Development Controls. Your first line of defence against attacks should always be to check all data from untrusted sources. Input validation is fundamental to application security, and a basic part of good defensive programming. This is simple, and obvious – and often done wrong.   ...

Read More »

10 things you can do to make your app secure: #2 Encoding Data

This is part #2 of a series on the OWASP Top 10 Proactive Controls, the 10 things you can do as a developer to make your application secure. In the previous post, I explained why Parameterized Database Queries are so important in protecting applications from SQL injection, one of the most common and dangerous attacks. SQL injection is only one ...

Read More »

SQL Developer’s “Securely” Encrypted Passwords

Recently, while at one of our customers’ site, the customer and I needed to get access to a database. On my machine, I had stored the password, but the customer obviously didn’t want to rely on my machine, and the password itself is hashed, so we couldn’t guess it. But guess what? Yes we can! I googled a bit, and ...

Read More »

SSL encrypted EJB calls with JBoss AS 7

java-interview-questions-answers

Encrypting the communication between client and server provides improved security and privacy protection for your system. This can be an important requirement by the customer, especially if client or server need to work in an unprotected network. This article shows you how to setup SSL encrypted EJB calls in JBoss AS 7. Server There are only two things that need ...

Read More »

Easter Hack: Even More Critical Bugs in SSL/TLS Implementations

It’s been some time since my last blog post – time for writing is rare. But today, I’m very happy that Oracle released the brand new April Critical Patch Update, fixing 37 vulnerabilities in our beloved Java (seriously, no kidding – Java is simply a great language!). With that being said, all vulnerabilities reported by my colleagues (credits go to Juraj Somorovsky, Sebastian ...

Read More »

Application Security – Can you Rely on the Honeymoon Effect?

I learned about some interesting research from Dave Mortman at this year’s RSA conference in San Francisco which supports the Devops and Agile arguments that continuous, incremental, iterative changes can be made safely: a study by by the MIT Lincoln lab (Milk or Wine: Does Software Security Improve with Age?) and The Honeymoon Effect, by Sandy Clark at the University ...

Read More »

Verifying Secure Password Storage Externally

Many websites (including big ones like Adobe, Yahoo, LinkedIn, Gawker, etc.) store user passwords insecurely. Either in plain text, or encrypted (reversible), or using a broken or brute-forceable hash function. Many websites continue to be built with poor password storage mechanism. So what? Well, if the database leaks somehow (and it obviously happens, see the link above), then users are ...

Read More »

Apache Tomcat and Denial-of-service vulnerability

Websites hosted on Apache Tomcat servers seem to be vulnerable against denial-of-service attacks, as was recently proven by security researchers and presented in Denial-of-service vulnerability puts Apache Tomcat servers at risk. Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers ...

Read More »