Will OpenSSL bring back the software quality guarantees debate?

Back in 2009 the European Commission raised a controversial proposal to grant consumer rights to software users, much like those that apply to cars or other "physical" goods. With the recent Heartbleed failure in OpenSSL it's likely that these populist proposals will reappear. Why wasn't that a good idea?

Why is Heartbleed dangerous? Exploiting CVE-2014-0160

8 April 2014 is a busy day for sysadmins. Everyone is patching CVE-2014-0160 and I can actually see this in real time — servers that were vulnerable in the morning no longer expose their data in the afternoon. It is not often that a vulnerability is treated this seriously, but in this case it's fully justified.

Electronic identification and trust services for electronic transactions in the internal market

The new electronic signature directive named "Electronic identification and trust services for electronic transactions in the internal market" (eIDAS) has now been voted in favour of by the European Parliament.

Public key pins, a new safeguard for HTTPS websites

Public-Key-Pins will be a new HTTP header that tells user browsers which X.509 certificates identify a website, preventing various forms of man-in-the-middle attacks on SSL.

Using ESAPI with Play Framework

Does Play Framework need ESAPI at all? It is pretty robust when it comes to automatic escaping of potential cross-site scripting vectors, but if you don't use Play templates to display data (using an AJAX API instead) you'll need to do this separately. Play also offers a quite good validation framework, but you still need to actually implement the validation functions for some types of content — and this is where OWASP ESAPI comes in handy.

Security-related HTTP headers in the wild

When Veracode published their analysis of security headers on the top 1M websites, I realized that I could actually compare their results with mine.

Content Security Policy as malware detector

Content Security Policy not only protects websites that use it, but also, to some extent, helps detect malware and adware programs installed on client computers.

EU agreement on new electronic identification and trust services regulation (eIDAS)

The European Union has just announced a "political agreement" between Member States on a new regulation on electronic identification and trust services, called eIDAS, that is going to upgrade the old electronic signature directive 1999/93/EC.

Saving on telephone bills with VoIP

I've been using VoIP (voice over IP) telephony since 2004, and a recent move to a new flat made me rebuild the whole configuration. It was a good opportunity to review it and see how much I could have saved with VoIP.

Session variables encryption in Play framework

The main motivation for this work was to counter security issues caused by Play's implementation of session variables. A session variable store allows a web application to set variables tied to a particular user's session. In the traditional Java HttpServlet API, a session variable is set and read with setAttribute() and getAttribute().

JSON has digital signature and encryption too

If you have ever dealt with web services security, you probably already know that XML Encryption and XML Digital Signature are a nightmare from the interoperability and readability point of view. Here's an interesting competitor growing right now — JavaScript Object Signing and Encryption (JOSE).

SYNTAX Application Security Annual Report

The Greek company SYNTAX has just published a report on the prevalence of security vulnerabilities in web applications.

Introducing Django Security

Django-Security is currently the most advanced and mature security package for the Django framework. It has been usable for a while, but thanks to the hard work of the SDelements team, to which I have also contributed a bit, I can now recommend it for production use.

Web services security testing

As service-oriented architecture (SOA) gains popularity, there's growing interest in security testing of these services, but the available tools aren't as advanced as those for "standard" web applications.

Microsoft will get rid of SHA1 in Windows by 2017

Microsoft has just published their SHA1 deprecation policy, according to which Windows will stop accepting SHA1-signed certificates in SSL by 2017.
