Archive for the ‘best practice’ Category
Cross Site Scripting and SQL injection explained
OWASP has a full range of videos that give you a basic view of XSS and SQL injection:
SQL injection
Full table and column traversal, and ultimately site take-over, are an almost inevitable consequence of unmanaged user input and unmanaged system output (such as detailed error messages). This OWASP video gives a quick introduction.
Cross Site Scripting (XSS)
Easy to find, easy to exploit and highly varied: injection of JavaScript into pages, typically used to attack the site's other users.
You can find out more in the AppSec Tutorial Series by OWASP.
OWASP Top 10 Security Threats 2010
In case you don’t have them to hand:
Last updated on April 22, 2010, the OWASP Top 10 Web Application Security Risks for 2010 are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
Where to start with secure coding practices
Coding projects often develop organically, or without any specific security focus at the outset of development, and the question then arises of where to start in securing the code one already has.
The first step is to accept that retrofitting security into existing code means working through a set of issues. Ideally, the code starts from a secure basis, but the size or budget of a project does not always allow for this.
So, how to proceed?
For the code that accepts, filters and manages user input before producing output, we know there are a few challenges to mitigate in order to create a more secure data environment.
Some initial thoughts for discussion, below.
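The "unmanaged user input and system output" point from the SQL injection post and the "filter user inputs before creating outputs" question above, as an added example (not code from the original posts): a Python sketch over a hypothetical in-memory users table, placing a query built by string splicing beside a parameterised one, HTML-encoding the output, and returning a fixed message instead of the raw database error.

```python
import html
import sqlite3

def make_db():
    # Constructed in-memory table so the example runs offline (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("o'brien", "ob@example.com")])
    return db

def lookup_unmanaged(db, name):
    # Unmanaged input: the value is spliced into the SQL text, so a quote in it
    # changes the statement instead of being matched as data. A legitimate name
    # such as o'brien already breaks the query; crafted input can rewrite it.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db, name):
    # Managed input: the value is bound as a parameter and can only ever be data.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def render_row(name, email):
    # Managed output: HTML-encode user-controlled data before it reaches other
    # users, so a stored name cannot become script in their browser.
    return "<li>{} ({})</li>".format(html.escape(name), html.escape(email))

def profile_page(db, name, lookup=lookup_parameterised):
    # Managed system output: the client gets a fixed message, never the raw
    # database error text, which would describe the schema and query shape.
    try:
        rows = lookup(db, name)
    except sqlite3.Error:
        return "<p>Request could not be processed.</p>"
    if not rows:
        return "<p>No such user.</p>"
    return "<ul>" + "".join(render_row(n, e) for n, e in rows) + "</ul>"
```

Passing `lookup_unmanaged` to `profile_page` shows the spliced query failing on an ordinary apostrophe, while the parameterised path returns the row with the name encoded.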