What's the best way to programmatically edit a pdf in ruby?

I’ve been doing a good deal of PDF generation in Rails, and had to go through the process of comparing all the available techniques and frameworks in order to find the right solution for my needs. It's great that there are so many tools out there, but it can be a daunting task to figure out which is best, which will scale, which will continue to grow and improve, and to evaluate the true ‘cost’ of fr

Web app security checklist (Braindump)

In yesterday’s post I said I’d put together a quick list of things to think about around web application security. This is by no means an exhaustive list, but it's a set of categories and things I start to look at when doing a security assessment on an app. Web Application Security Checklist: Account management: Password management (validation, expiration, previous passwords, etc), Account lockout (number of

Avoid the last minute security review

Photo Credit: Amagill under Creative Commons Attribution. Security is hard. Security is often an afterthought, slated towards the end of a project, or after some big issue has been discovered, but the nature of security functionality, rules, roles, auditing, etc. makes it hard to layer into an existing codebase effectively. Oh, and if the code base isn’t sufficiently tested, you’re in for a world of hurt. I

The Costs of Building Secure Applications

‘Achieving Balance’ by James Jordan. Security is unlike other aspects of software in that it follows a steep value curve: either your system is secure, or it is not. Either it provides its full level of value, or it provides none at all. There is often a tendency to address security up front (even when other aspects of the system are built iteratively). What others sometimes fail to see is how this generat

Firefox Plugin Malware 'Trojan.PWS.ChromeInject.A'

You knew it had to happen. Malware for Firefox. It happens all the time with IE (so much so that my 17-year-old niece needs a fresh install of Windows every 3 months), but Firefox has been a little less prone — though not immune — to malware. See the BitDefender blog post and the Infoworld article which has a bit more detail. Now Firefox 3 does contain Malware protection, but apparently this plugin is deli

App Security: Throw Out the Org Chart!

“Only administrators can add users – no exceptions! …except Bob in accounting, but that’s because he’s covering for Sally. But only until February. And this sort of arrangement might happen again. But most of the time, it won’t. I mean.. ninety-nine point nine percent of the time. But there might be exceptions…”. Sound like a requirement you’ve heard before? How d

The Truth About Designing For Security

Security is an area of concern where value and cost are often difficult to estimate.  While big mistakes made early on in many areas of an application may prove difficult to correct, this is especially true for security, since its specifications often model a direct reflection of an organizational structure. And all too often, dysfunctional organizations create dysfunctional security requirements. It is common knowle

SMash – Something Useful from the OpenAjax Alliance?

In the announcement that the OpenAjax Alliance had released OpenAjax Hub 1.0, and would start to work toward 1.1, there was one thing that caught my interest: the news that 1.1 would support secure mashups. Given that proxies and JSONP...

Ajax security surprises: web-aggregators, offline applications and frameworks

I'm still absorbing the densely packed information from "Ajax Security," the first-rate book by Billy Hoffman and Bryan Sullivan that I recently recommended in these pages. Here, in no particular order, are three of the most surprising lessons imparted by...

Book recommendation: Ajax Security by Hoffman and Sullivan

Reviewers overuse the phrase "required reading," but no other description fits the new book "Ajax Security" (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in...