Writing Secure Code - Links - September 12, 2008
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on Sep 12, 2008
Since I'm focusing this blog more on the technical side - I thought I would try to regularly provide a set of links and commentary to security and privacy articles I find.
"For Your Browser Only" -- Reminds developer's that if you are writing cookies from your server code to remember to mark them "HTTP Only". This dramatically reduces the surface area for cross-site scripting attacks. I would also add that other techniques - such as using a standards-based framework for authentication/session management and risk-based access control like Oracle provides via Fusion Middleware and the Access Management Suite will add extra protection.
Security Researches Uncover Spring Framework Vulnerabilities -- Some researchers have found vulnerabilities in the popular Spring framework.
What Californians Understand About Privacy Online -- A paper showing how big the gulf is between the average person's perception of how their privacy is protected and the reality . One could of course make a joke about what do you expect from people who elect "The Terminator" their governor but it is a real problem.
SQL Injection issue in :limit and :offset parameter -- A two-fer this week - security issues in two of the most popular frameworks out there - Spring and now Rails. I give credit to the author for trying to help raise awareness and in general I think adopting frameworks (in particular standard - whether that's "Standard" like JSF or a "standard" like Spring/Rails) make you more productive - and yes, secure.
5 Features Your Login System Must Have -- An interesting article for those who are still "rolling their own system". Of course for an enterprise - I'm not sure of any valid use case where that would be a good idea - there's too many good products out there such as Oracle Access Management Suite that can do this for you without needing to become a SSO developer. If you are working on a consumer site - then at the very least, you should adopt something like OpenID or Infocards so that you are not managing passwords.