"So now that you've seen how contexts are important when mitigating XSS, I'll give you a new example", David said. "Take a look at the following example from a social networking web site".[...]
HackPra (@HackPra) was kind enough to invite me to do a talk. On the 7th of December I held a talk called "Attacks on web application crypto". [...]

I recently presented on Web application security at Framsia (a user group for frontend development). Great crowd and lots of questions and good feedback afterwards. The slides from the presentation can be found below.

[...]

I have been an Android owner for about two years now, and I'm no longer a fan.

[...]
Recently we see frameworks altering behaviour in order to mitigate XSS. Ruby on Rails 3, Play Framework and ASP.NET MVC 3 all do HTML escaping by default for the standard output (<%=SomeVariable %>, ${SomeVariable} and @SomeVariable). While I applaud the frameworks for taking this step (and it is certainly a step in the right direction), you should be aware that this will not automatically block all XSS attacks. Here are some examples.[...]
Some colleagues and I were discussing this a while back, and while it may be hard to create, I really think this could be helpful for us as developers. The name is just a suggestion. Someone can probably come up with something better. This is a potential outcome of the developer outreach.[...]
When building an ajax-based application, you want to protect any POST request against CSRF attacks. If you are using jQuery, then jQuery provides a lot of convenience methods for ajax calls ($.get(), $.post(), $.getJSON() etc.), and it would be a shame if you had to duplicate adding CSRF tokens to all your ajax calls manually, or go back to $.ajax() because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course allows you to add these kinds of things through events.[...]

John Wilander published a post on "Security People vs Developers", where he addressed the "Developers don't know shit about security" mantra that keeps popping up in security talks at conferences.

[...]

As programmers we often pick the easy way out, even though we often hear that we should keep things simple. Creating something simple can be hard, and creating something complex (and often buggy) is easy.

[...]

I just read "Is 2011 the Year of NoSQL Data Breaches?" over at Infosec Island. The article was really interesting and points out some aspects of MongoDB which I really don't like. I'm all for NoSQL databases, as the relational model does not fit well everywhere, so I'm hoping the MongoDB developers will address these issues pretty soon.

[...]
About Erlend
I'm a developer at Bekk Consulting AS. This blog is about software development, with a special focus on security.