My previous post explained how NoSQL injection can occur when using NoSQL databases. I showed an example using MongoDB. In this post I'll show you how to protect your application.
[...]
As described by Wikipedia, NOSQL is a movement promoting a loosely defined class of non-relational data stores that break with a long history of relational databases. These types of databases are quickly gaining popularity in the Web2.0 world, including sites like Facebook and Digg.
[...]
Just thought I'd do a small blog post about some of the security podcasts I'm currently subscribing to.

[...]

In an IdP/SP (Identity Provider/Service Provider) Single Sign-On scenario, you might also want to have Single Sign-Out, meaning you can log out of all SPs with a single click.

[...]
Most web browsers implement the Same Origin Policy, which limits how JavaScript etc. can interact across domains. Without this policy an attacker could set up a site, and if you were tricked into visiting it, the attacker could read data from all your logged-in sessions (Gmail, banking etc.) and perform actions against those sites on your behalf. This policy was seen as a bit too restrictive for Flash/Flex/Silverlight, which may need to read data from other domains. Adobe introduced the cross-domain policy to address this concern. Unfortunately a lot of sites are not paying attention to what this policy really means.
[...]
As shown in several articles and mailing lists lately, input validation is also required when developing Flash files. However, a lot of sites already have many existing Flash files for which they may or may not have the source code available, possibly because they were created by a 3rd party. There is still hope, though.
[...]
Recently there has been a lot of fuss about security problems in Flash files. At the recent Black Hat DC 2010 Mike Bailey also discussed this very topic. These problems are not new, but have somehow avoided getting much focus earlier. Input validation and output escaping in Flash seem to be ignored.
[...]
If you are in an agile team (Scrum or Kanban) and the team is distributed, it might be hard to find a good solution for the agile board. The solution might be an electronic version. Why not build your own?
[...]
In my previous posts JSONp - What's the risk? and Web2.0 - Who do you trust? I talked about the potential security problems that can occur when adding script tags and/or using JSONP. In this post I will show a couple of demos.
[...]
When it was first introduced, Mozilla Content Security Policy (CSP) seemed a bit interesting when developing new applications, but I couldn't really see any benefit for already existing apps, as they would have to rewrite a lot of the code. However, after many of the newer additions, I think this can help severely reduce the effect of many attacks.
[...]
About Erlend
I'm a senior consultant at Bekk Consulting AS. This blog is about software development, with a special focus on security.