
I have been an Android owner for about two years now, and I'm no longer a fan.


[...]
Recently we have seen frameworks change their default behaviour in order to mitigate XSS. Ruby on Rails 3, Play Framework and ASP.NET MVC 3 all HTML-escape the standard output expression by default (<%=SomeVariable %>, ${SomeVariable} and @SomeVariable respectively). While I applaud the frameworks for taking this step (it is certainly a step in the right direction), you should be aware that HTML escaping alone will not block all XSS attacks: it only protects the HTML body context, and data ends up in other contexts (unquoted attributes, URLs, JavaScript) all the time. Here are some examples.
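To make the point concrete, the following is an added example (not code from the original post or from any of the frameworks named above). It models the default escaping these frameworks apply with a small htmlEscape function, renders the same untrusted value into four contexts, and shows that three of them are still exploitable; the context names, the greet() handler and the payloads are constructed for illustration.

```javascript
// Default-style HTML escaping, modelled on what Rails 3 / Play / ASP.NET MVC 3 do
// for their standard output expression (assumption: exactly these five characters).
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal decoder for those five entities. Browsers decode attribute values
// like this *before* handing them to the URL or JavaScript parser.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// Context 1: HTML body text. Escaping is sufficient here: '<' can never open a tag.
function renderBody(name) {
  return '<p>Hello ' + htmlEscape(name) + '</p>';
}

// Context 2: unquoted attribute value. The payload contains none of the five
// characters, so it survives escaping; a space ends the value and the rest
// becomes a new attribute (an event handler).
function renderUnquotedAttr(v) {
  return '<input value=' + htmlEscape(v) + '>';
}

// Context 3: URL attribute. "javascript:alert(1)" has nothing to escape at all;
// the fix is a scheme whitelist, not more escaping.
function renderHref(url) {
  return '<a href="' + htmlEscape(url) + '">link</a>';
}
function safeHref(url) {
  const ok = /^(https?:|\/(?!\/))/i.test(url);        // http(s) or a local absolute path
  return '<a href="' + htmlEscape(ok ? url : '#') + '">link</a>';
}

// Context 4: JavaScript inside an event-handler attribute. The browser decodes
// &#39; back to a quote before the JS parser runs, so the string is closed and
// the attacker's code executes even though every character was "escaped".
function renderOnclick(v) {
  return '<a onclick="greet(\'' + htmlEscape(v) + '\')">hi</a>';
}

// Fix for context 4: escape for the *inner* context first (JS string literal,
// every non-alphanumeric as \xHH), then HTML-escape for the attribute.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
function safeOnclick(v) {
  return '<a onclick="greet(\'' + htmlEscape(jsStringEscape(v)) + '\')">hi</a>';
}

// What the JavaScript engine actually receives for the onclick handler.
function onclickSource(rendered) {
  const m = /onclick="([^"]*)"/.exec(rendered);
  return m ? decodeEntities(m[1]) : null;
}

// Quick demonstration when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnquotedAttr('x onmouseover=alert(1)'));
  console.log(onclickSource(renderOnclick("');alert(1);//")));
  console.log(onclickSource(safeOnclick("');alert(1);//")));
}
```

The lesson is that the escaping must match the context the value lands in; a framework can only pick a sensible default for the most common one, so quote your attributes, whitelist URL schemes, and never build JavaScript out of strings in a template.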
[...]
Some colleagues and I were discussing this a while back, and while it may be hard to create, I really think this could be helpful for us as developers. The name is just a suggestion. Someone can probably come up with something better. This is a potential outcome of the developer outreach.
[...]
When building an Ajax-based application, you want to protect every POST request against CSRF attacks. If you are using jQuery, it provides a lot of convenience methods for Ajax calls ($.get(), $.post(), $.getJSON() etc.), and it would be a shame if you had to add the CSRF token to every call by hand, or fall back to $.ajax() because the convenience method didn't support the way you wanted to add the token. But jQuery, being the customizable framework it is, of course lets you add these kinds of things in one place through its global Ajax events.
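One way to do this, as an added example that is not code from the original post: register a single ajaxSend handler that attaches the token to every state-changing request, while leaving GETs alone and, importantly, never sending the token to another origin. The header name X-CSRF-Token, the meta tag that carries the token, and the origin used in the demonstration are assumptions; use whatever your server actually checks.

```javascript
// Methods that change state and therefore need the CSRF token.
const UNSAFE_METHODS = /^(POST|PUT|PATCH|DELETE)$/i;

// Same-origin check. Relative URLs resolve against our own origin; an absolute
// URL to another host must never receive the token (it would leak it).
function isSameOrigin(url, origin) {
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false;
  }
}

// Decide whether this request gets the token, and set the header if so.
// Returns true when the header was added, so the decision is testable.
function addCsrfHeader(xhr, settings, token, origin) {
  const method = (settings.type || settings.method || 'GET').toUpperCase();
  if (!UNSAFE_METHODS.test(method)) return false;          // GET/HEAD: nothing to protect
  if (settings.crossDomain) return false;                  // jQuery already flagged it
  if (!isSameOrigin(settings.url || '', origin)) return false;
  if (!token) return false;                                // no token in the page
  xhr.setRequestHeader('X-CSRF-Token', token);             // header name: assumption
  return true;
}

// Registration, only where jQuery is loaded (i.e. in the browser). The token is
// assumed to be embedded by the server as <meta name="csrf-token" content="...">.
if (typeof jQuery !== 'undefined') {
  const token = jQuery('meta[name="csrf-token"]').attr('content');
  jQuery(document).ajaxSend(function (event, xhr, settings) {
    addCsrfHeader(xhr, settings, token, window.location.origin);
  });
}

// Stand-in for jQuery's jqXHR so the decision logic can run outside a browser.
function fakeXhr() {
  const headers = {};
  return { headers, setRequestHeader(name, value) { headers[name] = value; } };
}

// Demonstration: three constructed requests against an assumed origin.
function demo() {
  const origin = 'https://app.example';
  const results = {};
  let x = fakeXhr();
  results.post = [addCsrfHeader(x, { type: 'POST', url: '/comments' }, 'tok123', origin), x.headers];
  x = fakeXhr();
  results.get = [addCsrfHeader(x, { type: 'GET', url: '/comments.json' }, 'tok123', origin), x.headers];
  x = fakeXhr();
  results.cross = [addCsrfHeader(x, { type: 'POST', url: 'https://evil.example/x' }, 'tok123', origin), x.headers];
  return results;
}
```

Because the handler hooks the global ajaxSend event, $.post() and friends keep working unchanged; the only thing the server needs is to compare the header against the token it issued for the session, and to keep rejecting unsafe requests that arrive without it.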
[...]

John Wilander published a post on "Security People vs Developers", where he addressed the "Developers don't know shit about security" mantra that keeps popping up in security talks at conferences.


[...]

As programmers we often pick the easy way out, even though we often hear that we should keep things simple. Creating something simple can be hard, and creating something complex (and often buggy) is easy.


[...]

I just read Is 2011 the Year of NoSQL Data Breaches? over at Infosec Island. The article was really interesting and points out some aspects of MongoDB which I really don't like. I'm all for NoSQL databases, as the relational model does not fit well everywhere, so I'm hoping the MongoDB developers will address these issues pretty soon.


[...]
Troy Hunt is doing a great series on the OWASP Top 10 for .NET developers. Definitely worth a read for any .NET developer:
[...]
There has been a lot of fuss about padding oracle attacks lately. ASP.NET was vulnerable, and so was Apache MyFaces (and other JSF implementations?).
[...]

The brand new Rails 3.0 escapes data used in views by default. This is great news, because it hopefully means applications will be protected from XSS by default, as long as you stick to the built-in helpers (UrlHelper etc.).


[...]