February 25, 2014 - 15:21 UTC After scanning Norway and Alexa Top 100,000, I decided to scan the Fortune 500 companies.
[...]

February 24, 2014 - 20:10 UTC After scanning Norway I decided to scan the Alexa top 100,000 sites. Summarized over 60% are using JavaScript libraries with known vulnerabilities. Which means they will have problems with OWASP Top 10 2013-A9 Using Components with Known Vulnerabilities. I would like to stress though, that using a library with a known vulnerability, does not necessarily mean the site is vulnerable, because the vulnerable code may not be used.
[...]

January 9, 2014 - 22:36 UTC After working on retire.js I decided to take it for a real test run. I setup a node script with phantomjs and scanned the landing page of 150,000 Norwegian domains. These are the results. You will find that a lot of sites are using really old versions of libraries with known vulnerabilities (red means the library has known vulnerabilities). I think this supports the idea that most sites have the jQuery version that was available when the site was first made. Oh, and using a vulnerable library does not necessarily mean the site is vulnerable, but it might be.
[...]

November 4, 2013 - 21:47 UTC

There are a lot of security headers out there, and due to a recent scanby @einaros we can now build some statistics on the use of these headers in Norway. The result is disappointing.

[...]

June 16, 2013 - 22:17 UTC

Are you a developing NuGet packages? Good. Me too. We developers all make mistakes from time to time. And the problem is, some of those mistakes become vulnerabilities. Now the problem is, how will the users of your library know?

[...]

October 9, 2012 - 23:25 UTC

The last item on the OWASP Top 10 is A10 - Unvalidated Redirects and Forwards.

[...]

September 24, 2012 - 20:33 UTC

The 9th item on the OWASP Top 10 is A9 - Insufficient Transport Layer Protection. This is mostly a browser to server and server to server issue.

[...]

September 17, 2012 - 13:27 UTC

RESTful security from JavaZone on Vimeo.

[...]

August 31, 2012 - 14:30 UTC

The 8th item on the OWASP Top 10 is A8 - Failure to Restrict URL Access. This one is kind of interesting as what you see in the browser and what you see on the server are more often than not two very different things in javascript driven web apps. This is especially true for single page webapps.

[...]

August 20, 2012 - 21:14 UTC

This post describes how OWASP Top 10 - A7: Insecure Cryptographic Storage affects javascript applications. This is a wide category which covers a lot more than this blog post. I'll try to focus on the aspects that often occur in applications that rely heavily on JavaScript.

[...]