Developing applications has long involved using code snippets found through textbooks or on the Internet. Rather than re-invent the wheel, it makes sense to identify existing code that helps solve a problem. It may also help speed up the development time. Years ago, maybe 12, I remember a co-worker that had a SQL Injection vulnerability in his application. The culprit, code copied from someone else. At the time, I explained that once you copy code into your application it is now your … [Read more...] about Security Tips for Copy/Paste of Code From the Internet
blog
Gmail will block JavaScript file attachments
According to a recent announcement, Gmail will start blocking .js file attachments starting February 13, 2017. Blocking specific attachment types isn't something that is new to Gmail. They already block attaching file attachments that are .exe, .msc, and .bat types. The recent move to add javascript files is most likely related to the recent malware/ransomware campaigns that have started using JavaScript files instead of Microsoft Office files. There was an article posted back in April … [Read more...] about Gmail will block JavaScript file attachments
Secure Notification Updates in FireFox and Chrome
There has been a steady increase in the number of applications that have switched to using HTTPS instead of HTTP for communication. Even sites that have no sensitive information or authentication mechanisms. Using HTTPS provides authentication and a secure channel to transmit data between client and server. The authentication verifies that you are communicating with the organization you thought you were. This secure transmission is meant to stop other parties from being able to read or … [Read more...] about Secure Notification Updates in FireFox and Chrome
Remember Me Features
Tired of constantly logging into your applications? Don't you wish they would just remember you each time you visit, logging you right in? It isn't as always easy to achieve such a status. There are multiple ways remember me can be implemented. Lets take a look at some of them. Remember UserName One of the most common ways for a site to implement the remember me functionality is to remember the username only. The username is typically stored in a cookie on the client's computer. … [Read more...] about Remember Me Features
Introducing our Slack channel
It is a new year and time for some new ways for all of us to communicate. We appreciate all that have read the posts and listened to the podcast. Both of these will continue to move forward in 2017 with some new material on the way. We are happy to announce we have started a Slack channel. You can find it at developsec.slack.com. The blog and podcasts have been great in providing information in a read-only manner. Slack is an opportunity to open up more conversation and create more … [Read more...] about Introducing our Slack channel
MongoDBs under attack from ransomware
In recent news, it was identified that MongoDB databases are being exposed on the internet and infected with ransomeware. In a little under a week, the infection count went from 200 to 10,000. That is a quick ramp up. In this case, misconfigurations may bind the database port to the public interface, while also allowing anonymous access. This combination can be devastating. Doing a quick search on Shodan you may find there are thousands of misconfigured MondoDB servers exposed on the … [Read more...] about MongoDBs under attack from ransomware