Have you heard of RFC 9116? If not, I understand. I don't really know anything by RFC numbering and that is ok. RFC 9116 is a document put out by the Internet Engineering Task Force (IETF) related to vulnerability disclosure. It is important to note that this is not a standard, but for informational purposes only. So what does it do? The focus of this document is on the security.txt file and the format of it. Security.txt is a simple text file that helps an organization describe their … [Read more...] about Security.txt for Vulnerability Disclosure
secure code
Tips for hiring developers with security experience
In order to reduce the risk to our applications, we must start hiring resources that come in with some level of secure development knowledge. As a matter of fact, it shouldn't even be thought of as security knowledge, but just good development knowledge. Job Description The first question that pops up is around writing job descriptions. How much "security" should be in a job description for a developer role? Does it change from entry level engineer to a senior level engineer? I think there … [Read more...] about Tips for hiring developers with security experience
3 Tips to get your secure development program started
The hardest part of anything we do is typically just actually starting it. How many things have you thought about doing, but were not sure on how to proceed? What is that first step? We know we have to do something, but what? This is no different when we think about application security and a secure development program. We have to start it. It is absolutely a necessity for any development program. So what should we do? It is important to understand that security doesn't happen overnight. There … [Read more...] about 3 Tips to get your secure development program started
Input validation is less about specific vulnerabilities
Security takes a layered approach to reduce the risk to our organization. Input validation is the perfect example of one of these layers. In most cases, input validation is 1 factor in a multi-pronged approach to protecting against common vulnerabilities. Take any course on secure development and they will, or should, mention input validation as a mitigating control for so many vulnerabilities. You might notice that it always comes with a but. Use input validation, but also use output … [Read more...] about Input validation is less about specific vulnerabilities
Log4J – Reflection and Progression
Open any social media platform or pull up any mainstream media and undoubtably, you have seen many posts/articles talking about the log4j vulnerability. If you haven't seen this, here is a quick link to catch up https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/. This post is not going to be about log4j, nor is it going to go into any of the details the thousands of others articles out there would go through. Instead, I want to discuss this at a higher level. Log4j is just an … [Read more...] about Log4J – Reflection and Progression
Chrome is making some changes.. are you ready?
Last year, Chrome announced that it was making a change to default cookies to SameSite:Lax if there is no SameSite setting explicitly set. I wrote about this change last year (https://www.jardinesoftware.net/2019/10/28/samesite-by-default-in-2020/). This change could have an impact on some sites, so it is important that you test this out. The changes are supposed to start rolling out in February (this month). The linked post shows how to force these defaults in both FireFox and Chrome. In … [Read more...] about Chrome is making some changes.. are you ready?