Web Security Training

Navigating the web security landscape


blogposts – Article

A false sense of security by cheating with your security headers

Awareness is one of the most important factors in getting people to secure their web applications. In the last few years we have seen a steady increase in media attention for the lack of security, and we have also seen the rise of security scanning services. These services rate certain security aspects of your application and assign you a score, ranging from F (really bad) to A+ (awesome). Prime examples are the SSL Server Test, driven by Ivan Ristić, and securityheaders.io, driven by Scott Helme. In this article, we explore the challenges of going from an automated scan to a meaningful score, and how website operators game the system to get a better score than they deserve.

trainingsessions – Resources

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe

The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!

blogposts – Article

Preventing Private Key Theft with a Reverse Proxy

With every Web site there is a risk of total compromise, well illustrated by the severe zero-day vulnerabilities that have surfaced in major CMS systems over the past few years. When an exploit leads to a compromised Web server, the consequences are numerous and the cleanup takes a lot of effort. If the site is deployed over HTTPS (and it should be), it is very likely that the server's private key is compromised as well, allowing the attackers to impersonate your server towards your users. In this post, I explain how you can use a TLS-terminating reverse proxy to stop the theft of your private keys, thereby limiting one aspect of the impact of a breach.
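The deployment the summary describes, as an added example that is not part of the original post: the private key lives only on a separate proxy host that terminates TLS, and the application server (the host running the CMS that might get compromised) only ever speaks plain HTTP on a private network and never has the key on disk. The hostnames, IP addresses and file paths are assumptions for illustration; the configuration is a minimal nginx fragment, not a complete hardened server block.

```nginx
# Runs on the proxy host only. This is the only machine that holds the key.
# The application host (10.0.1.20, assumed) has no copy of it.
server {
    listen 443 ssl;
    server_name www.example.com;            # assumed hostname

    ssl_certificate     /etc/ssl/proxy/www.example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/proxy/www.example.com.key;   # assumed path, mode 0600, root-owned
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend is reachable only over a private network; it listens on
        # plain HTTP because TLS has already been terminated here.
        proxy_pass http://10.0.1.20:8080;

        # Let the application know the original host and that the client
        # connection was HTTPS, so it can emit correct absolute URLs and
        # secure cookies.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two caveats a practitioner will want to keep in mind. First, this only addresses key theft: an attacker who owns the application host can still read and modify the plaintext traffic that flows through it, so it is one mitigation among several, as the post's own wording ("one aspect of the impact") indicates. Second, the proxy host must itself stay small and hardened (no application code, no CMS, nothing but the proxy), because it is now the machine whose compromise does leak the key.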

blogposts – Article

No, not everybody should be a security expert

The Web would be a lot more secure if everybody were a security expert, but that is an utterly unrealistic scenario. Instead, everybody should be aware of security, should learn the basic security principles, and should know when to call in help from security experts. That is exactly what the SecAppDev course stands for. To get you started with Web security, I have included a list of useful resources at the end of this post.

blogposts – Article

Leveraging 20-year old technology to build more secure Web applications

Ever thought about the security consequences of including JavaScript files from just about anywhere? Or why Cross-Site Scripting attacks are so dangerous? It all comes down to the core security model of the browser, where resources from different origins are separated from each other by the Same-Origin Policy. An understanding of the Same-Origin Policy, the protection it offers and, most importantly, its limits, is crucial for building secure Web applications. In this post, we look into the history of the Same-Origin Policy, and we show how it falls short of protecting Web sites from malicious third-party code: a script included from another origin runs with the full privileges of the including page, so the Same-Origin Policy does nothing to contain it. We conclude with concrete advice on how to integrate third-party code in a more secure way, something you should take to heart.