Web Security Training

Navigating the web security landscape

blogposts – Article

Don't become a Web Security Dinosaur!

If you're in for a blast from the past, take a look at the screenshot of Yahoo! below. That's an image from back in 1999, when almost everybody used Yahoo! to search the Web. Compared to today, web applications back then looked pretty boring. Modern web applications are prettier and snappier, using technologies such as multimedia elements and capture APIs, various powerful JavaScript APIs, and numerous new communication mechanisms such as WebSockets or WebRTC. But have you also upgraded the security of your applications? Did you know that the web security landscape has changed drastically in the past 4 years? Keep reading to see whether you risk becoming a web security dinosaur, and what you can do to prevent it.

blogposts – Article

A false sense of security by cheating with your security headers

Awareness is one of the most important factors in getting people to secure their web applications. In the last few years, we have seen a steady increase in media attention towards the lack of security, and we have also seen the rise of security scanning services. These services rate certain security aspects of your application and assign you a score, ranging from F (really bad) to A+ (awesome). Prime examples are the SSL Server Test, driven by Ivan Ristić, and securityheaders.io, driven by Scott Helme. In this article, we explore the challenges of going from an automated scan to a meaningful score, and how website operators game the system to get a better score than they deserve.

trainingsessions – Resources

Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe

The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!

blogposts – Article

Preventing Private Key Theft with a Reverse Proxy

With every Web site, there's the risk of total compromise, well illustrated by the severe zero-day vulnerabilities that have surfaced in major CMS systems over the past few years. When the exploit leads to a compromised Web server, there are a lot of consequences, and a lot of effort will go into the cleanup. If the site is deployed over HTTPS (and it should be), it's very likely that the server's private key is compromised as well, allowing the attackers to impersonate your server towards your users. In this post, I will explain how you can use a TLS-terminating reverse proxy to stop the theft of your private keys, thereby limiting one aspect of the impact of a breach.

blogposts – Article

No, not everybody should be a security expert

The Web would be a lot more secure if everybody were a security expert, but that's an utterly unrealistic scenario. Instead, everybody should be aware of security, should learn the basic security principles, and should know when to call in help from security experts. That's exactly what the SecAppDev course stands for. To get you started with Web security, I've included a list of useful resources at the end of this post.