Web app security – the best bits

Security is paramount for applications delivered over the Internet. We’ve put a lot of energy into our own development practices, and recently we’ve been sharing some of the things we have learnt and refined with developer audiences around New Zealand.

Over the last six months I’ve been presenting on different aspects of web security to about 350 developers at user group meetings, Code Camps, conferences and to some of our partners. The main focus has been on understanding the potential threats in a web environment, sharing some of our experiences, and offering some best practice on how to protect your applications.

Monday at the OWASP New Zealand day was a lot of fun. I co-presented with Andy Prow from Aura Software Security. We had two participants up the front sparring with giant boxing gloves while I protected our sample ASP.NET application from Andy’s ‘hacking’ attacks.

There was lots to learn from the various sessions – most surprising to me was the lack of security around Firefox Extensions. In a session presented by Roberto Suggi Liverani and Nick Freeman from Security-Assessment.com, we saw the sorts of bad behaviour a Firefox extension can get up to without you realising. Moral of the story: don’t install extensions that you don’t trust!

We also heard about the 2 million unprotected credit card numbers found on NZ companies’ infrastructure, how small security issues can be compounded when chained with other issues, how SOAP web services can be tested, and how after 10 years we’re still making the same mistakes again and again.

All the talks were recorded, so I expect at some stage the videos and slides will end up on the OWASP NZ website. So if you’re a developer or architect, come along to user group meetings to learn more about web security. The OWASP guidelines are also available for free from the OWASP site.

If you’re a .NET development shop or Xero partner, I’d be happy to come along and present to you and your team for an hour or so.
