Web app security – the best bits

Security is paramount for applications delivered over the Internet. We’ve put a lot of energy into our own development practices, and recently we’ve been sharing some of the things we have learnt and refined with developer audiences around New Zealand.

Over the last six months I’ve been presenting on different aspects of web security to about 350 developers at user group meetings, Code Camps, conferences and to some of our partners. The main focus has been on understanding the potential threats in a web environment, sharing some of our experiences, and offering some best practice on how to protect your applications.

Monday at the OWASP New Zealand day was a lot of fun. I co-presented with Andy Prow from Aura Software Security. We had two participants up the front sparring with giant boxing gloves while I protected our sample ASP.NET application from Andy’s ‘hacking’ attacks.

There was lots to learn from the various sessions – most surprising to me was the lack of security around Firefox Extensions. In a session presented by Roberto Suggi Liverani and Nick Freeman from Security-Assessment.com, we saw the sorts of bad behaviour a Firefox extension can get up to without you realising. Moral of the story: don’t install extensions that you don’t trust!

We also heard about the 2 million unprotected credit card numbers found on NZ companies’ infrastructure, how small security issues can be compounded when chained with other issues, how SOAP web services can be tested, and how after 10 years we’re still making the same mistakes again and again.

All the talks were recorded, so I expect at some stage the videos and slides will end up at the OWASP NZ website. So if you’re a developer or architect, come along to user group meetings to learn more about web security. The OWASP guidelines are also available for free from the OWASP site.

If you’re a .NET development shop or Xero partner, I’d be happy to come along and present to you and your team for an hour or so.
