Why “only security updates” approach is not sufficient?
Many organisations by principle only apply product updates that are explicitly marked as security fixes. I argue why this policy is not sufficient with examples on how general updates also have impact on security.
State of web micropayments
As of 2021 there is little doubt that the world of web advertising is toxic and abusive for both the end users and content publishers, and negatively impacts web security. Are there any reasonable alternatives out there?
Invalid Unicode encodings in Facebook data exports
An interesting case study of how even a large company can get Unicode encoding wrong in their data export format.
DNSSEC, systemd-resolved and general user friendliness
DNSSEC is perceived as difficult to deploy, but it’s actually the client-facing side that is more of a challenge, as my recent experience with systemd-resolved demonstrates.
Easy nonce-based Content-Security-Policy with Nginx
Content-Security-Policy is a powerful mechanism that can mitigate some of the web attacks, mostly related to user-generated content and vulnerable libraries. We publish a general guidance on deploying CSP based on our experience while developing this website, but here we would like to describe a simple trick we used to deal with a specific CSP usage scenario being whitelisting by nonce.
W3C Trusted Types in practical web development
Trusted Types are an emerging DOM API specification that attempt to prevent a whole range of attacks resulting from web browsers being tricked into execution of untrusted content, for example XSS.
Input validation of free-form Unicode text in Python
Input validation is one of the most important application security controls and still, there’s a huge gap as it comes to implementation of one of the most popular types of user input — free-form text with Unicode characters. This article demonstrates a simple way of dealing with Unicode text using Python.
Checking for critical infrastructure failures with Wazuh
One of my favourite features of Wazuh is command monitoring which, combined with rules, allows creating sophisticated sanity checks on critical infrastructure services.
Making sense of the SAST, DAST, IAST, RASP soup #2
In the last article I have written about SAST and DAST, here I’m sharing some experiences with IAST and RASP technologies, which are still considered quite new to the application security market.
Making sense of the SAST, DAST, IAST, RASP soup #1
Software security scanner market today is now mature enough to have its own jargon, built largely by vendor marketing teams. As such, it’s primarily designed to help you get rid of your infosec budget rather than help you design a reasonable security assurance architecture. This is first part of series that looks at SAST and DAST advantages and limitations.