My current writing project has taken time away from adding new content lately. Here’s a brief interlude of The Twelve Web Security Truths I’ve been toying with as a side project. They are modeled on The Twelve Networking Truths from RFC 1925.

  1. Software execution is less secure than software design, but executing code attracts actual users.
  2. The time saved by not using parameterized queries to build SQL statements should be used to read about using parameterized queries.
  3. Same Origin Policy restricts the DOM access and JavaScript behavior of content loaded from multiple origins. Malware only cares about plugin and browser versions.
  4. Content with XSS vulns is affected by the Same Origin Policy, which is nice for XSS attacks that inject into the site’s origin.
  5. CSRF countermeasures like Origin headers mitigate CSRF, not XSS. Just like X-Frame-Options mitigates clickjacking, not XSS.
  6. Making data safe for serialization with JSON does not make the data safe for the site.
  7. There are four HTML injection vulns in your site today. Hackers will find two of them, the security team will find one, the dev team will introduce another one tomorrow.
  8. Deny lists miss the attack payload that works.
  9. A site that secures user data still needs to work on the privacy of user data.
  10. Hashing passwords with 1,000-round PBKDF2 increases the work factor to brute force the login page by a factor of 1. Increasing this to a 10,000-round PBKDF2 scheme provides an additional increase by a factor of 1.
  11. The vulnerabilities in “web 2.0” sites occur against the same HTML and JavaScript capabilities of “web 1.0” sites. HTML5 makes this different in the same way.
  12. A site is secure when a compromise can be detected, defined, and fixed with minimal effort and users are notified about it.
  13. Off-by-one errors only happen in C.
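A worked illustration of truth 2, added here as an example and not part of the original post: the same user lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, the user names and the sort-column allowlist are made up for the demo. It also goes one step past the truth itself: placeholders bind values, not identifiers, so a client-chosen ORDER BY column still needs an allowlist.

```python
import sqlite3

# Constructed sample data for this demo (not from the original post).
USERS = [
    ("alice", "pbkdf2-hash-a"),
    ("bob", "pbkdf2-hash-b"),
    ("carol", "pbkdf2-hash-c"),
]

# Hypothetical allowlist of columns a client may sort by.
ALLOWED_SORT_COLUMNS = frozenset({"name", "pw_hash"})


def make_db():
    """Return an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller-supplied name is pasted into the SQL text, so a
    quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Fixed: the statement is compiled with a placeholder and the value is
    bound separately, so SQLite treats it as data whatever it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def is_allowed_sort_column(column):
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, column):
    """Placeholders bind values, not identifiers: ORDER BY ? would order by a
    constant string, not by the named column. A column name that comes from
    the client therefore has to pass an allowlist before it is spliced in."""
    if not is_allowed_sort_column(column):
        raise ValueError("unknown sort column: %r" % column)
    rows = conn.execute("SELECT name FROM users ORDER BY " + column)
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("concatenated:", lookup_concat(conn, payload))   # every user comes back
    print("parameterized:", lookup_param(conn, payload))   # nobody has that name: []
    print("sorted:", list_users_sorted(conn, "name"))
```

The concatenated version turns the payload into `WHERE name = 'x' OR '1'='1'` and returns the whole table; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none. Note that `is_allowed_sort_column` rejects anything not in the set, including `name; DROP TABLE users`, which no placeholder could have protected.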
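Truths 6 and 8 together, as an added example that is not from the original post: a value that json.dumps has made into a perfectly valid JavaScript string literal still ends a `<script>` element when the browser's HTML parser sees `</script` inside it, and a denylist that strips `<script` misses payloads that never contain that string. The payload strings, the denylist pattern and the crude parser model are constructed for the demo.

```python
import html
import json
import re

# Constructed attacker input for the demo (not from the original post).
PAYLOAD = "</script><script>alert(document.cookie)</script>"


def script_block_naive(value):
    """Truth 6: json.dumps makes the value a correct JavaScript string literal,
    but the browser's HTML parser runs before the JavaScript parser and ends the
    <script> element at the first '</script' it sees, quotes notwithstanding."""
    return "<script>var user = %s;</script>" % json.dumps(value)


def json_for_script(value):
    """JSON that is also safe inside a <script> body: '<', '>' and '&' become
    JSON \\uXXXX escapes. JavaScript decodes them back to the same characters,
    but the HTML parser never sees them as markup."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def script_block_safe(value):
    return "<script>var user = %s;</script>" % json_for_script(value)


def round_trips(value):
    """The escaped form still decodes to the original value."""
    return json.loads(json_for_script(value)) == value


def breaks_out_of_script(markup):
    """Crude model of the HTML parser's rule: a '</script' anywhere in the
    element body ends the element early."""
    body = markup[len("<script>"):-len("</script>")]
    return "</script" in body.lower()


# Truth 8: a denylist of the strings the defender happened to think of.
DENYLIST = re.compile(r"<script|javascript:", re.IGNORECASE)


def denylist_filter(value):
    """Strips matches in one pass; anything the pattern does not name passes."""
    return DENYLIST.sub("", value)


def html_body_safe(value):
    """HTML body context: encode the characters that carry meaning there,
    instead of guessing which strings an attacker might send."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(script_block_naive(PAYLOAD))
    print("breaks out:", breaks_out_of_script(script_block_naive(PAYLOAD)))  # True
    print(script_block_safe(PAYLOAD))
    print("breaks out:", breaks_out_of_script(script_block_safe(PAYLOAD)))   # False
    # Nested tag: removing the one '<script' leaves a well-formed one behind.
    print(denylist_filter("<scr<scriptipt>alert(1)</script>"))
    # No '<script' at all, so the filter passes it untouched.
    print(denylist_filter("<img src=x onerror=alert(1)>"))
    print(html_body_safe("<img src=x onerror=alert(1)>"))
```

The two failure modes are the point: JSON encoding answers the question "is this a valid JavaScript value?" while the browser is asking "where does this element end?", and a denylist answers "is this one of the strings I know?" while the attacker only needs one string the list does not know. Encoding for the actual output context (the `\u003c` escapes for script bodies, `html.escape` for element content) sidesteps both questions.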