My current writing project has taken time away from adding new content lately. Here’s a brief interlude of The Twelve Web Security Truths I’ve been toying with as a side project. They are modeled on The Twelve Networking Truths from RFC 1925.
- Software execution is less secure than software design, but executing code attracts actual users.
- The time saved by not using parameterized queries to build SQL statements should be used to read about using parameterized queries.
- Content with XSS vulns are affected by the Same Origin Policy, which is nice for XSS attacks that inject into the site’s origin.
- CSRF countermeasures like Origin headers mitigate CSRF, not XSS. Just like X-Frame-Options mitigates clickjacking, not XSS.
- Making data safe for serialization with JSON does not make the data safe for the site.
- There are four HTML injection vulns in your site today. Hackers will find two of them, the security team will find one, the dev team will introduce another one tomorrow.
- Deny lists miss the attack payload that works.
- A site that secures user data still needs to work on the privacy of user data.
- Hashing passwords with 1,000-round PBKDF2 increases the work factor to brute force the login page by a factor of 1. Increasing this to a 10,000-round PBKDF2 scheme provides an additional increase by a factor of 1.
- A site is secure when a compromise can be detected, defined, and fixed with minimal effort and users are notified about it.
- Off-by-one errors only happen in C.
Enjoy. And stick around for (the not quite yet imminent arrival of) new content. Thanks for reading!