sorted by: recent | see :
popular
Content Tagged with Editorial + books
Ajax and Security - Discuss
Often when you hear discussions regarding Ajax and security, its said that the issues remain the same as they were ten years ago: don't trust user input, don't expose sensitive data without encryption, code for security from day one, never display system errors messages, etc. While that is all true and good, one thing I heard from the Ajax Experience that stuck with me is that "ajax increases the typical amount of attack vectors". We are hitting the server more often, with different transports, and often talking to remote servers as well for services. This will only become a bigger issue as cross domain ajax becomes more prevalent and libraries and tools make it easier to mash things up without having to know each individual services' API. Do the developers you work with keep up to date on writing secure code? Have you seen your ajax app exploited by cross-site scripting attacks or sql injection, or are do you consider things "safe" because you are only doing intranet work?
With that in mind, Michel Sutton's entry on ten common security mistakes might be a good refresher. His earlier entry on SQL injection is also worth a read, particularly if you are hand-coding sql and aren't using a database library that handles parameterized SQL statements for you (though if thats the case you might have bigger issues...)
Recently I went looking for an authoritative book on web app security for some fun-filled weekend reading, and came up with very few hits. The closest I found was How to Break Web Software
There are a ton of books on server security and locking down your OS, but not much that targets web applications specifically. Any other good suggestions? Any web security blogs worth subscribing to?
Security
experience
the
Editorial
page
books
remoting
testing
Ajax
front