Category: Secure Development

  • Security in the build pipeline

    I’ve already blogged about OWASP Dependency Check or its alternative SourceClear in the past. But there is more you can do about security in a typical (Jenkins) build. Although I’m calling this post “Security in the build pipeline” I’m not actually using the Jenkins pipeline as code feature. Security scans are independent of that, so…

  • SRC:CLR revisited

    I was approached by SourceClear a little while ago to have another look at their dependency vulnerability scanner after my first blog post on their service. Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed:…

  • Finding vulnerabilities in third party libraries

    I’ve already blogged about OWASP Dependency Check as a Jenkins plug-in a little while ago. With SRC:CLR, a new web based alternative might be available. To use it, simply register via GitHub login and follow the installation instructions for your operating system. After installation, execute a scan via command line: srcclr scan --url https://github.com/dschadow/JavaSecurity.git The…

  • Using OWASP Dependency Check as Jenkins plugin

    OWASP Dependency Check is a great tool to check your third party dependencies in Java (web) applications. Besides using it as a command line tool, Maven plugin or Ant task, you should integrate it in all your Jenkins build jobs. One downside is that, by default, every build job downloads and regularly updates its own National Vulnerability…

  • Free web application vulnerability scanner for Eclipse

    Contrast released Contrast for Eclipse 1.0 already a little while ago. The Eclipse plug-in works as a runtime security scanner and checks for security vulnerabilities in your web application while executing it in Eclipse. On the Eclipse Marketplace, Contrast promises automated detection of OWASP Top 10 vulnerabilities. This is the first free tool…

  • Using security response headers with WordPress

    I’ve added several security headers to my blog today. The first part was easy: I’ve created a .htaccess file in my blog’s root directory with the following content: Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options DENY Header set X-Content-Type-Options "nosniff" Header set Strict-Transport-Security "max-age=31556926" Header set Cache-Control "no-store, no-cache, must-revalidate" Only one header was…

  • Keep Your X-Frame-Options header a little while longer

    So Mozilla has decided to deprecate the X-Frame-Options header to avoid clickjacking or UI redressing attacks (have a look in the page history, the first version used a much stronger language). This header was never standardized (as the leading X indicates), but is supported in all browsers (yes, in ALL browsers, with the exception of…

  • JSF stateless views and CSRF protection

    JavaServer Faces (JSF) – especially since version 2.2 – provides a good Cross-Site Request Forgery (CSRF) protection. To achieve this, every form automatically receives a random hidden token: There is nothing more for the developer to do, JSF takes care of comparing the token’s value against the one stored in the server side session. Without the correct…

  • Java-Web-Security – Sichere Webanwendungen mit Java entwickeln

    My (German) book Java-Web-Security – Sichere Webanwendungen mit Java entwickeln is available at dpunkt.verlag since February 25th 2014 and of course in every book store out there.

  • Java-Web-Security: Sichere Webanwendungen mit Java entwickeln

    Early 2014 in a bookstore near you Java-Web-Security: Sichere Webanwendungen mit Java entwickeln (German only, at least at the moment…)