Category: Secure Development

  • Java Security Myths session at DOAG 2013

    I’ll be speaking about Java Security Myths at the DOAG 2013 conference in Nürnberg. My (German) session is on November 21st at 10 a.m.

  • OWASP Top 10 2013 release candidate published

    The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki): A1 Injection A2 Broken Authentication and Session Management (was formerly A3) A3 Cross-Site Scripting (XSS) (was formerly A2) A4 Insecure Direct Object References A5 […]

  • Total failure of Java security

    Wow, that’s a sentence I believed I would never write in my professional life: deactivate Java in your web browser immediately! In any browser and on any operating system. Instructions are e.g. available here and normally on your browser manufacturer home page. Turning it off does not have an impact on normal Java applications, those […]

  • Security is every developer’s job

    In one of his latest blog posts published in the OWASP feed, Dinis Cruz points out, that secure development and application security itself must be invisible to developers. I can’t completely agree to that. On one side, Dinis is right: The frameworks we use must be way more secure out of the box and way […]