I’ll be speaking about Java Security Myths at the DOAG 2013 conference in Nürnberg. My (German) session is on November 21st at 10 a.m.
The first release candidate of the new OWASP Top 10 2013 was published a couple of days ago (PDF). And the top 10 changed quite a bit (see the project wiki):
A1 Injection
A2 Broken Authentication and Session Management (was formerly A3)
A3 Cross-Site Scripting (XSS) (was formerly A2)
A4 Insecure Direct Object References
A5… Continue reading OWASP Top 10 2013 release candidate published
Wow, that’s a sentence I believed I would never write in my professional life: deactivate Java in your web browser immediately! In any browser and on any operating system. Instructions are available here, for example, and normally on your browser vendor’s home page. Turning it off does not affect normal Java applications, those… Continue reading Total failure of Java security
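Browser-by-browser instructions are linked from the post itself; what an administrator typically also wants is a way to verify that the Java runtime's own switch for browser content is off on every machine. The following is an added example, not code from the original post: a small POSIX shell check that reads a Java deployment.properties file and reports whether the plug-in is disabled and that setting locked. The property names deployment.webjava.enabled and deployment.webjava.enabled.locked are assumed here as documented for Java 7 Update 10 and later; verify them against the JRE version you actually deploy. The sample files it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Java
# deployment.properties file disables Java content in the browser.
# Assumes the Java 7u10+ property names deployment.webjava.enabled and
# deployment.webjava.enabled.locked; check them for your JRE version.
# Returns 0 when the plug-in is disabled AND the setting is locked so
# that a user cannot flip it back in the Java Control Panel, 1 otherwise.

java_plugin_disabled() {
    props="$1"
    [ -r "$props" ] || return 1
    # Normalise the file: drop CR line endings, drop comment lines and
    # remove whitespace around '=' so "key = value" is treated like "key=value".
    cleaned=$(tr -d '\r' < "$props" \
        | grep -v '^[[:space:]]*#' \
        | sed 's/[[:space:]]*=[[:space:]]*/=/')
    # The switch itself must be present and explicitly false.
    echo "$cleaned" | grep -qx 'deployment\.webjava\.enabled=false' || return 1
    # The lock line (the property name with a ".locked" suffix) must be present.
    echo "$cleaned" | grep -q '^deployment\.webjava\.enabled\.locked' || return 1
    return 0
}

# Constructed sample files for trying the check offline.
# $1: a hardened system-wide file, $2: a file that leaves the plug-in enabled.
write_samples() {
    cat > "$1" <<'EOF'
# constructed sample: Java browser plug-in off and locked
deployment.webjava.enabled = false
deployment.webjava.enabled.locked
EOF
    cat > "$2" <<'EOF'
# constructed sample: default, plug-in still enabled
deployment.webjava.enabled=true
EOF
}

# Stand-alone run: create the samples in a temp dir and report on each.
if [ "${JAVA_PLUGIN_CHECK_DEMO:-1}" = "1" ] && [ -z "$JAVA_PLUGIN_CHECK_NO_DEMO" ]; then
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir/hardened.properties" "$demo_dir/default.properties"
    for f in "$demo_dir/hardened.properties" "$demo_dir/default.properties"; do
        if java_plugin_disabled "$f"; then
            echo "OK   $f: Java in the browser is disabled and locked"
        else
            echo "FAIL $f: Java in the browser is still enabled or not locked"
        fi
    done
    rm -rf "$demo_dir"
fi
```

Point the function at the system-wide file named by your JRE's deployment.config (the location differs per operating system) rather than at a user's own deployment.properties; a user-level file can be edited by the user, which is exactly why the locked form matters.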
In one of his latest blog posts published in the OWASP feed, Dinis Cruz points out that secure development and application security itself must be invisible to developers. I can’t completely agree with that. On the one hand, Dinis is right: The frameworks we use must be way more secure out of the box and way… Continue reading Security is every developer’s job