Application Development: NaCl and Sodium crypto libraries

Security concepts are very important at line of professional Application Development in enterprise scope. Cryptography helps us to achieve Integrity and Confidentiality as 2 of 3 main Security principles. Protocols needs us to encrypt and decrypt important data, specific content have to be signed and verified. For decades we used RSA, OpenSSL [https://www.openssl.org/] as general-purpose cryptography library and its wrappers. On the other hand, OpenSSL is not so easy to work with. It needs both some level of understanding cryptography and its approaches as a whole and pure implementation aspects of OpenSSL, as well. For now, we have much better approaches. Easy to use, but strong at line of cryptography and implementation.


Daniel J. Bernstein (with colleagues) released NaCl library [https://nacl.cr.yp.to/] several years ago. It’s pronounced “slat”. The main goal was to bring easy-to-use solution for software developers, who need just-work cryptography in their projects. Simplicity is the key point of the interface of the framework. On the other hand, it covers all duties of cryptography library and provides all common routines: hashing, public-key encryption, signing and authenticated encryption. E.g., authenticated encryption is an algorithm including 3 steps mixed in one of 3 ways. NaCl provide single interface crypto_box, which is done everything in one step. Such approach is much safer. Developer can’t break something in the flow. Main implementation of the library is in C, C++ and python. C version can be used in embedded Application Development. It doesn’t depend on dynamic memory allocation. There are several implementations of the same function.

Read more

Application Security: Cross-site scripting (XSS)

Professional web development standards are very high nowadays. It doesn’t matter how big your team or budget. Application Security is extremely important for project of any size. Huge software companies may even have separate departments working on security tasks only. There are manual code review of existing solutions, automation of scanning for well-known vulnerabilities by special tools, writing unit and integration tests, research the cases, implementation of modern approaches. On the other hand, if you are sole developer in your startup (or even single contributor at all), you have to spend some time playing this role as well.

Sources of the harmful code

Cross-site scripting or XSS is the most widely exploited security hole in Web. At first sight, it seems not very dangerous for Application Security, because there is no obvious way to harm the system or damage the data on the server side. Generally, the main goal of XSS attack is to execute custom JavaScript code in the browser of the user. To be executed, that code have to pass into the page in some way. There are 2 options for hacker to achieve it. First, and the most known, is saving JavaScript code as a part of Web 2.0 content on the server side provided by users of the service.

Read more

Password Manager is a must-have for both the security and the life

The Number of web sites and services in our daily duties grows from year to year. Each service requires standard user authentication. Generally, Application Security started with login/password pair, for all of us. It’s not easy to remember even dozen strong passwords, particularly if some service is used once per month. Keep in mind, we have to use different passwords. Usage of the same password for many web sites is the most worst thing a user can do at line of Application Security.

OpenID vs. Login/password schema

Modern web sites nowadays uses third-party authentication based on OpenID technology

Read more

Best ways to defend your web applications in 2013

We have to admit that usual ways of securing the application like firewalls are not working now. On the other hand more and more people are now using web applications and this is what shall be defended properly. Let’s see the best ways of how to secure the web application.

The strategy will mostly depend on the structure and architecture of the current application. Remember to test every defending system you come up with.

The main course will be the total agnosticism in the programming language.

The most suited case for the application developers and protectors is the well-known DEV522: Defending Web Applications Security Essentials.

Here is the list of main topics to be discussed there:

  • Application language configuration
  • Application coding errors like SQL Injection and Cross-Site Scripting
  • Infrastructure Security
  • Server Configuration
  • Authentication Bypass
  • Web services and related flaws
  • Authentication mechanisms
  • XPATH and XQUERY languages and injection
  • Business logic flaws
  • Cross-Site Request Forging
  • Web 2.0 and its use of web services
  • Protective HTTP Headers
Read more

Several secrets of mobile application usability

No one can now be surprised with the wireless connection. It’s even more popular today than the standard wired connection, since people tend to stay mobile and in touch with each other all day long. We can now share not only the data, but also are one step away from the full range voice telephony due to 4G technologies.

What are the current problems of mobile web programming?

First of all, they shall become rather quick, since no one wants to wait till the page loads. The current bandwidth has significantly improved compared to what it had been like. Still there are differences between wired and mobile application usability. Also the demands of current users had become rather high and hard to satisfy. It happened mostly due to the multimedia content shared through the mobile connection.

Each user is now free to choose which network to use: an old one or any kind of the new one. The time of usage is very well important too. Still the bandwidth in wired or wireless network doesn’t differ that much nowadays.

Due to various devices people use in order to get to the network, experts advise to make all portals in 4 different variations suitable for the following devices:

High bandwidth for large screen

  • High bandwidth for small screen
  • Low bandwidth for large screen
  • Low bandwidth for small screen

8 ways to test usability

1. Testing paper prototypes

The paper prototypes let you know just how information will look on the screen of the chosen mobile device without actually using the page… and the real screen. All you have is paper and the removable flexible sheet with data.

Read more

Ten top-hints for the effective ecommerce solution the professional ecommerce developer shall use.

Category: Ecommerce

The ten main features listed below are the most valuable for running the effective ecommerce in the form of the web store:

Existing resources shall be compatible. It’s not easy to run the commercial website nowadays if you don’t obtain the possibility to change the features of the existing system. If the software you’ve chose can be easily linked to the existing hardware of your own including the operating system, you will experience no problems.

The existing data shall be easily imported in the range of ecommerce solution. This is really valuable in aces you’ve got a long list of products and have no intention to download them one by one manually.

The link beaten the Legacy Application and the APIs shall be performed by the ecommerce developer. The really challenging feature here is the link of the finance system and the inventory management.

The ability to work with the virtual shopping cart. This is the basic instrument of the ecommerce, as the customers use it to perform the actual orders and buy goods.

Read more

Database security: things a good compliance officer ought to know

Starting the article, I decided to assume most people are already common with the database development and the details of its organization. Still I realized in the process that sometimes people dealing with the data protection aren’t really well informed about a lot of needful things. As we speak about databases, not all the developers actually know the aspects of the database security, as well as some issues that are security related can easily pass them. Moreover some databases are literally full of rather sensitive information.

So why would the companies through away awesome sums of money to keep their desktops and perimeters secure? Here are the main reasons to do so:

1. “I don’t see so I don’t care”. Usually the databases won’t get our attention unless they get slow or break down.

2. “Cat in a box”. Most compliance officers have no idea, what does actually happen inside the database aside from getting the needed information out of it.

3. “Welcome if you get access”. The feature of DBA is that they stay secure as long as you have the access, they will just go on tuning the performance of the database.

Read more

The Research report from the Application Security: 2011 & Beyond

The completely new study of the Application Security was offered by Forrester Research in April this year. The title of the study is Application Security: 2011 & Beyond, the course was led by well known Dr Chenxi Wang, who takes the position of the lead analyst of the company. He offers the results of multiple valuable researches, as well as several insights and the whole list of useful recommendations given to the professionals working in the security and risk fields. The study was run in the closed form before, yet now it’s opened for the audience and all the people can attend it. Dr Wang hopes it will certainly raise the awareness of the importance of the development in the field of application security.

The sufficient resources were observed in the following report. According to the given information, the application security is still very important for business of all kinds. However though it’s officially considered as the primary priority of all the professionals in IT sector, still a lot off applications have been hacked lately. A lot of important data was taken away or changed drastically.

Read more

The weak points of the system the web database developers shall know

It’s not easy to protect data nowadays; still you will be much more protected if you cover the most visible vulnerabilities. This way your data will be secure.

The main thing is that most of the databases are not protected enough from the very beginning and it’s your trouble to protect them well enough. The administrator shall review the base regularly and close the unneeded packages so they will not appear the hole to dig into the database. The most important is however the regular patch.

Here are the most valuable ten features you shall keep in mind.
1. The password. It shall be complicated enough for the intruders not to break it in a second, leaving your database revealed.
2. SQL. The SQL injection is one of the most popular ways to get to your data and spoil it. Web database developers shall teach the system to avoid accepting all the data coming from the users.

Read more

The review of the Ruby on Rails application security

As we go on analyzing the new version of the well known Ruby in Rails, let’s pay the close attention to the security basis of the units. The fresh feature of the Rails 3 that draws all the attention is the XSS protection. While it has been the additional application before, nowadays it goes as a default one. The first use of this application was within Rails 2; still there the h method was used for application security.

<%= h @comment.text %>

The nature of the h method lies in the total escape from both html and JavaScript.  This way you can be sure no client-side code in any Ruby on Rails application was executed. Though this method is really effective one, still it has a huge disadvantage. The thing is that you must not forget to use the h method each time the user input appears on your screen. If you do not do it even one single time, you will appear to be opened for the extensive XSS attack.

Read more