Application Development: NaCl and Sodium crypto libraries

Security concepts are very important in professional enterprise application development. Cryptography helps us achieve integrity and confidentiality, two of the three main security principles. Protocols require us to encrypt and decrypt important data, and specific content has to be signed and verified. For decades we have used RSA and OpenSSL [https://www.openssl.org/] as a general-purpose cryptography library, together with its wrappers. On the other hand, OpenSSL is not easy to work with: it requires both some understanding of cryptography and its approaches as a whole and knowledge of the implementation details of OpenSSL itself. Now we have much better options, easy to use yet strong both cryptographically and in implementation.


Daniel J. Bernstein (with colleagues) released the NaCl library [https://nacl.cr.yp.to/] several years ago. It’s pronounced “salt”. The main goal was to bring an easy-to-use solution to software developers who need cryptography that just works in their projects. Simplicity is the key point of the library’s interface. At the same time, it covers all the duties of a cryptography library and provides all the common routines: hashing, public-key encryption, signing and authenticated encryption. For example, authenticated encryption is traditionally an algorithm of three steps combined in one of three ways; NaCl provides a single interface, crypto_box, which does everything in one step. This approach is much safer, because the developer can’t break something in the flow. The main implementations of the library are in C, C++ and Python. The C version can be used in embedded application development, as it doesn’t depend on dynamic memory allocation. There are several implementations of the same function.

Read more

Application Security: Cross-site scripting (XSS)

Professional web development standards are very high nowadays. It doesn’t matter how big your team or budget is: application security is extremely important for a project of any size. Huge software companies may even have separate departments working on security tasks only: manual code review of existing solutions, automated scanning for well-known vulnerabilities with special tools, writing unit and integration tests, researching cases, and implementing modern approaches. On the other hand, if you are the sole developer in your startup (or even its only contributor at all), you have to spend some time playing this role as well.

Sources of the harmful code

Cross-site scripting, or XSS, is the most widely exploited security hole on the Web. At first sight it doesn’t seem very dangerous for application security, because there is no obvious way to harm the system or damage the data on the server side. Generally, the main goal of an XSS attack is to execute custom JavaScript code in the user’s browser. To be executed, that code has to get into the page in some way. There are two options for an attacker to achieve this. The first, and best known, is saving JavaScript code on the server side as part of the Web 2.0 content provided by users of the service.

Read more

Password Manager is a must-have for both the security and the life

The number of web sites and services in our daily duties grows from year to year. Each service requires standard user authentication. Generally, application security started with the login/password pair for all of us. It’s not easy to remember even a dozen strong passwords, particularly if some service is used once a month. Keep in mind that we have to use different passwords: using the same password for many web sites is the worst thing a user can do for application security.

OpenID vs. Login/password schema

Modern web sites nowadays use third-party authentication based on OpenID technology

Read more

Best ways to defend your web applications in 2013

We have to admit that the usual ways of securing an application, like firewalls, are not working any more. On the other hand, more and more people now use web applications, and these are what must be defended properly. Let’s look at the best ways to secure a web application.

The strategy will mostly depend on the structure and architecture of the application in question. Remember to test every defence you come up with.

The main course will be completely agnostic of the programming language.

The best fit for application developers and defenders is the well-known course DEV522: Defending Web Applications Security Essentials.

Here is the list of main topics to be discussed there:

  • Application language configuration
  • Application coding errors like SQL Injection and Cross-Site Scripting
  • Infrastructure Security
  • Server Configuration
  • Authentication Bypass
  • Web services and related flaws
  • Authentication mechanisms
  • XPATH and XQUERY languages and injection
  • Business logic flaws
  • Cross-Site Request Forgery
  • Web 2.0 and its use of web services
  • Protective HTTP Headers

Read more

Several secrets of mobile application usability

No one is surprised by wireless connectivity any more. It’s even more popular today than the standard wired connection, since people tend to stay mobile and in touch with each other all day long. We can now share not only data but are also one step away from full-range voice telephony thanks to 4G technologies.

What are the current problems of mobile web programming?

First of all, they have to be quick, since no one wants to wait for a page to load. Current bandwidth has improved significantly compared with what it used to be. Still, there are differences between wired and mobile application usability. Also, the demands of today’s users have become rather high and hard to satisfy, mostly because of the multimedia content shared over mobile connections.

Each user is now free to choose which network to use: an old one or any kind of new one. The time of usage matters very much as well. Still, the bandwidth of wired and wireless networks doesn’t differ that much nowadays.

Because of the variety of devices people use to reach the network, experts advise building every portal in four variations suited to the following devices:

  • High bandwidth for large screen
  • High bandwidth for small screen
  • Low bandwidth for large screen
  • Low bandwidth for small screen

8 ways to test usability

1. Testing paper prototypes

Paper prototypes let you see just how information will look on the screen of the chosen mobile device without actually using the page… or the real screen. All you have is paper and a removable flexible sheet with data.

Read more

Ten top hints for an effective ecommerce solution that a professional ecommerce developer should use.

Category: Ecommerce

The ten main features listed below are the most valuable for running an effective ecommerce business in the form of a web store:

Existing resources shall be compatible. It’s not easy to run a commercial website nowadays if you don’t have the possibility to change the features of the existing system. If the software you’ve chosen can be easily linked to your existing hardware, including the operating system, you will experience no problems.

Existing data shall be easily imported into the ecommerce solution. This is really valuable in case you’ve got a long list of products and have no intention of uploading them one by one manually.

The link between the legacy application and the APIs shall be built by the ecommerce developer. The really challenging part here is linking the finance system and the inventory management.

The ability to work with a virtual shopping cart. This is the basic instrument of ecommerce, as customers use it to place actual orders and buy goods.

Read more

Database security: things a good compliance officer ought to know

Starting this article, I decided to assume that most people are already familiar with database development and the details of its organization. Still, I realized in the process that people dealing with data protection are sometimes not well informed about a lot of necessary things. Speaking of databases, not all developers actually know the aspects of database security, and some security-related issues can easily pass them by. Moreover, some databases are literally full of rather sensitive information.

So why would companies throw away huge sums of money to keep their desktops and perimeters secure? Here are the main reasons:

1. “I don’t see it, so I don’t care”. Usually databases won’t get our attention unless they get slow or break down.

2. “Cat in a box”. Most compliance officers have no idea what actually happens inside the database, apart from getting the needed information out of it.

3. “Welcome, if you get access”. The habit of DBAs is to consider things secure as long as you have access; they will just go on tuning the performance of the database.

Read more

ASP.NET Application development in MVC mode

MVC (Model-View-Controller) is the topic of a variety of introductions to application security. Before programmers decide to use MVC, they should evaluate the functions of their applications, as this kind of programming differs much from the traditional options. Development with the well-known ASP.NET Web Forms is really effective when used on the Microsoft platform. The technology offered there is the natural source of rapid development. It also provides a really rich interface for the new ways of ASP.NET application development.

It’s not hard for developers to get a modern WYSIWYG interface with a wide range of facilities for everyday work and coding. Some of the important issues are handled separately there, so the general coding process is much simpler. The maintainability of performance and testability sometimes breaks down, however. As an alternative was needed, the modern MVC model was created. It was a completely new type of web development, and for application security it turned out to be rather significant. The abbreviation MVC, short for Model-View-Controller, became really popular on the web. Now the business logic was separated from the user interface, interacting mostly with databases and services. As modern ASP.NET application development states, the controller was meant to send the information to the model, which in its turn could display it correctly.

Read more

Application security of .NET Framework 4

.NET Framework 4.0 is the latest example of .NET development with serious innovations in the security field. There we can see a completely new policy known as Security Transparency. Now it’s the default mechanism.

So what application security does the Security Transparency policy offer? First of all, it enables you to use modern security-transparent code, which basically consists of three main parts:
– sandboxing
– permissions
– enforcement

Speaking about sandboxing, we usually mean the creation of an isolated domain in which the code is treated as a fully trusted version. The other code gets restricted permissions in the sandbox. The code chosen to be exposed to the sandbox is usually considered mostly transparent. This way you won’t change it during the process of .NET development.

Read more

The Research report from the Application Security: 2011 & Beyond

A completely new study of application security was offered by Forrester Research in April this year. The title of the study is Application Security: 2011 & Beyond, and the work was led by the well-known Dr Chenxi Wang, who holds the position of lead analyst at the company. He offers the results of multiple valuable research efforts, as well as several insights and a whole list of useful recommendations for professionals working in the security and risk fields. The study was run in closed form before, yet now it’s open to the audience and anyone can attend. Dr Wang hopes it will certainly raise awareness of the importance of development in the field of application security.

Sufficient resources were observed in the report. According to the given information, application security is still very important for businesses of all kinds. However, though it’s officially considered the primary priority of all professionals in the IT sector, a lot of applications have still been hacked lately. A lot of important data was taken away or changed drastically.

Read more