Tag Archives: security

Security Absolutism is the Enemy of Security Improvement

Security is an important topic and everyone knows it. This post is about a curious social behavior around implementing security procedures that often works against incremental improvement of security.


Posted by on April 9, 2014 in Design


Public or Private Member Variables?

When is it OK to make member variables public?


Posted by on February 7, 2014 in Coding


SSO: What is it?

Single Sign On (SSO) is a term that is used and abused in the industry. Most of us think we know what it means, and most of us do, but many of us still have a slightly different and occasionally incorrect interpretation. There are also some side issues and assumptions. This is an exploration of what must be included in an SSO framework.


Posted by on December 1, 2012 in Design


Securing against Cross-site Request Forgery

There is a type of attack, Cross-site Request Forgery (CSRF), that every form post is susceptible to. User 1 is logged into a site A and has a valid session. User 2 then sends an email message containing a form post to site A, or a link to a rogue web page with a form post to site A. Since the session is maintained in cookies, the browser attaches them automatically and this new form post is accepted by the server as a valid part of the current session. In this way, User 2 can make User 1 make changes on site A that User 1 was not expecting.


Posted by on June 12, 2012 in Design


Working Around Java’s SSL Limitations

The Java run-time environment (JVM) is able to support connections to other servers using SSL, but it has the very inconvenient behavior of refusing to connect to self-signed servers. A self-signed server has the public key necessary to ensure private communications, but does not have a certificate signed by a trusted authority that proves who it is. In the default mode of operation, when connecting to such a server, the Java SSL subsystem will throw an exception and prevent all communication. But there are good reasons why a service that you want to communicate with privately may not have such a certificate, and this post tells you how to connect to it anyway.


Posted by on October 16, 2011 in Example Code
