Security is an important topic and everyone knows it. This post is about a curious social behavior around implementing security procedures that often works against incremental improvement of security.
Tag Archives: security
Public or Private Member Variables?
When is it OK to make member variables public?
SSO: What is it?
Single Sign On (SSO) is a term that is used and abused in the industry. Most of us think we know what it means — and most of us do, but still many of us have a slightly different and occasionally incorrect interpretation. There are some side issues and assumptions. This is an exploration of what must be included in an SSO framework.
Securing against Cross-site Request Forgery
There is a type of attack (CSRF) that every form post is susceptible to. User 1 is logged into site A and has a valid session. User 2 then sends an email message containing a form post to site A, or a link to a rogue web page with a form post to site A. Since the session is maintained in cookies, the browser attaches them to this new form post, and the server accepts it as a valid part of the current session. In this way, User 2 can make User 1 make changes in site A that User 1 was not expecting.
Working Around Java’s SSL Limitations
The Java run-time environment (JVM) is able to support connections to other servers using SSL, but it has the very inconvenient behavior of refusing to connect to self-signed servers. A self-signed server has the public key necessary to ensure private communications, but does not have a certificate that proves who it is. In the default mode of operation, when connecting to such a server, the Java SSL subsystem will throw an exception and prevent all communications. But there are good reasons why a service that you want to communicate with privately may not have a certificate, and this post tells you how to accomplish this.