But anyway, sure, I hash my passwords with a salt before storing in the database, and yes, I make sure to check for quote marks in SQL query parameters. These are things we all do because it is common practice to do so. Every beginner’s tutorial and guide mentions these things, so we have grown up performing these actions to secure our code. But that doesn’t mean we understand the real dangers behind it. And that in turn means we will likely not notice a closely related but slightly different attack vector that could exploit our code, not to mention other vulnerabilities that aren’t ever mentioned at all except in security related guides (CSRF? XSS??).

The only reason I stumbled into actual web security consciousness was because of some catchy headline in the search results for a totally unrelated query. Gareth’s post about JavaScript hacking immediately appealed to the coder in me. The strange looking mangling of the language was oddly appealing. “How the heck does that still run!”, I thought. It was only after exploring the blog a bit more and the others it linked to did the situation begin to sink in. This was a whole other face of web applications I had never known about. It’s shocking that such a fundamental part had totally escaped me for so long (perhaps some people are just lazy, but I plead ignorance).

“if today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective.” Giorgio Maone

Where security used to be a reactionary or routine action for me, it was a state of mind for these people. We often hear the cliche of “thinking like a hacker”, but really, security is only valued enough if you are always in that state of mind. They trust nothing! This is something that doesn’t happen quickly, either. Despite hours of reading papers and discussions, my first reaction to seeing a new technology is still “Wow, that would be a cool new feature to implement for users!” Wrong! The security researcher has already thought of several ways it could possibly be vulnerable and is now working out the details.

Once you make the transition in your state of mind, you can begin to make more informed decisions on where to compromise features for security (ehh, now I’m starting to sound like my professor). Of course, not everyone has the capability to keep up with both worlds (that’s where the experts can make their dough), but an understanding of the dangers should at least be mandatory. The battle will always be features and functionality vs. security and privacy, but you should at least know what’s at stake before picking a side (or letting the hacker pick for you).

So, I suppose my reason for starting this blog is to document one developers transition from pure developer to security conscious developer in hopes that someone else might read it and gain something for them self. At my current level of experience, this is probably the best contribution I can give to the field right now. I haven’t seen many blogs easy to digest for beginners of webappsec like me, so I hope this one may help in that regard. Thanks for reading.

(Of course, I’m still going to post other things I come up with or find interesting, but emphasis is on webappsec.)

Install Tor and Privoxy from command line:

sudo apt-get install tor privoxy

Open Privoxy config file:

sudo gedit /etc/privoxy/config

Add this line to end of the file and save:

forward-socks4a / localhost:9050 .

Start both services:

sudo /etc/init.d/tor start
sudo /etc/init.d/privoxy start

Now you can install the Tor Button Firefox extension to turn anonymous browsing on and off with the push of a button. More details (like disabling logs) and things you can do with Tor in Ubuntu here.

I like Prologue because you can post quick Twitter-like updates easily, and I’d rather rather do that than post nothing at all between more involved posts. Yeah, microblogging. I’ve seperated the posts into two categories: the meat and potatoes and the carrots. Odd semantics, sure, but the RSS URLs are interesting.