Random links #10

Written on 18 March 2017, 03:25pm


Random things – session hijacking

Written on 18 March 2017, 11:53am


Two notes about session hijacking methods:

Difference between stored and reflected XSS attack

Stored or persistent XSS attack – relies on user input stored on the server. Best example – a comment on a news site.
Reflected or non-persistent XSS attack – relies on user input sent in the HTTP query parameters. Best example – site search, showing the keyword after the search.
Play the XSS game: xss-game.appspot.com
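The fix for both variants is the same: escape user input at output time, in the context where it is rendered. The following is an added example (not code from the original post) showing the two surfaces side by side, with a stored comment and a reflected search keyword, both constructed sample inputs, rendered into an HTML body through Python's `html.escape`:

```python
import html
from urllib.parse import parse_qs

# Constructed sample inputs for the two contexts (not taken from the original post).
STORED_COMMENT = "Nice article! <script>alert(1)</script>"          # came from the database
SEARCH_QUERY_STRING = "q=%3Cb%3Ehello%3C%2Fb%3E&page=1"             # came from the URL


def escape_for_html_body(text: str) -> str:
    """Escape text so the browser treats it as data, not markup, inside an element body."""
    return html.escape(text, quote=True)


def render_stored_comment(comment_from_db: str) -> str:
    """Stored XSS surface: the comment was stored long ago, but it is still user input
    and must be escaped every time it is rendered, not only when it was submitted."""
    return f'<li class="comment">{escape_for_html_body(comment_from_db)}</li>'


def render_search_results(query_string: str) -> str:
    """Reflected XSS surface: the keyword comes straight from the request's query string
    and is echoed back in the response."""
    keyword = parse_qs(query_string).get("q", [""])[0]
    return f"<h2>Results for: {escape_for_html_body(keyword)}</h2>"


if __name__ == "__main__":
    print(render_stored_comment(STORED_COMMENT))
    print(render_search_results(SEARCH_QUERY_STRING))
```

Note that `html.escape` is only correct for element bodies and quoted attribute values; JavaScript, URL and CSS contexts each need their own encoder, which is why templating engines with context-aware auto-escaping are preferable to hand-escaping.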

Session fixation

In a nutshell, session fixation means that the attacker obtains a legitimate session ID from the server and then makes the victim's browser use it, so that after the victim logs in the attacker holds an authenticated session. See example.
The counter-measures are quite simple:
– do not accept setting a session id via URL/POST parameters
– change session id after user login
– just use HTTPS and secure cookies, it’s 2017 and HTTPS adoption reached the tipping point
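The three counter-measures fit in a few dozen lines. Below is an added example (not code from the original post) with an assumed in-memory session store, an assumed cookie name `sid`, and a `handle_login` function whose password check is stood in for by a boolean; it reads the session id from the cookie only, rotates the id on login, and sets the cookie with the `Secure` and `HttpOnly` flags:

```python
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "sid"  # assumed cookie name


@dataclass
class Session:
    user: Optional[str] = None


@dataclass
class SessionStore:
    """In-memory session table standing in for a server-side session backend (assumed)."""
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self) -> str:
        # A fresh, unguessable id generated by the server; never taken from the client.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        # Move the session state to a new id and forget the old one, so an id that
        # was known before login stops working.
        session = self.sessions.pop(old_sid, Session())
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = session
        return new_sid


def session_id_from_request(headers: Dict[str, str], params: Dict[str, str]) -> Optional[str]:
    """Counter-measure 1: the session id is read from the cookie only. A 'sid' in the
    URL or POST parameters (the params dict) is deliberately ignored."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def set_cookie_header(sid: str) -> str:
    """Counter-measure 3: Secure (sent over HTTPS only), HttpOnly (no script access), SameSite."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_login(store: SessionStore, headers: Dict[str, str], params: Dict[str, str],
                 username: str, credentials_ok: bool) -> Tuple[int, Optional[str]]:
    """Returns (status, Set-Cookie value). credentials_ok stands in for password verification."""
    if not credentials_ok:
        return 401, None
    presented = session_id_from_request(headers, params)
    # Counter-measure 2: always issue a new id at login. A known pre-login session is
    # rotated (old id invalidated); a missing or unknown id gets a brand new session.
    new_sid = store.rotate(presented) if presented in store.sessions else store.create()
    store.get(new_sid).user = username
    return 200, set_cookie_header(new_sid)


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create()
    print(handle_login(store, {"Cookie": f"sid={pre_login}"}, {}, "alice", True))
```

Rotating on every login (rather than only when no session exists) is the part that breaks fixation: whatever id the victim's browser was carrying before authentication is discarded, so knowing it buys nothing.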

Security concepts #2

Written on 29 January 2017, 09:40pm


Functional requirements – what a system must do.
Non-functional requirements – how the system must behave. On top of performance, usability, maintainability -> security.
CIA – Confidentiality (Privacy), Integrity, Availability + non-repudiation

Attacker levels

kid-level: unskilled, opportunistic, bragging rights
malware/ransomware: automated, opportunistic, financial gain
professional attacker: highly skilled, resources, persistent, adapt to their targets
nation state level: best skills available, big resources, goals – aligned with the country military/geo-strategic objectives

Vulnerability / exposure / security incident

Vulnerability types: bugs and flaws. Bugs – defects introduced in the development process; can be detected by automated tools. Flaws – defects introduced in the design process; cannot be detected by automated tools.
A vulnerability does not necessarily cause an impact. It needs 2 more steps:
Exposure: if the vulnerability becomes known to an attacker
Security incident: if the attacker takes advantage of the exposure to perform an attack

Vulnerability assessment: black box vs white box testing
Black box – no access to the source code, hosting environment, etc
White box – full access to the source code, hosting, etc

Some principles:

– minimize the attack area
– secure defaults (coding and configuration)
– fail securely (defensive coding)
– give least privilege (need to know)
– multiple layers (ex. encrypted USB key, in a locked safe)
– no security by obscurity
– keep the design simple

Identification, Authentication, Authorization

Identification – who are you?
Authentication – how can you prove who you are?
Authorization – what can you do once authenticated?

Some specifics

– don’t say why the authentication failed (‘wrong username’ -> enumeration, ‘wrong password’ -> brute force attack)
– do not change data on the server via an HTTP GET request
– allow pasting passwords
– do not make the “Log out” option difficult to find
– just use HTTPS
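The first point above, in code. This is an added example (not from the original post) with a constructed one-user table and an assumed PBKDF2 password hash; it returns the same generic message whether the username or the password was wrong, and it goes one step beyond the note by also running the password hash against a dummy entry for unknown usernames, so that response time does not leak which case occurred either:

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

GENERIC_FAILURE = "Invalid username or password."  # one message for both failure causes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed scheme for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user table: one user, salted hash computed at import time.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery staple", _ALICE_SALT))}

# Dummy credentials used when the username does not exist, so an unknown user still
# costs one full hash computation and the timing looks the same as a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Returns (success, message). The message never says which part was wrong."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Constant-time comparison of the two digests.
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if username not in USERS:
        matches = False  # the dummy hash never represents a real account
    if not matches:
        return False, GENERIC_FAILURE
    return True, f"Welcome, {username}."


if __name__ == "__main__":
    print(login("alice", "wrong password"))
    print(login("nobody", "wrong password"))
    print(login("alice", "correct horse battery staple"))
```

The detail worth remembering is that the two failure paths must be indistinguishable in the response body, the status code and, as far as practical, the response time; a different message is the obvious leak, but a fast "no such user" path is the same leak in a different channel.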