The Register Columnists

Jeff Williams

Contact Mail Follow RSS feed
The Register breaking news

Denial, exposure and online security

Web applications have huge attack surfaces. Most sites have hundreds of URLs, and each function has plenty of parameters, form fields, cookies, and headers for attackers to play with. One simple way to make your web application more secure is to minimize your attack surface. Let's look at five simple ways to do this. Tighten …
Jeff Williams, 11 Nov 2008
The Register breaking news

Attention developers: Your SESSIONIDs are showing

Protecting passwords is important, but do you take the same care with your SESSIONIDs? You should. Here's how they work: When you log into a web application, you exchange your credentials for a SESSIONID cookie. This cookie gets sent with every subsequent request from your browser until you log out or the session times out. …
Jeff Williams, 29 Sep 2008
The Register breaking news

Cross-site hacks and the art of self defence

Hackers can force your browser to send requests to any site they want. It's not even hard - all they have to do is get you to view an email or a web page. Unless the site is specifically protected against this - and almost none are - then attackers can make your browser do anything you can do, and they can use your credentials …
Jeff Williams, 29 Aug 2008
homeless man with sign

Rich data: the dark side to Web 2.0 applications

All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services. Unfortunately, richness affords attackers an …
Jeff Williams, 1 Aug 2008
The Register breaking news

Time to dismount the hamster security wheel of pain

Enterprises are spending a huge amount of effort scanning for vulnerabilities that they already know are in their applications. Here's a little secret: there's no point in scanning if you haven't at least tried to put in a basic set of defenses. You already know you're vulnerable. So what kinds of defenses does the average web …
Jeff Williams, 23 Jun 2008

Too much code, too few application security specialists

Agile dominates software development. According to Scott Ambler, a prolific author of books on the subject in addition to being IBM's agile development practice lead, 69 per cent of organizations already use agile in one or more projects. Twenty four per cent of the rest are planning to start in the next year. Unlike …
Jeff Williams, 28 May 2008

The trinity of RIA security explained

The phrase "Rich Internet Applications" has become a popular term for applications that run inside your browser or on your desktop and that interact with web applications or web services. RIA platforms include JavaScript (part of the AJAX umbrella), Adobe System's AIR, Microsoft's Silverlight, Java applets, and Java JFX from Sun …
Jeff Williams, 8 Apr 2008
Stop sign

Reduce your exposure to AJAX threats

Fundamentally, there's nothing terribly new about the problems posed by Asynchronous JavaScript and XML (AJAX) when it comes to security, we just need to apply some good old security principles to this new technology. The problems occur because, unfortunately, there are an awful lot of devils hidden inside the details. One …
Jeff Williams, 18 Feb 2008
Stop sign

Stay ahead of Web 2.0 worms

Think you've protected your web applications from cross-site scripting (XSS) vulnerabilities? The odds are against you. Roughly 90 per cent of web applications have this problem, and it's getting worse as web applications and web services share more and more data. Many frameworks and libraries are encoding, decoding, and re- …
Jeff Williams, 7 Jan 2008

Biting the hand that feeds IT © 1998–2018