Interstell, Inc.

Security, Application Security, and Software Research

Protecting Input: Implement Whitelists

Introduction: We all know how important it is to keep malicious content from getting into our websites. Many of the most common attacks the Open Web Application Security Project (OWASP) lists, like Injection, Cross-site Scripting, or Unvalidated Redirects and Forwards, are only possible if the application doesn’t disallow bad content. There’s more than one way to accomplish this, and I’ll present several over the next few blog posts. We’ll start […]

Be Good to Your Future Self: Log the Right Stuff!

The next post will have code. I swear! But before we get to actual code, there’s one more foundation element I’d like to discuss: logging! If humans have ever used your applications, you know that logs can help you diagnose problems. It’s pretty obvious that you can get your customers back up and running more quickly with the right log information. But those humble files have much more potential that […]

Your New Rosetta Stone: The Security Architecture

What? We’re not coding yet? Not yet. Almost. I promise! This, and one more post, and you’ll start seeing honest to goodness code. PHP and Java. Together at last! To be honest, I think coding’s more enjoyable, too, but you know what? Coding in the wrong direction is a waste of time. Writing code that makes customers’ lives harder is even worse. That’s why I’m presenting the material in this […]

The Long Arm of the Law: Legal Compliance

We Have Legal Requirements? Yes, we have legal requirements! I don’t know about you, but as a developer, it’s hard for me to parse legal documents. Programming languages are one thing. I don’t even need to know the language to get the gist of the source code. But show me even the most rudimentary legal document? Even the phrasing doesn’t fit in my brain. Your customers, though, have certain expectations about […]

At a New Company? Time to Code, Right? But First…

So, you’ve just started your job as a developer at a new company. Congratulations! Before you dive into writing code, there’s something you should do first: check your company’s information security policy! Wait, what? If you’re like I was back in the day, you want to roll up your sleeves, sit in front of a keyboard, and prove to the rest of the team (or maybe just your boss) that […]