Jacob Kaplan-Moss

Tag: security

My "personal security" plan August 31st, 2007

Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Right now I’m doing a number of pretty stupid things, including reusing just a couple passwords (“high” and “low” security), using browser/keychain password remembering too much, and storing important documents (tax returns, etc.) unencrypted. A co-worker just had his laptop stolen, and I’ve realized just how screwed I could be if that happens to me.…

FAQ: Untrusted users and HTML February 24th, 2009

It’s a pretty common thing to see in web apps these days: many comment forms allow HTML, or some subset thereof; many social-network-style applications allow end-users to enter HTML in their profiles; etc. Unfortunately, allowing untrusted users to enter raw HTML is incredibly dangerous; read up on XSS if you don’t know why. So a common question that comes up in web developer circles deals with how best to “escape” user-entered HTML so that it is safe for presentation.…

I've joined Heroku May 13th, 2013

I’ve joined Heroku as their Director of Security. Why? I started as a Heroku skeptic. The first iterations of Platform-as-a-Service left me deeply underwhelmed. “Deploying web apps is hard,” I said, “there’s no way you can just abstract it away like that.” I was wrong. Over the last few years I’ve gone from being a Heroku skeptic, to a user, to a fan, and now — an employee. Perhaps at some later point I’ll write a bit about how my thoughts evolved, but for now I’ll leave it at this: Heroku’s vision of a world where developers are empowered to deliver apps is one I support.…

2016 DBIR Highlights April 27th, 2016

The 2016 edition of Verizon’s Data Breach Investigations Report is out, and as usual it’s compelling reading. The DBIR is one of the only sources of hard data about information security, which makes it a must-read for anyone trying to run a security program in a data-driven manner. What follows are the bits that I found especially interesting, and a bit of my own commentary. Internal threats are rare: “[T]he Actors in breaches are predominantly external.”…

Ratchets & Levers May 19th, 2016

There are a couple of metaphors that tend to guide my thinking about the practice of security: ratchets and levers. Ratchets: A ratchet is a kind of one-way gear, with angled teeth and a pawl that allows motion in one direction only. In the physical world we use ratchets to help lift or move heavy loads. Using a ratchet, we can overcome the massive inertia of a heavy object by breaking the movement down into small, easy, irreversible steps.…

Don't include social engineering in penetration tests June 27th, 2017

I’m not a fan of including social engineering – spearphishing, calls to support tickets, office visits – as part of penetration tests. These activities are risky, and often involve borderline and outright inappropriate behavior. Further, they tend not to produce useful results. I encourage you to explicitly forbid social engineering attacks in your pentest scopes. Instead, try simulating the kinds of compromises that social engineering attacks lead to, with an emphasis on detection and response.…

A bit of smart security design from Tiller November 19th, 2018

I’m trying out Tiller (a service that pulls financial transaction data into Google Sheets), and there’s a nifty bit of security design. Instead of its own authentication, you log in via Google. This means Tiller doesn’t need to do any account management, and my account’s as secure as my Google account. Like all other services in this sector (Mint, Personal Capital, YNAB, etc.), the actual data sync happens via Yodlee. Yodlee is… not great, but it’s at least not worse than what everyone else is doing.…

Articles for r2c: Preventing SQL Injection in Django May 15th, 2020

SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. This article will help you understand and prevent SQLi vulnerabilities in your Django apps.

Articles for r2c: Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020

Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.

Articles for r2c: Bringing Security along on the CI/CD journey January 11th, 2021

Practical ways to bridge the gap between AppSec and Engineering.

Hangar's Dumb Security Questionnaire January 15th, 2021

Over on the Hangar tech blog, I’ve posted our Dumb Security Questionnaire (the questions we ask vendors to evaluate their security maturity). All DSQs are dumb, but I think ours is a little less dumb. If not, at least it’s short.

2021 DBIR Highlights May 18th, 2021

The 2021 edition of Verizon’s Data Breach Investigations Report (DBIR) is out. I read the DBIR every year; it’s one of the only analyses of real-world security failures that approaches any sort of scientific rigor. Here are some of the highlights from the 2021 edition, along with my commentary.

Probably Are Gonna Need It: Application Security Edition July 8th, 2021

My list of “Probably Are Gonna Need It” security features for your web app – things that you should build up-front, not wait until you need them (when it’s already too late).