Security Corner (category archive)

Security Corner: A Reintroduction to TLS

February 4, 2020

In mid-January, the US National Security Agency warned of a critical security flaw in how the Windows operating system validates cryptographic certificates. Because those certificates underpin how TLS (transport layer security) protects the internet at large, it’s essential to understand both what happened and how your development team can avoid similar mistakes.

Security Corner: Seven Deadly Sins of Security

January 3, 2020

While no list of security risks or best practices can ever be exhaustive, such lists often serve as decent starting points. Understanding some of the most common classes of security mistakes is a great way to begin a conversation about total application security. The following seven security risks are critical for any application development team to understand; they’re easy mistakes to make but equally easy to avoid if you keep your eyes open.

Security Corner: Crypto Streams

December 4, 2019

The goal of any encryption operation is to scramble the patterns in the plaintext source data and otherwise protect its contents by rendering a specific message indistinguishable from random noise. A cryptographically secure algorithm or implementation is one that can be shown, under well-studied assumptions, to render data in such a state—there is no mathematical way to analyze […]

Security Corner: Twist and Shout

November 7, 2019

By Eric Mann

Most self-taught developers in our industry learn to leverage an API long before they spend time learning lower-level coding patterns. This experience isn’t necessarily a bad thing. All the same, it’s important to take some time to dig deeper and better understand the tools and technologies at the core of our trade. […]

Security Corner: Responsible Encryption

November 4, 2019

As early as 2018, many governments began calling for the tech community to create so-called “responsible encryption.” Their goal is for tech companies to provide blessed “back doors” for law enforcement to decrypt and otherwise inspect messages and data created by citizens within their borders. These calls and the arguments made to support them, however, […]

Security Corner: Twist and Shout

September 3, 2019

Computers are deterministic by nature, so we need to leverage purpose-built random number generators to introduce unpredictability into the system.
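
The “Twist” in the title of both columns above is the Mersenne Twister (MT19937), the generator behind Python’s random module and PHP’s mt_rand(): its output is a deterministic function of 624 words of state, and that state can be recovered from the outputs. The Python below is an added example for this listing, not code from either column, showing why a general-purpose generator must never be used for tokens, session ids or keys: given any 624 consecutive 32-bit outputs of Python’s random module, it inverts the output tempering, rebuilds the state, and predicts every subsequent value. The seed, the victim generator and the leaked outputs are constructed for the demonstration; secrets.token_hex stands in for the purpose-built generator the excerpt calls for.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words


def temper(y: int) -> int:
    """MT19937 output tempering: the only step between a state word and the caller."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift_xor(y: int, shift: int) -> int:
    # Inverts y ^= y >> shift. The top `shift` bits are already correct and each
    # pass fixes the next `shift` bits below them.
    result = y
    for _ in range(32 // shift + 1):
        result = y ^ (result >> shift)
    return result & MASK32


def _undo_left_shift_and_xor(y: int, shift: int, mask: int) -> int:
    # Inverts y ^= (y << shift) & mask, working upward from the low bits.
    result = y
    for _ in range(32 // shift + 1):
        result = y ^ ((result << shift) & mask)
    return result & MASK32


def untemper(y: int) -> int:
    """Invert temper(): recover the raw state word from one 32-bit output."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_and_xor(y, 15, 0xEFC60000)
    y = _undo_left_shift_and_xor(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_from_outputs(outputs: list[int]) -> random.Random:
    """Rebuild a generator from any 624 consecutive 32-bit outputs."""
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} consecutive outputs, got {len(outputs)}")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Python's state is (version, 624 words + index, gauss_next); index == N means
    # "run the twist before producing the next value", i.e. continue after the leak.
    clone.setstate((3, state + (N,), None))
    return clone


def predict_next(observed: list[int], count: int = 10) -> list[int]:
    """Values the leaking generator will produce next, computed from the leak alone."""
    clone = clone_from_outputs(observed)
    return [clone.getrandbits(32) for _ in range(count)]


def demo_prediction(seed: int = 0xC0FFEE) -> bool:
    """Constructed victim: a seeded Mersenne Twister that leaks 624 outputs.

    Returns True when the clone predicts the victim's next ten values exactly."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(N)]
    predicted = predict_next(leaked, 10)
    actual = [victim.getrandbits(32) for _ in range(10)]
    return predicted == actual


def unpredictable_token() -> str:
    """What to use instead: the operating system's CSPRNG via the secrets module."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("clone predicts victim:", demo_prediction())
    print("CSPRNG token:", unpredictable_token())
```

The same attack applies to any MT19937 user that exposes raw outputs (for example, PHP’s mt_rand() before it is wrapped in a range), which is why the purpose-built generators the excerpt refers to are the operating system’s CSPRNG interfaces (random_bytes() in PHP, secrets in Python) rather than a seeded general-purpose generator.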

Security Corner: System Enumeration

August 2, 2019

The first step to protecting your system is to understand the actions, behaviors, and motivations of those who would breach and damage it. Learning to think like an attacker is excellent. Mastering the tools attackers are likely to use on your platform is even better. The question isn’t whether they’ll get in; it’s what exactly they’ll do once they have.

Security Corner: Defending Against Insider Threats

July 2, 2019

When many people think about security, they naturally think of attacks from external threats and entities, originating outside the application, the network, or even the organization. What we often fail to realize is that the most critical threat is often a user already inside the system.

Security Corner: Credentials and Secrets Management

June 5, 2019

Managing passwords in userland is complicated. Luckily, consumer tools like 1Password and LastPass make it easier than ever to protect user credentials. Unfortunately, this doesn’t help with the credentials used by our servers or code. The ways developers manage application credentials are legion; some are right, others fatally flawed.

Security Corner: Access Control and Authorization

May 2, 2019

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past.
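
To make the distinction concrete, here is an added example written for this listing (Python, not code from the column): the same invoice lookup implemented once with only an authentication check, which lets any logged-in user read any invoice by changing the id in the request, and once with an authorization check against the specific object requested. The invoice store, role table and session dictionaries are constructed stand-ins for an application’s real ones.

```python
from dataclasses import dataclass


class Unauthenticated(Exception):
    """Nobody is logged in: an authentication failure."""


class Forbidden(Exception):
    """The caller is known but not allowed: an authorization failure."""


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two customers with one invoice each, plus a support agent.
INVOICES = {
    101: Invoice(id=101, owner_id=1, total_cents=12_500),
    102: Invoice(id=102, owner_id=2, total_cents=8_000),
}
ROLES = {1: "customer", 2: "customer", 3: "support"}


def authenticate(session: dict) -> int:
    """Authentication answers 'who is this?'. It says nothing about what they may do."""
    user_id = session.get("user_id")
    if user_id is None:
        raise Unauthenticated("login required")
    return user_id


def get_invoice_vulnerable(session: dict, invoice_id: int) -> Invoice:
    """Conflates the two checks: being logged in is treated as permission.

    Any authenticated user can read any invoice just by changing the id in the
    request (an insecure direct object reference)."""
    authenticate(session)
    return INVOICES[invoice_id]


def can_read_invoice(user_id: int, invoice: Invoice) -> bool:
    """Authorization policy: owners read their own invoices; support reads all."""
    return invoice.owner_id == user_id or ROLES.get(user_id) == "support"


def get_invoice_fixed(session: dict, invoice_id: int) -> Invoice:
    """Authenticate, then authorize against the specific object requested."""
    user_id = authenticate(session)
    invoice = INVOICES.get(invoice_id)
    # One failure for both "does not exist" and "not yours": a caller probing ids
    # must not be able to learn which invoices exist.
    if invoice is None or not can_read_invoice(user_id, invoice):
        raise Forbidden(f"invoice {invoice_id}: not found or not permitted")
    return invoice


def outcome(handler, session: dict, invoice_id: int) -> str:
    """Run a handler and summarise the result as a short string for comparison."""
    try:
        invoice = handler(session, invoice_id)
        return f"ok:owner={invoice.owner_id}"
    except (Unauthenticated, Forbidden, KeyError) as exc:
        return type(exc).__name__


def demo_access_control() -> dict:
    """Each caller requests customer 1's invoice through both handlers.

    Returns {caller: (vulnerable_result, fixed_result)}."""
    target = 101
    callers = {
        "anonymous": {},
        "customer_2": {"user_id": 2},
        "owner_1": {"user_id": 1},
        "support_3": {"user_id": 3},
    }
    return {
        who: (outcome(get_invoice_vulnerable, session, target),
              outcome(get_invoice_fixed, session, target))
        for who, session in callers.items()
    }


if __name__ == "__main__":
    for who, (vulnerable, fixed) in demo_access_control().items():
        print(f"{who:10} vulnerable={vulnerable:12} fixed={fixed}")
```

The vulnerable handler and the fixed one behave identically for the owner and for support; the difference only shows when a logged-in user asks for someone else’s record, which is exactly the case an authentication-only check never considers.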