Developing Solutions

For the past decade I've been a "software developer". But what I really do is develop solutions, which often happen to involve writing some code, but sometimes don't. This post is about advice I used to give to new hires who were fresh out of college or were summer interns. Code Romance I decided to write about this after reading "Why Don't...

Mon Jun 1, 2015 10:49
Password Authentication for Go Web Servers

The Stack Overflow question "How are people managing authentication in Go?" has had a few thousand views. Go's frameworks (beego, goji, revel, martini, negroni, gin) do not have anything you should use built in. Other languages have a common capability for a "classic" password authentication scheme. A "classic" scheme requires a username (could be...

Fri Apr 24, 2015 01:31
Go code auditing

In the book "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" from 2007, the authors Mark Dowd, John McDonald, and Justin Schuh, discuss where to look for common trouble spots that affect all web platforms. They discuss CGI (when a web server used to directly call an executable), Perl, PHP, Java, ASP, and...

Sat Apr 18, 2015 23:58
Application White-Listing Expectations

Summary: Lower your expectations. In infosec, one definition of an exploit is something that takes advantage of a flaw. To be a "flaw", it must be unexpected behavior, and to "take advantage", it must result in greater privileges. Many discussions of exploits, bypasses, or attacks on white-listing systems show what they would claim is unexpected...

Thu Apr 16, 2015 22:49
Looking for security trouble spots in Go code

Different languages have certain areas where mistakes are commonly made, and which code auditors focus on. With C, you might grep for strcpy and memcpy. With Ruby, you might look for regexes that use ^ and $ instead of \A and \z. The use of those functions or idioms is not always a vulnerability, but they are good places to check first. I decided to look...

Thu Apr 16, 2015 03:47
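Why the Ruby anchor idiom above is worth grepping for, as an added example (not code from the original post): in Ruby, ^ and $ match at line boundaries, so a validator written with them accepts a multi-line string whose first or last line looks clean, while \A and \z anchor to the whole string. The block also includes a deliberately crude grep-style pass over constructed sample source, in the spirit of grepping C for strcpy. The validator names, the sample inputs and the sample source are all constructed for this example.

```ruby
# Added example, not from the original post.
# ^ and $ anchor at LINE boundaries in Ruby regexes ...
LINE_ANCHORED   = /^[a-z0-9_]+$/
# ... while \A and \z anchor at the start and the absolute end of the STRING.
STRING_ANCHORED = /\A[a-z0-9_]+\z/

# Hypothetical validator using the trouble-spot idiom.
def valid_username_weak?(s)
  LINE_ANCHORED.match?(s)
end

# Hypothetical validator using whole-string anchors.
def valid_username_strict?(s)
  STRING_ANCHORED.match?(s)
end

# Returns [weak_result, strict_result] so the two can be compared side by side.
def weak_vs_strict(s)
  [valid_username_weak?(s), valid_username_strict?(s)]
end

# Constructed inputs. A clean-looking line smuggled in front of (or behind)
# a payload satisfies the weak check because ^/$ only need one matching line;
# "alice\n" passes too because $ matches before a trailing newline.
SAMPLES = [
  "alice",                            # both accept
  "alice\n<script>alert(1)</script>", # weak accepts, strict rejects
  "<script>\nalice",                  # weak accepts, strict rejects
  "alice\n",                          # weak accepts, strict rejects
  "alice bob",                        # both reject
]

# Grep-style audit pass: flag each source line that contains a regex literal
# using ^ or $ and no \A, \z or \Z anywhere on the line. Deliberately crude,
# like grepping for strcpy: it produces places to look, not findings.
def suspicious_anchor_lines(source)
  source.each_line.with_index(1).select { |line, _|
    line.match?(%r{/[^/\n]*(\^|\$)[^/\n]*/}) && !line.match?(/\\A|\\z|\\Z/)
  }.map { |_, n| n }
end

# Constructed sample source to audit (lines 2 and 4 use line anchors).
SAMPLE_SOURCE = <<~RUBY
  class User
    validates :name, format: { with: /^[a-z0-9_]+$/ }
    validates :slug, format: { with: /\\A[a-z0-9-]+\\z/ }
    def admin_host?(h) h =~ /^admin\\./ end
  end
RUBY

if __FILE__ == $0
  SAMPLES.each { |s| puts "#{s.inspect}: weak/strict = #{weak_vs_strict(s).inspect}" }
  puts "lines to review: #{suspicious_anchor_lines(SAMPLE_SOURCE).inspect}"
end
```

The audit pass is only a first filter: a flagged line may be fine (for example a regex applied to a string that is already known to be single-line), which is the point the excerpt makes about these idioms being places to check rather than vulnerabilities in themselves.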
Choosing Libraries for Go Web Servers

One of the hardest things about coming to a new language is figuring out which libraries you should use, especially for young languages like Go, where there are a bunch of competing options with no clear winners. As an example, for Node, there was an issue opened for its npm package manager because there were 127 different bcrypt libraries. This...

Thu Apr 16, 2015 03:47