Secure development mistakes you might not know you’re making

19 min. read

Shelby Lee Neubeck

25 May, 2023

Secure Development Lifecycle — Part 1: Mistakes you might not know you’re making

Shield yourself from chaos: the importance of secure development

Are you experiencing these mistakes?

  1. Misconfiguring JWT validation and causing Cross-JWT Confusion
  2. Neglecting preventative measures for different recipient attacks
  3. Using a weak JWT signature
  4. Storing JWTs improperly
  5. Stumbling over OAuth implementation
  6. Not enforcing Object Level Authorization
  7. Providing access or leaking a pathname to a restricted directory
  8. Ignoring security debt
  9. No preventative measures for automated threats
  10. Placing blind trust in countermeasures and safeguards
  11. Neglecting to shield against deserialization vulnerabilities
  12. Failing to properly neutralise or validate inputs
  13. Not properly using cryptography
  14. Lacking preventative measures for cryptographic failures
  15. Utilising insecure default settings
  16. Lacking proper inventory management
  17. Failing to prioritise threat modelling
  18. Trusting vulnerable or outdated components
  19. Relying on “security by obscurity” with your hosting and development environments
  20. Providing bad error messages or leaking information in error data
  21. Failing to log and monitor incidents properly
  22. Being unprotected against log injection or log forgery
  23. Improper handling of sensitive data in memory
  24. Allowing “Use After Free” vulnerabilities
  25. Not limiting resource consumption
  26. Failing to add restrictions for operations within the bounds of a memory buffer
  27. Ignoring vulnerabilities in dependent packages
  28. Using code from other developers without validating
  29. Allowing privilege escalation via insecure API endpoints
  30. Inadvertently revealing secure endpoints to unauthorised users
  31. Failing to see where the API is unprotected
  32. Leaving your server vulnerable to server-side request forgery

Facing JWT Anarchy

Misconfiguring JWT validation and causing Cross-JWT Confusion

Neglecting preventative measures for different recipient attacks

Using a weak JWT signature
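The three JWT mistakes above share one root cause: the verifier lets the token describe how it should be checked, and checks nothing beyond the signature. The following Python is an added example, not code from this article or from passbolt. It puts a signature-only verifier (the mistake) beside one that pins the algorithm server-side, enforces the 32-byte minimum HMAC key that RFC 7518 requires for HS256, and checks issuer, audience and expiry, so a token minted for one recipient is refused by another. The secret, issuer, audience names, subjects and the fixed clock value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a 32-byte secret and a fixed clock so results are reproducible.
SECRET = b"0123456789abcdef0123456789abcdef"
ISSUER = "https://auth.example.internal"
NOW = 1_700_000_000  # fixed "current time" in seconds since the epoch


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token. RFC 7518 requires an HMAC key at least as long as the hash output (32 bytes for HS256)."""
    if len(secret) < 32:
        raise ValueError("HS256 secret must be at least 32 bytes")
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":  # unsigned token, produced here only to show the hardened verifier rejecting it
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature_only(token: str, secret: bytes) -> dict:
    """The mistake: the signature is checked, but nothing says who the token was for or whether it is still valid."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: int = NOW) -> dict:
    """Hardened verifier: algorithm pinned by the server, then signature, then iss, aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never take the algorithm from the token: this closes "alg": "none" and HMAC/RSA key confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:  # a token minted for another recipient is not ours to honour
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    return claims


def try_verify(token: str, secret: bytes, issuer: str, audience: str, now: int = NOW) -> tuple:
    """Return (accepted, claims_or_reason) so callers and tests can see why a token was refused."""
    try:
        return True, verify_hs256(token, secret, issuer, audience, now)
    except ValueError as exc:
        return False, str(exc)


# Constructed tokens: one for the billing API, one for the inventory API, one unsigned, one expired.
BILLING_TOKEN = issue_hs256({"iss": ISSUER, "sub": "alice", "aud": "billing-api", "exp": NOW + 600}, SECRET)
INVENTORY_TOKEN = issue_hs256({"iss": ISSUER, "sub": "alice", "aud": "inventory-api", "exp": NOW + 600}, SECRET)
UNSIGNED_TOKEN = issue_hs256({"iss": ISSUER, "sub": "mallory", "aud": "billing-api", "exp": NOW + 600}, SECRET, alg="none")
EXPIRED_TOKEN = issue_hs256({"iss": ISSUER, "sub": "alice", "aud": "billing-api", "exp": NOW - 1}, SECRET)

if __name__ == "__main__":
    # The sloppy verifier lets the inventory token through on the billing API: cross-JWT confusion.
    print("signature-only accepts aud:", verify_signature_only(INVENTORY_TOKEN, SECRET)["aud"])
    for name, tok in [("billing", BILLING_TOKEN), ("inventory", INVENTORY_TOKEN),
                      ("unsigned", UNSIGNED_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(name, "->", try_verify(tok, SECRET, ISSUER, "billing-api"))
```

The order of checks matters: the algorithm is compared against the server's configured value before any cryptography runs, and the signature is verified before any claim is read, so no decision is ever made on data the attacker could have written.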

Storing JWTs improperly

Misusing authorisation, authentication, and privileges

Stumbling over OAuth implementation

Not enforcing Object Level Authorization

Providing access or leaking a pathname to a restricted directory
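The heading above covers two related failures: letting a client-supplied path escape the directory you meant to serve, and telling the client where that directory is when you refuse. The Python below is an added example, not code from this article or from passbolt. It resolves the requested path against the served directory (following `..` and symlinks), refuses anything that lands outside it, and answers every refusal with the same generic response as a missing file. The directory tree, file contents and request paths are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Map a client-supplied path onto base_dir, refusing anything that resolves outside it."""
    base = Path(base_dir).resolve()
    # Joining discards base_dir when user_path is absolute, and resolve() follows ".." and symlinks,
    # so the containment check below sees the real target, not the string the client sent.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        # Deliberately generic: never echo the resolved path or the base directory to the client.
        raise PermissionError("path not permitted") from None
    return candidate


def read_document(base_dir: str, user_path: str) -> tuple:
    """What an API handler returns: (status, body). Refusals look like a missing file."""
    try:
        target = resolve_under(base_dir, user_path)
        if not target.is_file():
            return 404, "not found"
        return 200, target.read_text()
    except PermissionError:
        return 404, "not found"  # same answer as a missing file, so probing cannot map the filesystem


def demo() -> dict:
    """Build a constructed directory tree, exercise the check, and return (status, body) per request path."""
    root = tempfile.mkdtemp()
    public = Path(root, "public")
    Path(public, "reports").mkdir(parents=True)
    Path(public, "reports", "q1.txt").write_text("quarterly report")
    secret = Path(root, "secret.txt")  # outside the served tree
    secret.write_text("db password")
    os.symlink(secret, Path(public, "escape"))  # a symlink inside the served tree pointing outside it
    requests = [
        "reports/q1.txt",             # legitimate
        "../secret.txt",              # classic traversal
        "reports/../../secret.txt",   # traversal hidden behind a real directory
        "/etc/passwd",                # absolute path overrides the base when joined naively
        "escape",                     # symlink escape, caught because resolve() follows it
        "reports/missing.txt",        # genuinely missing file: indistinguishable from a refusal
    ]
    return {p: read_document(str(public), p) for p in requests}


if __name__ == "__main__":
    for path, response in demo().items():
        print(f"{path!r:32} -> {response}")
```

Two caveats a practitioner would add: do the check on the decoded path the framework hands you (URL-decoding twice, or decoding after the check, reopens the hole), and keep the served directory itself free of symlinks that point outside it, because the check above follows them to wherever they lead.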

Insufficiently configuring and designing for security

Ignoring security debt

No preventative measures for automated threats

Placing blind trust in countermeasures and safeguards

Overlooking proper neutralisation and data validation

Neglecting to shield against deserialization vulnerabilities

Failing to properly neutralise or validate inputs

Implementing cryptographic functions weakly or incorrectly

Not properly using cryptography

Lacking preventative measures for cryptographic failures

Under-prioritising the security of deployment and supply chain management

Utilising insecure default settings

Lacking proper inventory management

Failing to prioritise threat modelling

Trusting vulnerable or outdated components

Relying on “security by obscurity” with your hosting development environments

Inefficiently handling error data, monitoring and reporting processes

Providing bad error messages or leaking information in error data

Failing to log and monitor incidents properly

Being unprotected against log injection or log forgery
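Log forgery works because untrusted input containing a line break becomes a second, attacker-authored log record. The Python below is an added example, not code from this article or from passbolt. It shows a log line built straight from a username (the mistake), the same line with control characters neutralised, and a structured JSON event that a log pipeline can parse as fields rather than text. The attacker-controlled username is constructed for the example.

```python
import json


def neutralise_for_log(value: str, max_len: int = 256) -> str:
    """Escape CR, LF and other control characters so one untrusted value cannot become a second log line."""
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")  # keep escapes unambiguous
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")  # also bounds the size of a single record
    return "".join(out)


def login_line_unsafe(user: str, ok: bool) -> str:
    """The mistake: untrusted text is interpolated verbatim into a line-oriented log."""
    return f"login user={user} ok={ok}"


def login_line_safe(user: str, ok: bool) -> str:
    return f"login user={neutralise_for_log(user)} ok={ok}"


def login_event_json(user: str, ok: bool) -> str:
    """Structured alternative: JSON escapes control characters itself, and consumers read fields, not text."""
    return json.dumps({"event": "login", "user": user, "ok": ok}, ensure_ascii=True)


def parse_event(line: str) -> dict:
    return json.loads(line)


def record_count(text: str) -> int:
    """How many log records a line-oriented consumer would see in this output."""
    return len(text.splitlines())


# Constructed attacker username: a newline followed by a forged successful-login record for "admin".
FORGED_USER = "mallory\nlogin user=admin ok=True"

if __name__ == "__main__":
    print(login_line_unsafe(FORGED_USER, False))  # two records; the second is a lie
    print(login_line_safe(FORGED_USER, False))    # one record, forgery visible as \x0a
    print(login_event_json(FORGED_USER, False))   # one JSON object, newline escaped
```

Escaping at the logging boundary is the fallback; the structured form is what to prefer, since it also survives log shippers that split on other delimiters than newline.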

Failing to apply security measures to resource, memory and data handling

Improper handling of sensitive data in memory

Allowing “Use After Free” vulnerabilities

Not limiting resource consumption

Failing to add restrictions for operations within the bounds of a memory buffer

Recklessly using third-party packages and external code

Ignoring vulnerabilities in dependent packages

Using code from other developers without validating

Disregarding API and server-side security measures

Allowing privilege escalation via insecure API endpoints

Inadvertently revealing secure endpoints to unauthorised users

Failing to see where the API is unprotected

Leaving your server vulnerable to server-side request forgery
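Server-side request forgery is the server fetching a URL on a user's behalf without deciding first where that URL really goes. The Python below is an added example, not code from this article or from passbolt. It validates an outbound URL by scheme, embedded credentials and port, then resolves the host and refuses any address that is not globally routable (loopback, RFC 1918, the 169.254.169.254 metadata range, IPv4-mapped IPv6 and the like), checking every address the name resolves to. The DNS table, host names and addresses are constructed so the example runs offline; in production the system resolver shown is used instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_ip(text: str) -> bool:
    """True only for globally routable addresses: loopback, RFC 1918, link-local, CGNAT, test nets are refused."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:  # ::ffff:127.0.0.1 is still loopback
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> list:
    """Production resolver: every address a name maps to must pass, since the HTTP client may use any of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolve=system_resolver) -> dict:
    """Return scheme, host, port and resolved addresses for a user-requested fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")  # file://, gopher://, dict:// and friends
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")  # http://trusted@evil.example/ fools naive checks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, IPv6 brackets already stripped
    except ValueError:
        # Not a literal: resolve it. Odd spellings such as "2130706433" may resolve to an IP on some
        # platforms, which is why the decision is made on resolved addresses, not on the string.
        addresses = resolve(host)
    if not addresses:
        raise ValueError("host does not resolve")
    for ip in addresses:
        if not is_public_ip(ip):
            raise ValueError("host resolves to a non-public address")
    return {"scheme": parts.scheme, "host": host, "port": port, "addresses": addresses}


# Constructed DNS table for the offline demo (93.184.216.34 is a public address; the names are made up).
FAKE_DNS = {
    "files.example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],  # one public, one private: refused
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def check(url: str) -> tuple:
    """(allowed, detail) using the constructed resolver, for the demo and tests."""
    try:
        return True, validate_outbound_url(url, resolve=fake_resolver)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for u in ["https://files.example.org/report.pdf", "http://metadata.internal/latest/meta-data/",
              "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/", "http://rebind.example.org/",
              "file:///etc/passwd", "http://files.example.org:6379/", "http://admin@files.example.org/"]:
        print(f"{u:45} -> {check(u)}")
```

Validation alone is not the whole fix: the HTTP client must then connect to the address that was checked (or re-validate each hop with automatic redirects disabled), otherwise a second DNS lookup by the client, or a redirect from a public host to an internal one, bypasses everything above.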

Let’s go forth, improve security, and do better
