Use Spring Security 2 to store your user passwords securely, and authenticate against the secured passwords. This is a companion article to my "Store Passwords Securely" article.

Replicate MySql over an ssh tunnel between separate colos.

Everyone seems to be going through hell to get a fully functional JSF login page working with Spring Security (formerly Acegi,) and yes, I did too, but there’s an EASY way to make this happen. And get this, * It takes just five clear and well written lines of Java code.

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem.

In his latest InsideRIA.com post, Richard Monson-Haefel, Curl's VP of Developer Relations, asks designers, developers, and architects why they didn't choose Curl. Why didn't you choose Curl? Add to the ongoing discussion here.

Watch a PHP Security Zend Webinar and get additional PHP security resources

Checking in with expert Bruce Schneier about the state of security.

There's a symptom of those being introduced to microformats and OpenID; They tend to go cross-eyed in confusion. If you're new to OpenID, you might hear the jargon, most of it starting with the letter "O," and think it's some kind of ancient Gaelic language strung together by a bunch of English conjunctions.

Security in a PHP application includes remote and local security concerns. Discover the habits PHP developers should get into to implement Web applications that have both characteristics.

LDAP (Lightweight Directory Access Protocol) has a reputation for being complicated, but I hope to dispel that myth and explain exactly how LDAP works in this simple introduction of some of the basic concepts..

Protecting passwords is important, but do you take the same care with your SESSIONIDs? You should. Here's how they work: When you log into a web application, you exchange your credentials for a SESSIONID cookie. This cookie gets sent with every subsequent request from your browser until you log out or the session times out. During that window, if an attacker steals your SESSIONID, they have full access to your account.

this is the article describes about how the Gmail is produsing param links for uploaded files

There’s been a thread at the amazon simpledb forums discussing that AWS should implment a crossdomain.xml file. I agree that AWS should open up their public facing services to flex developers by implementing a crossdomain.xml file however, simply implementing a crossdomain.xml file will not address the real problems of authentication and security.

As the web becomes more and more pervasive, so do web-based security vulnerabilities. I talked a little bit about the most common web vulnerability, cross-site scripting, in Protecting Your Cookies: HttpOnly. Although XSS is incredibly dangerous, it's a fairly straightforward exploit to understand. Do not allow users to insert arbitrary HTML on your site. The name of the XSS game is sanitizing user input. If you stick to a whitelist based approach -- only allow input that you know to be good, and immediately discard anything else -- then you're usually well on your way to solving any XSS problems you might have.

With the web and web sites open to everyone -- including malicious hackers -- the security of web applications sits at the top of the list of issues on any web developer's mind. In this eight-part series, we will look at the security concerns of PHP developers, and what they can do to make their web applications more secure.

Stop being a sissy. Every time you sudo a command, you deserve to have your man card taken away.

I am fairly much "in like" with Rails: I have been using it for personal and customer projects for almost 3 years. If Ruby had good runtime performance, I would be happy with Ruby and Rails for most of my development. Because Ruby is such a terse language, it is very easy to read and understand the code and (few) configuration files that Rails generates for you and it is easy to write custom models, controllers, and views - mostly because Ruby is such a fun language to work with.

Recently there has been some buzz as to what Microsoft has up their sleeves for Windows 7, the next version of Windows after the somewhat botched Vista release. Some of the features seem to be mostly evolutionary from those of Vista. Most of the features, though, have yet to be announced. So, what should Microsoft focus on after they get Windows 7 out the door?

It is not usually my custom to comment negatively or nitpick on other people's articles in magazines, especially not in magazines I have written for. This time however, I really must raise my voice to point out a couple of (well, actually a lot of) issues in an article about SQL injection in the current (October/November) issue of the german "PHP Magazin". I stumbled upon this when Pelle Boese of Mobile SEO fame told me about it.

The latest of Stephen Walther's invaluable ASP.Net MVC Tip series points out a MVC scenario that was previously unknown to me: passing cookies and server variables into controllers as action parameters. While the idea is neat, a comment left by Francois Ward echoed my immediate skepticism over whether this could be safe.

JBoss Seam does a long list of amazing things. One that is often overlooked is its Rules-based security system. This system is able to express business security rules in a very direct way, and keep them in an external file which is easy to maintain. However, using JBoss Rules for Seam security requires understanding how the JBoss Rules engine works, how it evaluates rule sets, and how to write a rule set. We go through these questions in detail. After you understand how Seam security with Rules works, we think you'll never be satisfied with plain old role checks again.

It's a valid script, it's nearly impossible to detect and stop, and it will annoy users to no end. What's the answer to stopping scripts that will not only do so reliably, but that will be used by users?

JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized, platform neutral, user authentication and authorization.

Ron Rivest presented his (along with a dozen other people's) new hash, MD6, yesterday at Crypto. I am not a hash guru although I've implemented SHA and its ilk many times, so I can't guarantee all my notes are correct. I will compare it somewhat with SHA as that is what I know.