Software Integrity Blog

Author Archive

David Johansson

djohansson

David Johansson is an associate principal consultant at Synopsys. He has over nine years of experience in software security and has worked as a consultant for several leading IT security companies. David's expertise is in software development and architecture, web security testing, and training developers and testers in security.


Posts by David Johansson:

 

AngularJS 1.6: Life outside the sandbox

AngularJS 1.6 was recently released. With this release come several impactful changes. One change to note is the removal of the expression sandbox. This was a predicted change that was first announced in early September. If you haven’t already evaluated the impact of this on your Angular code in preparation for the changes, it’s high time to do so. Is your code mature enough to survive life outside the sandbox? The answer is so simple that it might surprise you: life outside the sandbox is no different than life inside. It should have no impact on the security of your AngularJS application. You see, Angular expressions weren’t sandboxed for security reasons in the first place. The sandbox was not intended to act as a security boundary. Therefore, the various ‘sandbox escapes’ published by security researchers were never considered to be vulnerabilities. Even so, the Angular team continued patching the sandbox until the recent release of 1.6.

Posted in General

 

Agile vs. security: Resolving the culture clash

Security, including software security, is very much rooted in a control culture. Security concepts such as firewall rules, access controls, and input validation are all about getting and keeping control—we frequently refer to these as security controls. Standardized processes that promote stability and order are also highly valued components of security. This control culture often causes friction when security is introduced in agile development teams that have a very different culture.

Working with the culture, not against it

Agile software development is more about culture than a set of processes, although it is often mistaken for the processes it is associated with (e.g., scrum). The values and beliefs that define the idea of agile are described in the Agile Manifesto. This manifesto does not define a specific development process, but rather the values and priorities that underpin agile software development. There’s an important difference between being agile and doing agile. Michael Sahota’s book An Agile Adoption and Transformation Survival Guide explores the difficulties of adopting agile in a company culture that isn’t aligned with the agile culture of collaboration and cultivation. One particularly interesting detail is that imposing agile principles in a control culture often fails due to the different, and sometimes opposing, mindsets in these cultures. Likewise, I believe that imposing traditional software security processes rooted in the control culture on a development team upholding values aligned with the Agile Manifesto runs the risk of failure due to this culture clash.

Posted in Agile, CI/CD & DevOps, Software Architecture and Design

 

Node.js and Socket.IO: How security fails when ‘null’ is ‘false’

I recently discovered an important security issue in Socket.IO—a zero-day vulnerability that allows a man-in-the-middle attack on TLS-protected communication between a Socket.IO client and a Socket.IO server. I find this issue rather interesting because it shows how unfortunate design decisions can unintentionally lead to insecure default configuration. This also highlights the dangers of not following secure design principles.

Posted in Open Source Security, Software Architecture and Design