Software Integrity

Author Archive

David Johansson


David Johansson is an Associate Principal Consultant at Synopsys. He has over nine years of experience in software security and has worked as a consultant for several leading IT security companies. David's expertise is in software development and architecture, web security testing, and training developers and testers in security.


Posts by David Johansson:


AngularJS 1.6: Life outside the sandbox

AngularJS 1.6 was recently released. With this release come several impactful changes. One such change to note is the removal of the expression sandbox. This was a predicted change, first announced in early September. If you haven’t already evaluated the impact of this on your Angular code in preparation for the changes, it’s […]

Posted in JavaScript Security, Software Security Testing, Threat Intelligence, Vulnerability Assessment

Agile vs. security: Resolving the culture clash

Security, including software security, is very much rooted in a control culture. Security concepts such as firewall rules, access controls, and input validation are all about getting and keeping control—we frequently refer to these as security controls. Standardized processes that promote stability and order are also highly valued components of security. This control culture often […]

Posted in Agile Methodology, Security Risk Assessment, Software Security Testing

Node.js and Socket.IO: How security fails when ‘null’ is ‘false’

I recently discovered an important security issue in Socket.IO—a zero-day vulnerability that allows a man-in-the-middle attack on TLS-protected communication between a Socket.IO client and a Socket.IO server. I find this issue rather interesting because it shows how unfortunate design decisions can unintentionally lead to insecure default configuration. This also highlights the dangers of not following […]

Posted in Open Source Security, Software Security Testing, Vulnerability Assessment
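The shape of the “null is false” failure described in the Socket.IO teaser, as an added example that is not code from the post, from Socket.IO, or from Node.js: an options layer copies every caller-supplied key over its secure defaults, and a later truthiness check then treats an explicit `null` exactly like `false`, switching certificate verification off. The function names (`mergeNaive`, `mergeStrict`, `verifyPeerCertificate`, `connectionSurvivesBadCert`, `demo`) and the simulated verification error are assumptions made for this illustration.

```javascript
// Added example, not Socket.IO's or Node's code: how a caller-supplied
// `null` can silently disable TLS certificate verification when an
// options merge treats "explicitly set to null" the same as "set to false".

const SECURE_DEFAULTS = Object.freeze({ rejectUnauthorized: true });

// Naive merge: every key the caller supplies wins, including null/undefined.
// A caller passing `rejectUnauthorized: null` ("no opinion") overrides `true`.
function mergeNaive(callerOptions) {
  return { ...SECURE_DEFAULTS, ...callerOptions };
}

// Hardened merge: only a value that is actually set overrides the default;
// null and undefined mean "not specified" and keep the secure default.
function mergeStrict(callerOptions) {
  const merged = { ...SECURE_DEFAULTS };
  for (const [key, value] of Object.entries(callerOptions ?? {})) {
    if (value !== null && value !== undefined) merged[key] = value;
  }
  return merged;
}

// The downstream decision that consumes the merged options. It is written as
// a truthiness test because that is precisely what makes `null` act as `false`.
function verifyPeerCertificate(options) {
  return Boolean(options.rejectUnauthorized);
}

// Simulate the handshake outcome when the peer presents a certificate that
// fails verification (constructed scenario: verifyError is non-null).
// Returns true when the connection is allowed to proceed anyway, i.e. when
// a man-in-the-middle with a bogus certificate would succeed.
function connectionSurvivesBadCert(options, verifyError = new Error('self signed certificate')) {
  if (verifyError && verifyPeerCertificate(options)) {
    return false; // verification on: connection torn down, MITM blocked
  }
  return true;    // verification off: connection proceeds despite the bad cert
}

// Run the same four caller inputs through both merge strategies.
function demo() {
  const cases = {
    unset: {},
    nullFlag: { rejectUnauthorized: null },
    explicitFalse: { rejectUnauthorized: false },
    explicitTrue: { rejectUnauthorized: true },
  };
  const results = {};
  for (const [name, opts] of Object.entries(cases)) {
    results[name] = {
      naive: connectionSurvivesBadCert(mergeNaive(opts)),
      strict: connectionSurvivesBadCert(mergeStrict(opts)),
    };
  }
  return results;
}

module.exports = { mergeNaive, mergeStrict, verifyPeerCertificate, connectionSurvivesBadCert, demo };
```

Only the `nullFlag` case differs between the two strategies: with the naive merge a caller that never meant to weaken anything ends up with verification disabled, while the strict merge keeps the default. The practical check is to grep any option-merging layer for `...options` / `Object.assign` feeding a bare `if (opts.flag)` and ask what an explicit `null` does there.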