secure_software_development_fundamentals.md
Lines changed: 14 additions & 1 deletion
@@ -3684,7 +3684,18 @@ Some of these settings are only relevant to extremely old browsers. If you only
3684
3684
Cache-Control: no-store, must-revalidate
3685
3685
~~~~
3686
3686
3687
-
You could also consider doing extra double-checks to ensure that any cached data is only being sent to someone authorized to receive it.
3687
+
This is especially a problem because many websites long ignored web standards.
3688
+
The HTTP/1.1 standard, published In 1999, standardized the
3689
+
header to disable writing content to storage
3690
+
("no-store"), However, many websites continued to use only the non-standard
3691
+
mechanisms supported by the Internet Explorer web browser.
3692
+
In 2017 it was found that 70% of tested sites
3693
+
(financial, healthcare, insurance, and utility sites)
3694
+
failed to correctly forbid browsers from storing cached content, because
3695
+
they incorrectly used only the nonstandard request to store cached data
3696
+
["Industry-wide Misunderstandings of HTTPS" by Independent Security Evaluators (ISE), July 12, 2017](https://www.ise.io/casestudies/industry-wide-misunderstandings-of-https/#5d).
3697
+
3698
+
You could also consider implementing extra double-checks to ensure that any cached data is only being sent to someone authorized to receive it.
3688
3699
3689
3700
> 😱 STORY TIME: Cache system vulnerabilities in ChatGPT in 2023
3690
3701
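Review bot: The new paragraph at 3688-3696 has several wording and punctuation problems that should be fixed before merging. "published In 1999" has a stray capital; "("no-store"), However, many websites" should end the sentence before "However" ("("no-store"). However, many websites ..."); and, as rendered here, "standardized the header to disable writing content to storage" never names the header, so either the `Cache-Control` code span was lost or the word "header" needs the name in front of it. The clause "they incorrectly used only the nonstandard request to store cached data" reads as the opposite of what is meant; given the preceding sentence about the Internet Explorer-only mechanisms, it should say "only the nonstandard request not to store cached data" (or "the nonstandard mechanism to forbid caching"). "In 2017 it was found that 70% of tested sites" also wants a comma after "2017", and the inline reference at 3696 is attached to the sentence without an introducing word such as "see" or a closing period. Finally, the deleted line 3687 and the re-added line 3698 differ only by "doing" vs "implementing", so the diff reads as a move plus a one-word change; that is fine, but worth saying in the commit message so reviewers do not hunt for a larger edit.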
@@ -6059,6 +6070,8 @@ Information Commissioner’s Office (ICO), *Guide to the General Data Protection
6059
6070
6060
6071
International Association for Privacy Professionals (IAPP), *What does privacy mean?* ([https://iapp.org/about/what-is-privacy/](https://iapp.org/about/what-is-privacy/))
6061
6072
6073
+
Independent Security Evaluators (ISE), "Industry-wide Misunderstandings of HTTPS" July 12, 2017, <https://www.ise.io/casestudies/industry-wide-misunderstandings-of-https/#5d>
6074
+
6062
6075
ISO/IEC 9899:2018, *Programming Languages - C* (aka “C17”). This standard is not publicly available; its final draft is publicly available at ([https://web.archive.org/web/20181230041359if_/http://www.open-std.org/jtc1/sc22/wg14/www/abq/c17_updated_proposed_fdis.pdf](https://web.archive.org/web/20181230041359if_/http://www.open-std.org/jtc1/sc22/wg14/www/abq/c17_updated_proposed_fdis.pdf))
6063
6076
6064
6077
ISO/IEC 15026-2:2011, *Systems and software engineering - Systems and software assurance - Part 2: Assurance case* ([https://www.iso.org/standard/52926.html](https://www.iso.org/standard/52926.html))
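Review bot: The new reference at 6073 does not follow the style of the surrounding entries and is out of alphabetical order. Neighbouring entries italicize the title and give the URL as a parenthesized markdown link (`*Title* ([url](url))`), whereas the new line uses a quoted title, an angle-bracket URL, and lacks the comma between the title and the date; suggest `Independent Security Evaluators (ISE), *Industry-wide Misunderstandings of HTTPS*, July 12, 2017 ([https://www.ise.io/casestudies/industry-wide-misunderstandings-of-https/#5d](https://www.ise.io/casestudies/industry-wide-misunderstandings-of-https/#5d))`. The list is sorted by organisation name, and "Independent Security Evaluators" sorts before both "Information Commissioner's Office" and "International Association for Privacy Professionals", so the entry belongs above the ICO line in the hunk context rather than after the IAPP entry.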