You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: secure_software_development_fundamentals.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1073,14 +1073,14 @@ If your software manages secrets like private cryptographic keys and passwords,
1073
1073
1074
1074
* Store passwords used for inbound authentication with an algorithm specifically designed to do this. We will discuss these later in the course, but these kinds of algorithms are called *iterated per-user salted hash* algorithms (such as argon2id, bcrypt, or PBKDF2). If done correctly, it is infeasible for an attacker to determine many passwords even if the attacker gets the encrypted password data.
1075
1075
1076
-
* Use **https://** instead of **http://**; that provides an encrypted link to prevent data leakage.
1076
+
* Use **https://** instead of **http://**; that provides an encrypted link to prevent data leakage.
1077
1077
1078
1078
* Avoid accepting and sending secret data (like private keys) as command line parameters, where you can; command line parameters are often visible to other processes on a system.
1079
1079
1080
1080
1081
1081
#### Trust Only Trustworthy Channels
1082
1082
1083
-
In general, only trust information (input or results) from trustworthy channels. For example, use **https://** instead of **http://** when contacting a server, because enables checking if the server has a valid cryptographic certificate for that site. In general you should use **https**, because that will prevent attackers from snooping or modifying information exchanged with other users.
1083
+
In general, only trust information (input or results) from trustworthy channels. For example, use **https://** instead of **http://** when contacting a server, because enables checking if the server has a valid cryptographic certificate for that site. In general you should use **https**, because that will prevent attackers from snooping or modifying information exchanged with other users.
1084
1084
1085
1085
#### Separate Data from Control
1086
1086
@@ -4534,7 +4534,7 @@ Also, beware of implementing these algorithms only on the client side. It is fin
4534
4534
4535
4535
### Transport Layer Security (TLS)
4536
4536
4537
-
Transport Layer Security (TLS) is a widely-used cryptographic protocol to provide security over a network between two parties. It provides privacy and integrity between those parties. TLS version 1.3 was released in 2018. An older and insecure version of this protocol was named Secure Sockets Layer (SSL), and sometimes the terms are used interchangeably. When you use **https://** in a web browser or server today, you are normally using TLS (in rare cases, you might be using its insecure predecessor, SSL). TLS is also used in other applications, for example, to protect exchanges of email between different Mail Transport Agents (MTAs).
4537
+
Transport Layer Security (TLS) is a widely-used cryptographic protocol to provide security over a network between two parties. It provides privacy and integrity between those parties. TLS version 1.3 was released in 2018. An older and insecure version of this protocol was named Secure Sockets Layer (SSL), and sometimes the terms are used interchangeably. When you use **https://** in a web browser or server today, you are normally using TLS (in rare cases, you might be using its insecure predecessor, SSL). TLS is also used in other applications, for example, to protect exchanges of email between different Mail Transport Agents (MTAs).
4538
4538
4539
4539
#### Certificate Validation
4540
4540
@@ -5967,7 +5967,7 @@ Di Paola, Stefano, and Arshan Dabirsiaghi. "Expression Language Injection", 2011
5967
5967
5968
5968
Dulin, Maxwell (ꓘ), Finding an Authorization Bypass on my Own Website, 2022-03-03, (<https://maxwelldulin.com/BlogPost?post=9185867776>)
5969
5969
5970
-
ECMA, ECMA-262, 12th edition, June 2021, ECMAScript® 2021 Language Specification, “The Number Type” ([https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type]((https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type))
5970
+
ECMA, ECMA-262, 12th edition, June 2021, ECMAScript® 2021 Language Specification, “The Number Type” ([https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type](https://www.ecma-international.org/ecma-262/11.0/index.html#sec-ecmascript-language-types-number-type))
5971
5971
5972
5972
Enosuchblog, 2022-12-28, "ReDoS "vulnerabilities" and misaligned incentives", <https://blog.yossarian.net/2022/12/28/ReDoS-vulnerabilities-and-misaligned-incentives>
0 commit comments