Illustration of thief with bag over his shoulder and the word XSS

The X in XSS

I’ve mentioned Cross-Site Scripting, aka XSS, in some of my previous posts. And I’m sure you’ve heard of it as well.

XSS is often categorised as either reflected XSS or stored XSS. And then DOM-based XSS was added. OWASP now categorises XSS as:

  • Client XSS
  • Server XSS

Both of these can be either reflected or stored, which can make it all a little confusing.

Continue reading
Hand holding disinfectant and spraying it

How clean is your data?

You might have heard the term “data sanitisation” applied to devices. We need to permanently remove data on portable storage devices and hard drives before we get rid of them.

But today I want to talk about a different form of data sanitization: input sanitisation.

The question you need to answer is this:
How clean is the data that you are saving in your application?

Continue reading
Security alert

When do you know if something went wrong?

This is a very important question.

How do you know if something has gone wrong, or if your site has been compromised?

The answer is that, unless you are logging and monitoring events, you don’t know.

If you read about major data breaches, you’ll notice that often the data breach might have been going on for years. The companies only noticed it when someone complained.

According to a 2020 IBM Security study, companies in South Africa took on average 177 days to identify a data breach. That might not be years, but it is still way too late.

Continue reading