Archive for November, 2010

Keep a Small Surface – Webapp Isolation

November 11, 2010

Web application developers, in particular ones on a small team, are usually focused on the next feature or getting MVPs out, not security.

When security does come up, the focus is usually mitigating direct webapp attacks. We rely on Django's or RoR's mechanisms for XSS/CSRF protection and password hashing. We turn to App Engine, Heroku, or traditional hosts for DDoS protection. And so on.

All of that is important and worth doing your due diligence on, but what’s the plan if/when your webapp gets entirely owned?

Here’s a way to mitigate the damages, something that is doable even when you are on a small team or working alone. There are nice side effects, too.

November 10, 2010

I am no longer adding anything to, which was probably obvious at some point last year. A young child and increasing work responsibilities will do that to you. But a bigger issue with that site than lack of free time was that the topic did not feel right anymore.
