Application Security Weekly for September 8

Only Rails 6.x and 5.2.x are getting security updates.  Plan your development accordingly.

https://rubyonrails.org/security/

Jason Karns was kind enough to pass along this awesome upgrade helper for Rails:

https://blog.testdouble.com/posts/2019-09-03-3-keys-to-upgrading-rails


I regularly write apps up for failure to disable autofill, and this article is a good explainer.

https://www.social-engineer.com/disable-autofill-browsers/


Bruce lays out a really good line of reasoning on why there is no difference between "commercial" encryption and "consumer" encryption.

https://www.schneier.com/blog/archives/2019/08/the_myth_of_con.html


iOS doesn't get a lot of malware love because it's only 12% of the phone market, but the bad guys realized that 12% has a lot of money, so here is a BOATload of exploits that Google found being used against it.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1


I also write folks up for clickjacking a lot, and it is making a comeback.  It's just a header, people; add it.

https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/
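The "just add the header" point above, as an added example that is not part of the original post: a small Python audit that reports whether a response's headers actually stop framing, plus a helper that adds them. The rules it encodes (CSP frame-ancestors winning over X-Frame-Options, ALLOW-FROM being obsolete) are assumptions stated in its docstring, and every header dict fed to it is constructed, not captured from a real site.

```python
"""Audit response headers for clickjacking protection (rules from the
X-Frame-Options and CSP Level 2 specs, assumed for this example):
CSP frame-ancestors overrides X-Frame-Options when both exist; DENY and
SAMEORIGIN protect; ALLOW-FROM is obsolete and ignored by browsers; and
Content-Security-Policy-Report-Only never blocks framing, so it is ignored."""

def get_header(headers, name):
    """Case-insensitive lookup in a {name: value} dict; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def clickjacking_status(headers):
    """Return (protected, reason) for one response's header dict."""
    csp = get_header(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        # '*' or a scheme-only source such as https: lets any site frame the page
        if "*" in sources or any(s.endswith(":") for s in sources):
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options or frame-ancestors header"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    # ALLOW-FROM is obsolete, and a comma-joined or misspelt value is dropped by browsers
    return False, "X-Frame-Options %r ignored by browsers" % xfo

def harden(headers):
    """Copy of headers that denies all framing; an existing frame-ancestors policy is kept."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        csp = "frame-ancestors 'none'"
    elif frame_ancestors(csp) is None:
        csp = csp.rstrip("; ") + "; frame-ancestors 'none'"
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-frame-options", "content-security-policy")}
    out.update({"X-Frame-Options": "DENY", "Content-Security-Policy": csp})
    return out
```

Run `clickjacking_status` over the headers your scanner captured for each page; anything that comes back `False` is the finding, and `harden` shows the minimum pair of headers that closes it.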


Some RCE flaws were discovered in PHP.  Update if you can, mitigate if you can't.

https://thehackernews.com/2019/09/php-programming-language.html?m=1


That's the news.  Stay safe.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
