I have been toying with the idea of starting a security blog for some time now. Today, again, was talking to my colleagues and at least one of them thinks it is a great idea.
I always look with horror at what passes as security “features” proposed to the people who just start writing websites. The frameworks are no better, they usually have a long outdated set of functions. Or some of them are defective by design. And there seems to be no place on the whole Internet to turn for help. You would not e-mail Bruce Schneier every time you need to make a password hash, would you?
So I think there must be a place where people can turn to for some information on how the proper security is built. How the user authentication should be set up, how the passwords are stored, what is a good and a bad implementation of “remember me” function and so on. Something has to be done to improve the security of all those start-up website coming online by the thousand every day. Even old companies, like LinkedIn and Citibank, get hacked because they do not do it right. The help on security must be provided somehow, somewhere.
Isn’t there such a place already?… -->continue reading →