Keeping up with the Joneses on modern day web security is a daunting task.
Most companies do not have internal security researchers. Developers are expected to know cryptography, even though I'm sure we can all agree that we only know enough to prevent the attacks and vulnerabilities already known to us. You're probably as likely to have a security vulnerability in your application as you are a bug in your codebase. I've been building web applications professionally for nearly a decade, and just this past year I learned about flaws in commonly reused code, such as timing attacks on HMAC-based authentication caused by verifying the signature with an ordinary string comparison.
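As an added example (not code from the original post), here is the HMAC flaw just mentioned in Python: the vulnerable check that compares the tag with `==` beside a fixed-time version using `hmac.compare_digest`, plus a small model of why the naive check leaks. The key and request body are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key and request body; neither comes from the original post.
SECRET_KEY = b"example-shared-secret"
REQUEST_BODY = b'{"user": "alice", "amount": 100}'


def sign(key: bytes, message: bytes) -> str:
    """Return the hex HMAC-SHA256 tag a client sends alongside the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_naive(key: bytes, message: bytes, tag: str) -> bool:
    """Vulnerable form: '==' stops at the first mismatching character, so the
    time it takes depends on how many leading characters of `tag` are right."""
    return sign(key, message) == tag


def verify_constant_time(key: bytes, message: bytes, tag: str) -> bool:
    """Hardened form: compare_digest takes the same time wherever inputs differ."""
    expected = sign(key, message)
    if not isinstance(tag, str) or len(tag) != len(expected):
        return False  # wrong type or length is rejected before any comparison
    return hmac.compare_digest(expected, tag)


def short_circuit_steps(expected: str, supplied: str) -> int:
    """Model of an early-exit comparison: count characters examined before it
    stops. Not CPython's implementation, but it shows the same dependence of
    work done (and therefore time taken) on the position of the first mismatch."""
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            break
    return steps


if __name__ == "__main__":
    good = sign(SECRET_KEY, REQUEST_BODY)
    # A tag matching the first 10 characters is examined for 11 steps; a tag
    # that is wrong from the start is examined for 1. ('x' is never a hex digit.)
    print(short_circuit_steps(good, good[:10] + "x" + good[11:]))  # 11
    print(short_circuit_steps(good, "x" * len(good)))  # 1
    print(verify_constant_time(SECRET_KEY, REQUEST_BODY, good))  # True
```

The constant-time version also rejects a wrong-length tag up front; length is not secret here because the digest size is fixed by the algorithm.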