I think at minimum you would need to understand which theorems you want to prove about your code, and how to express those in Lean. Otherwise you won’t be able to verify the output. It may have proven some statement…
This is really a self inflicted problem. If you host your backend on the same origin as your frontend (using a reverse proxy) you don’t need CORS at all and you can use the vanilla SOP, and strengthen it further with a…
What is your definition of faster to implement? Is it producing a plausible implementation, or is it faster at producing a correct and high quality implementation? Are you including time spent refactoring and fixing…
With a capable static analyzer that is not true. In many common cases they can deduce the possible ranges of values based on branching checks along the data flow path, and if that range falls within the buffer then it…
If you say you need the data for security reasons that’s all well and good, but then you can only use the data for that specific purpose. So you cannot suddenly start using it for targeted advertising just because you…
Please elaborate why you believe that? The ability to easily rotate encryption keys is considered an anti pattern?
Also, I gave the link to the appendix because there was a specific question about Argon2 parameters. For general developer audiences, they need to look at the standard itself which is a lot more high level about how to…
Yes it’s an audit checklist for when you need to know specifically what to use and with which parameters. It’s unfortunate if there are mistakes in there. The people at OWASP would be very happy to receive feedback on…
Can you give some examples of such commonly used libraries for languages like Java / C# / C++? In my experience there are not many libraries like Google Tink around, and they are not in widespread use at all. Most…
Yes I fully agree. I’m a big fan of libraries like Google Tink that make you pick a use case and use the best implementation for that use case with built in crypto agility. Most crypto libraries are not built like that…
The OWASP ASVS appendix on Cryptography is one of the best and concise resources I know for this kind of thing: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x92-Append...
If you only secure the login you will be sending your session cookies unencrypted for the other pages and they can be intercepted and used to impersonate you.
If the program has access to the credential, and the program is running on your computer, you also have access to the credential no matter how they try to obfuscate it. What the game dev is supposed to do is have an…
You can set a CSP in the HTML head section using a meta http-equiv tag. It has similar functionality to X-frame-options IIRC.
A dark mode would be nice.
I think at minimum you would need to understand which theorems you want to prove about your code, and how to express those in Lean. Otherwise you won’t be able to verify the output. It may have proven some statement…
This is really a self inflicted problem. If you host your backend on the same origin as your frontend (using a reverse proxy) you don’t need CORS at all and you can use the vanilla SOP, and strengthen it further with a…
What is your definition of faster to implement? Is it producing a plausible implementation, or is it faster at producing a correct and high quality implementation? Are you including time spent refactoring and fixing…
With a capable static analyzer that is not true. In many common cases they can deduce the possible ranges of values based on branching checks along the data flow path, and if that range falls within the buffer then it…
If you say you need the data for security reasons that’s all well and good, but then you can only use the data for that specific purpose. So you cannot suddenly start using it for targeted advertising just because you…
Please elaborate why you believe that? The ability to easily rotate encryption keys is considered an anti pattern?
Also, I gave the link to the appendix because there was a specific question about Argon2 parameters. For general developer audiences, they need to look at the standard itself which is a lot more high level about how to…
Yes it’s an audit checklist for when you need to know specifically what to use and with which parameters. It’s unfortunate if there are mistakes in there. The people at OWASP would be very happy to receive feedback on…
Can you give some examples of such commonly used libraries for languages like Java / C# / C++? In my experience there are not many libraries like Google Tink around, and they are not in widespread use at all. Most…
Yes I fully agree. I’m a big fan of libraries like Google Tink that make you pick a use case and use the best implementation for that use case with built in crypto agility. Most crypto libraries are not built like that…
The OWASP ASVS appendix on Cryptography is one of the best and concise resources I know for this kind of thing: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x92-Append...
If you only secure the login you will be sending your session cookies unencrypted for the other pages and they can be intercepted and used to impersonate you.
If the program has access to the credential, and the program is running on your computer, you also have access to the credential no matter how they try to obfuscate it. What the game dev is supposed to do is have an…
You can set a CSP in the HTML head section using a meta http-equiv tag. It has similar functionality to X-frame-options IIRC.
A dark mode would be nice.