We’ve got a long digest this week!

What Is Structured Logging and How to Use It

First, to learn what structured logging is, you must take a step back and understand what exactly is unstructured logging. With unstructured logging, events are expressed in plain text—in other words, plain English (or another language). The assumption here is that humans are the main target audience for logs, which isn’t always the case. For instance, being able to search through your log files to find all occurrences of a given event is valuable if you’re trying to troubleshoot some issue or investigating a concerning trend. Structured logging makes this easier by generating logs in more easily parsable formats—such as JSON and XML. This way, you can treat your log events as data rather than mere text. Find out more about structured logging from Carlos Schults on Solarwinds’ blog. 

NodeJS Command Injection: Examples and Prevention

Modern websites can be complex pieces of software. They can have multiple moving parts spread across many environments. If your application isn’t secured effectively, then each of these environments can pose as a unique attack surface for exploiting command injection vulnerabilities. In this post, you’ll learn about command injection vulnerabilities when working with shell command functions in NodeJS. You can also explore a few techniques to use to better protect ourselves from these types of attacks. Learn more from John Pereira on Stackhawk’s blog.

NodeJS Content Security Policy Guide: What It Is and How to Enable It

Building a solid web application requires an extensive understanding of fundamentals in developments, infrastructure, and security. Ensuring the stability of our platforms and the security of our users’ information is a critical matter that is getting more complex and sensitive over time. With every passing year, threats get more abundant and complex, so to mitigate this, software companies are incorporating more sophisticated and robust solutions. Developers have a responsibility to ensure that we take advantage of these solutions and adapt our software to comply with the policies and implement the necessary measures. One of such measures is Content Security Policy or CSP. Dive into content security policy in this post written by Juan Reyes on Stackhawk’s blog.

Rust CSRF Protection Guide: Examples and How to Enable It

Cross-site request forgery (CSRF) attacks are elaborate schemes by hackers to carry out a wide range of forgery requests within unsuspecting users’ online accounts. These requests can be financial transactions, stealthy account coup d’état campaigns, or even just the deletion of sensitive data. With so many people invested in cryptocurrency (often built on the Rust-lang Ethereum client), the threat of Rust CSRF attacks can cost millions of dollars at a time. This post explores how liable Rust applications are to CSRF attacks and includes attack examples, vulnerability analysis, and prevention advice. Check out this post from Taurai Mutimutema on Stackhawk’s blog. 

Angular CORS Guide:Examples and How to Enable It

One of the key tasks of a front-end developer is integrating back-end APIs. However, a lot of times your front-end application needs to communicate with a server that’s of a different origin. This could be your own server or a third-party application programming interface you need in your application. In all these cases, you may often run into a cross-origin resource sharing (CORS) error. But what exactly is CORS? And how can you interact with your back-end services in a hassle-free way? In this post, Siddhant Varma talks about what CORS is and how you can enable it in your Angular application. Check it out on Stackhawk’s blog. 

NodeJS CORS Guide: What It Is and How to Enable It

Web browsers prevent unknown websites from accessing your application programming interfaces and services. This way, your server shares its resources only with clients that are on the same domain. However, there are situations where you want to lift this guard or get more fine-grained control over which websites access your server’s resources. In such cases, you implement CORS (cross-origin resource sharing) on your server. In this post, Siddhant Varma talks about what CORS is and why it’s useful. You’ll also learn how you can enable CORS in your NodeJS application. You can also learn more about the basics of CORS here. Find out more on Stackhawk’s blog.

Laravel Content Security Policy Guide: What It Is and How to Enable It

The strength and versatility of modern browsers that enable powerful web applications can turn into a security nightmare. We previously covered security issues like cross-site-scripting (XSS), SQL injections, and path traversals. The ability to run custom or third-party code leads to unwanted behavior and data leaks. Browsers have a same-origin policy that prevents the execution of some third-party content by default, and developers can use cross-origin resource sharing (CORS) to control this behavior. In this post, Lukas Rosenstock gives you a look at a broader and more versatile tool to increase the security of web applications: the content security policy (CSP). Check it out on Stackhawk’s blog. 

Rails Content Security Policy Guide: What It Is and How to Enable It

The process of developing web applications demands a thorough understanding of the fundamentals of web security. Every year, security threats get more complex, and so to mitigate this, software companies are consolidating advanced and robust security solutions. Content Security Policy, or CSP, is one such measure. This article aims to make the concept of content security more accessible by briefly defining what CSP is, demonstrating how to enable CSP in Rails, examining common errors you might encounter, and helping you address them. Find out more about it from Juan Reyes on Stackhawk’s blog. 

Golang Path Traversal Guide: Examples and Prevention

Golang consistently features among the top 10 programming languages in use across developer communities. This popularity also makes Go applications prone to all the vulnerabilities on OWASP’s prevalent web application exploits list. Although not on the list, Golang path traversal is a vulnerability worth getting to know and patching applications against before it becomes their ruin. Learn all about Golang from Taurai Mutimutema on Stackhawk’s blog.

What is a Software Bill of Materials (SBOM)?

Software programs today frequently have a long list of third-party components. To maintain security and performance, companies must carefully track and manage each one. To monitor these components, software engineers often use a software bill of materials (SBOM). This machine-readable list contains all of the various items and dependencies contained in a piece of software. Keep reading to learn why SBOMs are important and, specifically, how you can use them to improve the way your company develops and maintains software. Get a deep dive into SBOMs from Justin Reynolds on Sonatype’s blog.

Incremental Loading: The Smarter Way to Update Data

A data warehouse aims to make sense of a specific subject over time by analyzing historical data. This system, also called the decision-making support system, can tackle trends as diverse as the percentage of client churn or beer consumption trends within a geographical area. Incremental loading is one of those crucial issues you need to consider when defining your load pipelines. In this post, Daniel Paes explains what incremental loading is and why it’s so important. Find out all about it on Panoply’s blog.

Rust Path Traversal Guide: Example and Prevention

While a lot of developers are turning to Rust-lang for its long list of benefits, it has its fair share of caveats. For instance, new developers will associate built-in memory safety with overall Rust applications security. This often leaves Rust applications vulnerable to a wide range of attacks. Of particular interest to this post is the Rust path traversal vulnerability. This guide will take you through the various path traversal vulnerabilities that Rust applications are susceptible to. Find out all about Rust path traversal vulnerability in this post from Taurai Mutimutema on Stackhawk’s blog.

React Open Redirect Guide: Examples and Prevention

From payments and password resets to downloads, website redirections are everywhere. They’re a popular way to perform background actions and navigate users to the relevant pages after the action is complete. However, with a subtle blend of social engineering, attackers could use your website’s redirection feature to steal your users’ data. Open redirect is a vulnerability that allows an attacker to control your website redirections. But what exactly is open redirection, and how can you prevent it? In this post, you’ll understand what open redirections are and how you can prevent them in your React application. Dive deep in this post from Siddhant Varma on Stackhawk’s blog.

Rails HTTP Strict Transport Security Guide: What It Is and How to Enable It

Implementing a solid security layer for our applications and assuring necessary rules have become a required step for the web in the last decades. Of course, we can’t claim that 100% of the web is protected against the myriad of threats popping up everywhere. Nevertheless, there is a real push from many fronts to keep perfecting security measures on the web. That being said, not all security features are made the same way or have the same impact to protect our users. For example, one of the most essential features to protect our users is HTTP Strict Transport Security or HSTS. This article from Juan Reyes aims to examine HSTS in the context of Ruby on Rails. Find out more on Stackhawk’s blog. 

Node.js HTTP Strict Transport Security Guide: What It Is and How to Enable It

For developers, security measures and policy enforcement are a regular routine for our projects. Having a sound security layer and ensuring basic protocols have become the bread and butter for all client-facing platforms. We can’t say that 100% of the web is secured adequately from the myriad of threats out there. But we can confidently say that most efforts are pushing the needle in that direction. That being said, not all security features have the same impact or protect the users in the same way. One such feature is HTTP Strict Transport Security or HSTS. This article from Juan Reyes will briefly define what HTTP Strict Transport Security is on Stackhawk’s blog. 

What Is End To End Testing? A Helpful Introductory Guide

We also updated a post this week on end to end testing. No company would release a piece of software without testing it. But there are many ways of testing software. End to end testing is one way. It might even be the most important way, though often the most time- and resource-intensive one. Luckily, there are ways to automate end to end tests. In this post, you can learn not only what end to end testing is, but how it fits into an overall testing strategy that can benefit every organization. Check it out on Testim’s blog.