I'm excited to say that part

Arne1983 — Tue, 02 Jun 2009 15:25:36 +0000

I'm excited to say that part 2 of my video series is available at www.aachen-method.com. I'm covering Cross-Site Scripting (XSS) and how you can protect your website against it. Over the past couple of weeks I was super busy with my other projects so I couldn't focus on this course, but that's all behind me now and I can work more on this.

Being able to secure your code against CSRF and XSS attacks is a critical skill in being able to charge higher rates as a freelancer, so don't skip these videos.

I also recorded a new introductory video for you where I talk about how people (read: employers) can't help the perception that expensive equals best. This is supposed to serve as a sneak peek of part 3 of my video series and it's a somewhat simplified version of the reality. I'm not suggesting that you should just start charging $500/hour like a lawyer and half a dozen hot chicks will immediately surround you because they will think you are the s***.

I'm also giving a 100% honest explanation on why I'm giving away all this content. Hint: It's not what you think. Definitely watch this video first.

Make sure you sign up for my newsletter so I can notify you right away when I release more killer videos. I promise I won't give your address to anyone and I will never spam you. You can remove your address from the list at any time simply by clicking on the unsubscribe link that is included in every e-mail.

P.S.: Yeah, I'm posting this on a Tuesday afternoon when I'm supposed to be working. I guess I procrastinate way too much.

P.P.S.: Here's the link again: www.aachen-method.com

Securing PHP application is

pulseraiser — Sat, 30 May 2009 14:59:08 +0000

Securing PHP application is an issue for me and i dont know how it could be done. Your videos are very informative as i am a newbie in PHP. Do post more on them.

The good thing about Drupal

RTFVerterra — Wed, 25 Mar 2009 10:15:27 +0000

The good thing about Drupal is me not to bother about security. As long as I am up to date, I can focus on my content and do the things I need to do. If a vulnerability is being discovered, I simply do the upgrade timely and I am secure again. All I have to do is do the upgrade without, and I don't need to know what was the vulnerability, how it works and how the security group deal with it. All I know is I need to do the upgrade.

Your video is good. I am not a pro in public speaking and English is not my everyday language, but I understand you loud and clear. Good luck and thank you for sharing this.

In fact, I received a notice

decibel.places — Wed, 18 Mar 2009 19:20:54 +0000

In fact, I received a notice about a CSRF that was patched in a contrib Drupal module today:

Greg Knaddison (reported by) also creates the excellent "Mastering Drupal" videos (including the free SEO series!)

* Advisory ID: DRUPAL-SA-CONTRIB-2009-010
* Project: Plus 1 (third-party module)
* Version: 6.x
* Date: 2009 March 18
* Security risk: Not critical
* Exploitable from: Remote
* Vulnerability: Cross-site request forgery (CSRF)

-------- DESCRIPTION ---------------------------------------------------------

The Plus 1 module provides a voting widget for content that records votes
using Ajax.

The URL for voting is vulnerable to cross-site request forgeries (CSRF [1])
making it possible for users to unknowingly vote for content.

-------- VERSIONS AFFECTED ---------------------------------------------------

* Versions of Plus 1 prior to 6.x-2.6

Drupal core is not affected. If you do not use the contributed Plus 1 module,
there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Plus 1 for Drupal 6.x upgrade to Plus 1 6.x-2.6 [2]

See also the Plus 1 project page [3].

-------- REPORTED BY ---------------------------------------------------------

Greg Knaddison of the Drupal security team.

-------- FIXED BY ------------------------------------------------------------

Greg Knaddison, Ben Jeavons, Neil Drumm, and Caroline Schnapp.

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact [4].

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/405672
[3] http://drupal.org/project/plus1
[4] http://drupal.org/contact
_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/listinfo/security-news

Website security is

pr0gr4mm3r — Wed, 18 Mar 2009 01:18:20 +0000

Website security is definitely something n00bs don't focus on enough. SQL injection is another hot topic as well.

Hi Arne, welcome to TWF! I

decibel.places — Wed, 18 Mar 2009 00:35:12 +0000

Hi Arne, welcome to TWF!

I viewed your introductory video and found it quite informative and nearly professional - I plan to come back to learn some more.

I often debate security issues with another member here. Thank you for sharing your knowledge!

My only criticism would be that once in a while you are difficult to understand, a word or two are hard to make out. This does not affect the overall content, but perhaps you could try to talk slower and more clearly. I have been a professional public speaker, and it takes training to learn how to talk to an audience and be understood.

I am sure as time goes on and you become less nervous you will become a pro!

CSRF is one exploit commonly discovered in Drupal contrib modules - I know because I receive the Drupal security reports and often I see that a CSRF vulnerability has been discovered and patched.