Noch nie von #CWE-22, CWE-377, CWE-778 gehört? Dann könnte dein nächster Datei-Upload in #Java zur Sicherheitslücke werden.
@svenruppert hat praktische Abhilfe parat.
Jetzt absichern: https://javapro.io/de/erstellen-einer-einfachen-datei-up-download-anwendung-mit-vaadin-flow/
5,000 subscribers for my monthly newsletter, wow! Thank you, all of you, for learning about #securecoding and #appsec with me! 
The newsletter has come a long way since 2018!
Join free, here: https://twp.ai/4ioqvU
#applicationsecurity
5,000 subscribers for my monthly newsletter, wow! Thank you, all of you, for learning about #securecoding and #appsec with me! The newsletter has come a long way since 2018!
Join free, here: https://twp.ai/4iokiv
#applicationsecurity
My friend Yabing Wang and I are doing a fireside chat about MODERN #AppSec. Yabing wrote '97 things an appsec professional needs to know', she's a CISO, and a great conversation partner!
July 2nd at 9AM PT 
@justworks
#SecureCoding
My friend Yabing Wang and I are doing a fireside chat about MODERN #AppSec. Yabing wrote '97 things an appsec professional needs to know', she's a CISO, and a great conversation partner!
July 2nd at 9AM PT
@justworks
#SecureCoding
If you use AI to generate code, Codacy Guardrails now offers a free tool to enforce security and quality standards in real time.
Not an endorsement or paid promo, just sharing for awareness.
5,000 subscribers for my monthly newsletter, wow! Thank you, all of you, for learning about #securecoding and #appsec with me! The newsletter has come a long way since 2018!
Join free, here: https://twp.ai/4ioRIO
#applicationsecurity
Virtual-friendly Packages available Built for developers + security pros Fun, funny, and full of practical, actionable advice
DM or email me for deets! Tanya [AT] shehackspurple [DOT] ca
#CyberSecurityAwarenessMonth #SecurityAwarenessMonth #SecureCoding #appsec
3/3
With 25+ presentations to choose from, I cover everything from #securecoding and #threatmodeling to AI risks and #AppSec—always with humor, clarity, and actionable takeaways.
These aren’t just talks—they’re lessons your team will remember.
2/3
5,000 subscribers for my monthly newsletter, wow! Thank you, all of you, for learning about #securecoding and #appsec with me! The newsletter has come a long way since 2018!
Join free, here: https://twp.ai/4imzF9
#applicationsecurity
Mini #securecoding lesson: APIs are often where #IDOR vulnerabilities live. They’re scriptable, discoverable, and rarely protected by frontend logic. Even endpoints not visible to users are vulnerable! Attackers use tools like Burp or Postman to find and exploit them. Easily!
Mutable hashCode() in Java keys = recipe for disaster 
#JavaSecurity #HashMap #Java #SecureCoding #Vaadin https://svenruppert.com/2025/06/06/if-hashcode-lies-and-equals-is-helpless/
5,000 subscribers for my monthly newsletter, wow! Thank you, all of you, for learning about #securecoding and #appsec with me! The newsletter has come a long way since 2018!
Join free, here: https://twp.ai/4imz2y
#applicationsecurity
Datei-Uploads in #Java sicher machen?
Schütze dich vor:
- CWE-22 (Path Traversal)
- CWE-377 (Temp File Risks)
- CWE-778 (Insufficient Logging)
Baue mit @svenruppert & #Vaadin sichere Datei-Apps – inkl. NIO, Logging & Security-Fokus: https://javapro.io/de/erstellen-einer-einfachen-datei-up-download-anwendung-mit-vaadin-flow/
for my german reading follower.. published a post about CWE-22 CWE-377 and CWE-778 and how to harden against it. The demo is written in @Vaadin Flow. #vaadin #java #securecoding #cybersecurity #owasp https://javapro.io/de/erstellen-einer-einfachen-datei-up-download-anwendung-mit-vaadin-flow
Is Node.js the future of backend development, or just a beautifully wrapped grenade?
Lately, I see more and more backend systems, yes, even monoliths, built entirely in Node.js, sometimes with server-side rendering layered on top. These are not toy projects. These are services touching sensitive PII data, sometimes in regulated industries.
When I first used Node.js years ago, I remember:
• Security concepts were… let’s say aspirational.
• Licensing hell due to questionable npm dependencies.
• Tests were flaky, with mocking turning into dark rituals.
• Behavior of libraries changed weekly like socks, but more dangerous.
• Internet required to run a “local” build. How comforting.
Even with TypeScript, it all melts back into JavaScript at runtime, a language so flexible it can hang itself.
Sure, SSR and monoliths can simplify architecture. But they also widen the attack surface, especially when:
• The backend is non-compiled.
• Every endpoint is a potential open door.
• The system needs Node + a fleet of dependencies + a container + prayer just to run.
Compare that to a compiled, stateless binary that:
• Runs in a scratch container.
• Requires zero runtime dependencies.
• Has encryption at rest, in transit, and ideally per-user.
• Can be observed, scaled, audited, stateless and destroyed with precision.
I’ve shipped frontends that are static, CDN-delivered, secure by design, and light enough to fit on a floppy disk. By running them with Node, I’m loading gigabytes of unknown tooling to render “Hello, user”.
So I wonder:
Is this the future? Or am I just… old?
Are we replacing mature, scalable architectures with serverless spaghetti and 12-factor mayhem because “it works on Vercel”?
Tell me how you build secure, observable, compliant systems in Node.js.
Genuinely curious.
Mildly terrified and maybe old.
Going Live in 15 Minutes — Come Join Us!
I’m about to tune in for a live ITSPmagazine webinar that dives into a topic I truly care about:
Secure Coding = Developer Empowerment
It’s not just about reducing risk — it’s about investing in developers, boosting velocity, and building better software from the start.
Today – April 18
Hosted by ITSPmagazine
In partnership with Manicode Security
Jim Manico
Jimmy Mesta 
Sean Martin, CISSP
Will be talking about:
Why most developers never get proper secure coding training
How to get leadership buy-in for better dev security
Why this isn’t just security—it’s a career boost
If you’ve got time, join us live. If not, watch it on demand. Either way, it’s a conversation worth having.
Join here:
#ApplicationSecurity, #DeveloperEmpowerment, #SecureCoding, #DevSecOps, #softwaresecurity, #cybersecurity, #infosec, #ITSPmagazine
Runtime instrumentation in Java – with no frameworks at all.
I wrote a REST service using HttpServer and injected logging logic at class-load time using a custom Java Agent and the Instrumentation API.
100% JDK-only
https://svenruppert.com/2025/04/11/open-hearted-bytecode-java-instrumentation-api
htmx makes Razor Pages more interactive—but don’t skip the security checklist. From CSRF protection to request validation, here’s how to keep your htmx apps locked down: https://woodruff.dev/keeping-your-htmx-apps-safe-security-best-practices-for-asp-net-developers/
DNS attacks are not just legacy threats – they’re evolving.
In my new article series, I explore modern DNS attack vectors like cache poisoning, tunneling, hijacking & spoofing – and how we as developers can defend at the protocol edge.
A must-read if you're building Java-based backend systems or securing internal services.
