Application Security by Andrew Hoffman
I'm a software security architect and the author of O'Reilly's Web Application Security book series, one of the most popular introductions to application security (aka AppSec). Beyond this, I offer consulting services via Andrew Hoffman, LLC, and operate a popular AppSec YouTube channel.
Below you'll find some of my writing on security, engineering and other related topics that interest me.
Trusted Types: Future-proof XSS Defense
Trusted Types is a brand-new browser security feature aimed at eliminating DOM-based XSS by flipping the model from blocklist to allowlist. All dangerous sinks are disabled by default, and developers explicitly enable the ones they need via JavaScript policies. Learn how to implement Trusted Types by reading this post.

Reachability Analysis: SCA's Killer Feature?
Software composition analysis tools will flag every known vulnerability in your dependency tree, regardless of whether it is actually exploitable in your implementation. Reachability analysis filters the noise down to what's really exploitable. This is a primer on reachability analysis.

My Experience Publishing a Technical Book
I wrote and published the popular O'Reilly Media Web Application Security book despite knowing little about technical book publishing when I started. This is the behind-the-scenes walkthrough covering proposals, contracts, editing, marketing, and more. An inside look at writing and publishing with a top publisher.

Intro to Web App Security
A 45-minute talk I gave at a JavaScript conference on the fundamentals of web app security. It covers mapping applications, finding and exploiting common OWASP Top 10 vulnerabilities, defending against them, and building a security-first culture within an engineering org.

Microsoft Edge Cookie Bypass
I discovered a security vulnerability in Microsoft Edge, caused by an incorrectly defined inheritance chain between the main window document and the HTMLDocument objects created by DOMParser. This writeup describes how an attacker could use it to bypass the browser's cookie-access restrictions.

Sanitize JavaScript Scheme to Prevent XSS
Modern browsers support a long roster of alternate and legacy URI schemes. One of them is javascript:, which attackers can abuse to deliver XSS payloads with ease. This is a comprehensive guide on the risks of the scheme and how to prevent its exploitation.

Debugging JavaScript in Chrome
One of the biggest hurdles new JavaScript developers run into is learning the tools required to debug their code. This walks through the Chrome DevTools (Elements, Console, Sources, Network, etc.) and the workflow tricks that save you real time once you know them.

Aura Component Development Quickstart Guide
A quickstart for writing Salesforce Aura (aka Lightning) components. Covers component structure, controllers, the Salesforce ecosystem context, and how Locker Service (Lightning Locker) provides security by preventing one Aura component from traversing the DOM into another.

Getting Started with BEM
BEM, or Block Element Modifier, is a methodology that helps you build complex CSS components. It's a way of naming your CSS classes to avoid conflicts, improve code organization, scale maintainably, and namespace components cleanly. This post is an intro to the BEM methodology.
