1. rubendev Oct 24, 2025 parent

   Please elaborate why you believe that? The ability to easily rotate encryption keys is considered an anti pattern?
2. rubendev Oct 22, 2025 parent

   Also, I gave the link to the appendix because there was a specific question about Argon2 parameters. For general developer audiences, they need to look at the standard itself which is a lot more high level about how to properly implement cryptography in software: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x20-V11-Cr...

   For the most common use-cases of cryptography like authentication and secure communication there is more specific, but still high level guidance that is useful for developers as well:

   - https://github.com/OWASP/ASVS/blob/master/5.0/en/0x21-V12-Se...

   - https://github.com/OWASP/ASVS/blob/master/5.0/en/0x18-V9-Sel...

   - https://github.com/OWASP/ASVS/blob/master/5.0/en/0x15-V6-Aut...

3. rubendev Oct 22, 2025 parent

   Which one would you recommend instead? Referring dev teams to NIST standards or the like doesn’t work well in my experience.
4. rubendev Oct 22, 2025 parent

   Yes it’s an audit checklist for when you need to know specifically what to use and with which parameters.

   It’s unfortunate if there are mistakes in there. The people at OWASP would be very happy to receive feedback on their GitHub I’m sure.

5. rubendev Oct 22, 2025 parent

   Can you give some examples of such commonly used libraries for languages like Java / C# / C++?

   In my experience there are not many libraries like Google Tink around, and they are not in widespread use at all. Most applications doing encryption manually for specific purposes still have the words AES, CBC, GCM, IV etc hardcoded in their source code.

   If you review such code, it’s still useful to have resources that show industry best practices, but I agree that the gold standard is to not have these details in your own code at all.

6. rubendev Oct 22, 2025 parent

   Yes I fully agree. I’m a big fan of libraries like Google Tink that make you pick a use case and use the best implementation for that use case with built in crypto agility.

   Most crypto libraries are not built like that however. They just give you a big pile of primitives/algorithms to choose from. Then frameworks get built on top of that, not always taking into account best practices, and leave people that are serious about security the job of making sure the implementation is secure. This is the point where you need something like ASVS.

7. rubendev Oct 22, 2025 parent

   The OWASP ASVS appendix on Cryptography is one of the best and concise resources I know for this kind of thing: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x92-Append...
8. rubendev Mar 24, 2025 parent

   If you only secure the login you will be sending your session cookies unencrypted for the other pages and they can be intercepted and used to impersonate you.
9. rubendev Nov 5, 2024 parent

   If the program has access to the credential, and the program is running on your computer, you also have access to the credential no matter how they try to obfuscate it.

   What the game dev is supposed to do is have an account system on their backend, and ask the player to enter their credentials in the game. The game can then identify itself as this player to the backend servers. That way any actions on the backend can be attributed to a particular player and you have a good basis to make security decisions on.

10. rubendev Sep 1, 2024 parent

    You can set a CSP in the HTML head section using a meta http-equiv tag. It has similar functionality to X-frame-options IIRC.
11. rubendev Jul 25, 2022 parent

    A dark mode would be nice.

This user hasn’t submitted anything.