Same Feedback

I learned about OWASP penetration testing fairly recently.

For years I didn't even realize standardized security verification frameworks existed. I'd received vulnerability assessment reports plenty of times but never paid attention to what methodology underpinned them. Then I worked on a healthcare project and encountered OWASP ASVS for the first time. Three verification levels. The sensitivity of the data determines how deep the testing goes. Medical data demands the highest level.

Fine. The problem is what the reports actually say.

Every time I receive a security report, familiar findings line up. The Secure attribute is missing on cookies. Cookies that should only travel over HTTPS are also being sent over plain HTTP. I've been hit with this one at least three times in the past decade. Probably four. Each time I think, "Right, this again." Each time I fix it. Each time I do the exact same thing on the next project.

I know why. Local development runs on HTTP. In my defense, every project means a different environment, a different language, a different framework. Set the Secure flag and cookies stop working on localhost. Inconvenient during development, so I disable it. Then ship that straight to production. A flawless pattern.

I finally learned. These days I branch on an environment variable when implementing cookies. False in development, true in production. That's all it took. Ten years to get there.
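A worked version of the environment-variable branch described above, as an added Python example that is not code from the post. It assumes a hypothetical `APP_ENV` variable and goes one step further than the post: Secure stays on unless the environment is explicitly development, so an unset or misspelled value still ships a Secure cookie. A small audit helper checks a Set-Cookie header for the attribute the reports keep flagging.

```python
import os
from http.cookies import SimpleCookie

# Assumption: deployments set APP_ENV (hypothetical name) to "development"
# on local machines and to something else, or nothing at all, in production.

def secure_cookie_required(env=None):
    """Return True unless the environment is explicitly development.

    Fail safe: an unset, empty or misspelled value keeps Secure on, so the
    only way to lose the flag is to ask for it by name.
    """
    if env is None:
        env = os.environ.get("APP_ENV", "")
    return env.strip().lower() != "development"

def build_session_cookie(value, env=None, max_age=3600):
    """Build a Set-Cookie header value for a session cookie."""
    cookie = SimpleCookie()
    cookie["session"] = value
    morsel = cookie["session"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["httponly"] = True   # not readable from document.cookie
    morsel["samesite"] = "Lax"  # not sent on cross-site POSTs
    if secure_cookie_required(env):
        morsel["secure"] = True  # browser sends it over HTTPS only
    return morsel.OutputString()

def missing_secure(set_cookie_header):
    """Audit check: True if a Set-Cookie header lacks the Secure attribute.

    Attribute names are case-insensitive, so "secure" and "Secure" both count.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return "secure" not in attrs

if __name__ == "__main__":
    for env in ("development", "production", ""):
        header = build_session_cookie("abc123", env=env)
        print(f"{env or '<unset>':>12}: {header}  missing Secure: {missing_secure(header)}")
```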

It wasn't a lack of security knowledge. It was that it just took time to turn a known mistake into a systematic fix. No. It was a lack of security knowledge after all.