Announcing the release of a new version of the OWASP WSTG.


I’m very happy and proud to share that the Open Web Application Security Project (OWASP) Web Security Testing Guide v4.2 is now available! This update is the result of a lot of hard work by the repository team and many dedicated contributors. With a team like this, I’m honored to be a core maintainer and co-author.

Here’s a reprint of the announcement I wrote for If you’re interested in security testing for web applications and APIs, this is an update you’ll definitely want to check out!

You can become a contributor yourself by joining us on GitHub!

The OWASP Web Security Testing Guide team is proud to announce version 4.2 of the Web Security Testing Guide (WSTG)! In keeping with a continuous delivery mindset, this new minor version adds content as well as improves the existing tests. …

Building a responsive website with color themes? Better start at the root

Laptop with design software
Photo by NordWood Themes on Unsplash.

If you happen to visit my website, you may notice I’ve spruced it up a bit. can now better respond to your devices and preferences!

Here’s how to use CSS media queries and custom properties to improve your visitor’s browsing experience with just a few lines of CSS.

Catering to Color Preferences

The prefers-color-scheme media feature can be queried to serve up your user’s color scheme of choice. The light option is the go-to version if no active preference is set, and it has decent support across modern browsers.

Additionally, users reading on certain devices can also set light and dark color themes based on a schedule. For example, my phone uses light colors throughout its UI during the daytime and dark colors at night. …

How to build your own newsletter list with DynamoDB and SES email signup confirmations

Card inside envelope
Photo by Rinck Content Studio on Unsplash.

Here’s how I lovingly built a subscription signup flow with email confirmation that doesn’t suck. You can too.

Introducing Simple Subscribe

If you’re interested in managing your own mailing list or newsletter, you can set up Simple Subscribe on your own AWS resources to collect email addresses. This open source API is written in Go and runs on AWS Lambda. Visitors to your site can sign up to your list, which is stored in a DynamoDB table and ready to be queried or exported at your leisure.

When someone signs up, they’ll receive an email asking them to confirm their subscription. This is sometimes called “double opt-in,” although I prefer the term “verified.” Simple Subscribe works on serverless infrastructure and uses an AWS Lambda to handle subscription, confirmation, and unsubscribe requests. …

Which one should you be using? Why Wi-Fi security matters.

Illustration by author.

Setting up new Wi-Fi? Picking the type of password you need can seem like an arbitrary choice. After all, WEP, WPA, WPA2, and WPA3 all have mostly the same letters in them. A password is a password, so what’s the difference?

About 60 seconds to billions of years, as it turns out.

All Wi-Fi encryption is not created equal. Let’s explore what makes these four acronyms so different, and how you can best protect your home and organization Wi-Fi.

Wired Equivalent Privacy (WEP)

In the beginning, there was WEP.

Basic security best practices to share with your non-technical friend.


Readers of my blog typically know more about technology and cybersecurity than most people. This article is for most people. If someone you know could benefit from a simple and straightforward cybersecurity starter pack, please share this article with them — it benefits everyone!

My articles are evergreen, but this note is not. If you’re reading this, it means you can still get 3 extra months free with ExpressVPN for Black Friday.

If you’ve ever said to yourself:

“There’s no one targeting lil ol’ me.”

“I have nothing to hide, anyway.”

“I’m too busy to learn all this stuff. Why can’t someone just give me a simple summary of best practices that I can skim in approximately seven minutes?”

The lesser-known risks of ISPs and why I chose ExpressVPN.


Most people know that a VPN is meant to protect your privacy on public or open Wi-Fi. A lesser-known purpose is to protect your privacy right in your own home, from your own internet service provider (ISP).

A set of Federal Communications Commission (FCC) rules entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” were unfortunately struck down in 2017. These rules would have prevented ISPs from using and selling your sensitive personal data, such as precise geographic location, health and financial information, web browsing history, and even the content of the messages you send.

I’m not comfortable having that data stored anywhere. Handing it over to my ISP makes me even less comfortable, since these treasure troves of sensitive personal data are a frequent and profitable target for ill-intentioned hackers as well. …

How to write tests for your Django applications that boost your team and are actually useful

Testing a peanut butter and jelly sandwich
Cartoon by the author. It’s just soda in the test tube, but I’m not taking chances with that beaker.

If you regard writing tests as a lame checkbox task, nothing could be farther from the truth. Done correctly, tests are one of your application’s most valuable assets.

The Django framework, in particular, offers your team the opportunity to create an efficient testing practice based on the Python standard library unittest. Proper tests in Django are fast to write, faster to run, and can offer you a seamless continuous integration solution for taking the pulse of your developing application.

With comprehensive tests, developers have higher confidence when pushing changes. I’ve seen firsthand in my own teams that good tests can boost development velocity as a direct result of a better developer experience. …

Using Makefiles, pre-commit hooks, and GitHub Actions to help create a happy development team

Stick figure raising their arms in celebration.
Illustration by the author.

Do you want your team to enjoy your development workflow? Do you think building software should be fun and existentially fulfilling? If so, this is the article for you!

I’ve been developing with Django for years, and I’ve never been happier with my Django project setup than I am right now. Here’s how I’m making a day of developing with Django the most relaxing and enjoyable experience possible for myself and my engineering team.

A Custom CLI Tool for Your Django Project

Instead of typing:

python3 -m venv env
source env/bin/activate
pip install -r requirements.txt
python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py collectstatic
python3 manage.py runserver

Wouldn’t it be much nicer to type make start and have all that happen for you? I think so! We can do that with a self-documenting Makefile! Here’s one I frequently use when developing my Django applications, like…

Update Django models and manipulate existing data using migrations

Illustration by the author. It’ll make sense later.

Growing, successful applications are a lovely problem to have. As a product develops, it tends to accumulate complications the way your weekend cake project accumulates layers of frosting. Thankfully Django, my favorite batteries-included framework, handles complexity pretty well.

Django models help humans work with data in a way that makes sense to our brains, and the framework offers plenty of classes you can inherit to help you rapidly develop a robust application from scratch. As for developing on existing Django applications, there’s a feature for that, too. …

How TLS, digital certificates, and sessions help keep communications secure

Illustration by the author.

If you want to have a confidential conversation with someone you know, you might meet up in person and find a private place to talk. If you want to send data confidentially over the internet, you might have a few more considerations to cover.

TLS, or Transport Layer Security, refers to a protocol. “Protocol” is a word that more or less means “the way we’ve agreed to do things around here.” The “transport layer” part of TLS simply refers to host-to-host communication, such as how a client and a server interact, in the Internet protocol suite model.

The TLS protocol attempts to solve these fundamental…


Victoria Drake

Director of Engineering. Core maintainer, OWASP Web Security Testing Guide. Only a slice of my posts are here. Get the full pie 👉
