Beyond The Norm: Building Secure Websites


  1. Beyond The Norm: Building Secure Websites
     Adria Richards, Twin Cities Web Design and Standards Group
  2. We've got a website!
  3. The golden years of HTML websites
  5. Websites of Today
  6. All your base are belong to us
  7. Exploding Gas Tanks and Websites
     • Initial price
     • Reliability
     • Appearance
     • Features
     • Performance
  8. Cross-Site Scripting
     Famous sites
     • Webmail, including Gmail and Yahoo
     • Facebook
     • Wikipedia
     • Barack Obama & Hillary Clinton
     Programming technologies
     • JavaScript, HTML, Java, ActiveX, VBScript, Flash, RSS
     Prevention
     • users - smart browsing
     • developers - URL parameters
     • developers - form input
     • developers - cookies
     • developers - database calls
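The prevention bullets name the places where untrusted data re-enters a page (URL parameters, form fields, cookies) but the slide does not show what "handling" them means. The following is an added Python example, not from the deck: it encodes a value for the context it lands in (HTML text, an href attribute, a cookie header) and includes a small review check that the raw delimiters did not survive. The sample inputs are constructed for the demonstration; the function names are my own.

```python
import html
from urllib.parse import quote, urlencode

# Constructed inputs standing in for a URL parameter and a form field that
# carry markup; the encoded output below must render them as inert text.
SAMPLE_NAME = '<script>alert("hi")</script>'
SAMPLE_TERM = 'shoes" onmouseover="alert(1)'


def render_greeting_unsafe(name: str) -> str:
    """The pattern the slide warns about: form input pasted straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """HTML text context: <, >, &, ' and \" become entities, so the browser
    displays the characters instead of interpreting them."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_link(term: str) -> str:
    """Two contexts on one line. The query-string value is URL-encoded first;
    the href attribute and the link text are then HTML-escaped. Each layer
    neutralises the delimiters that matter in that layer."""
    href = "/search?" + urlencode({"q": term})
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"{html.escape(term, quote=True)}</a>"
    )


def encode_cookie_value(value: str) -> str:
    """Cookie context: percent-encode so ';', ',', '"' and spaces cannot end
    the value early or introduce a second cookie attribute."""
    return quote(value, safe="")


def is_inert(rendered: str, untrusted: str) -> bool:
    """Review check: an untrusted value that contains HTML delimiters must not
    appear verbatim in the rendered output."""
    has_delims = any(ch in untrusted for ch in "<>\"'")
    return not (has_delims and untrusted in rendered)


if __name__ == "__main__":
    print(render_greeting_unsafe(SAMPLE_NAME))  # delimiters survive
    print(render_greeting(SAMPLE_NAME))         # entities only
    print(render_search_link(SAMPLE_TERM))
    print(encode_cookie_value("theme=dark; path=/"))
```

The point a reviewer should take from `render_search_link` is that one value can cross two contexts on a single line, and each context needs its own encoder; HTML-escaping alone would leave the `"` inside the query string able to break the attribute if the URL encoding were skipped.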
  9. SQL Injections
     Famous sites
     • Domain registrar in New Zealand
     • Microsoft UK
     • United Nations
     Programming technologies
     • ASP, PHP, MySQL, SQL, Oracle
     What's vulnerable?
     • All websites that use a database
     • Forums, CMSs, blogs, shopping carts, contact forms
     Prevention
     • developers - validate your input
     • developers - monitor input into your forms
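The slide lists "validate your input" and "monitor input into your forms" as the developer's defences. The added Python example below is not from the deck; it shows the vulnerable string-built query next to the parameterised form that removes the problem, plus a validation layer and a monitoring check matching the two bullets. The in-memory SQLite table, the e-mail addresses and the probe string are constructed for the demonstration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"),
         ("bob@example.com", "member"),
         ("carol@example.com", "member")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: the form field becomes part of the SQL text, so a
    quote in the field changes the statement instead of the compared value."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def find_user(conn: sqlite3.Connection, email: str) -> list:
    """Fixed: a bound parameter. The driver passes the value separately from
    the statement, so it is compared as data and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value: str) -> bool:
    """The slide's 'validate your input': allow-list the shape of the field
    before it reaches the database. This is a second layer behind parameter
    binding, not a substitute for it."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


# Quote followed by a SQL keyword, or a comment/statement separator.
SQL_PROBE_RE = re.compile(r"['\"]\s*(or|and|union|select)\b|--|;|/\*", re.IGNORECASE)


def looks_like_sql_probe(value: str) -> bool:
    """The slide's 'monitor input into your forms': flag field values that
    look like SQL fragments so they can be logged and reviewed. A monitoring
    aid that will have false positives; it is not a filter to rely on."""
    return SQL_PROBE_RE.search(value) is not None


# Constructed field value of the classic tautology shape, used only to show
# that the unsafe query returns every row while the bound query returns none.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, PROBE))
    print("bound: ", find_user(db, PROBE))
    print("valid? ", validate_email(PROBE), "probe?", looks_like_sql_probe(PROBE))
```

Running it shows the whole table coming back from `find_user_unsafe` and an empty result from `find_user` for the same field value; the validation and monitoring functions reject and flag it respectively, which is the layering the two prevention bullets describe.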
  10. Predictable IDs
     Famous sites
     • Victoria's Secret
     • Trend Micro
     Programming technologies
     • your code, session cookies, HTML, social engineering
     Prevention
     • users - smart browsing
     • developers - random user ID and session cookie generation
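The fix on this slide is "random user ID and session cookie generation". The added Python example below, not from the deck, shows what that looks like in practice: identifiers drawn from the operating system's CSPRNG via the `secrets` module, a session table that stores only a hash of the cookie value, and an audit helper that detects the sequential-ID pattern in a set of observed values. The sample cookie values are constructed; the class and function names are my own.

```python
import hashlib
import secrets
from typing import Iterable, Optional

SESSION_ID_BYTES = 32  # 256 bits of randomness per session

# Constructed sample: session cookie values as they might appear in a request
# log for a site that simply numbers its sessions. Knowing one reveals the rest.
SAMPLE_SEQUENTIAL_SESSIONS = ["100231", "100232", "100233", "100234"]


def new_session_id() -> str:
    """Unguessable, URL-safe session identifier from the OS CSPRNG."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def new_public_user_id() -> str:
    """Public user identifier independent of the database row number, so
    account URLs cannot be walked by counting."""
    return secrets.token_hex(16)


def _digest(session_id: str) -> str:
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionStore:
    """Minimal server-side session table. Only the hash of the cookie value is
    stored, so a copy of the table does not yield usable session cookies."""

    def __init__(self) -> None:
        self._by_digest = {}

    def create(self, user_id: str) -> str:
        session_id = new_session_id()
        self._by_digest[_digest(session_id)] = user_id
        return session_id  # sent to the browser once, in the Set-Cookie header

    def lookup(self, presented: str) -> Optional[str]:
        return self._by_digest.get(_digest(presented))

    def revoke(self, presented: str) -> None:
        self._by_digest.pop(_digest(presented), None)


def is_sequential(ids: Iterable[str]) -> bool:
    """Audit check for the 'predictable IDs' problem: do these identifiers
    (for example session cookies collected from a log) form a run of
    consecutive integers? Non-numeric identifiers cannot be sequential."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("alice")
    print("cookie:", cookie, "->", store.lookup(cookie))
    print("sample log sequential?", is_sequential(SAMPLE_SEQUENTIAL_SESSIONS))
    print("fresh ids sequential? ", is_sequential(new_session_id() for _ in range(4)))
```

A 32-byte token gives 43 URL-safe characters and 256 bits of randomness, which is far beyond what any guessing strategy can cover; the `is_sequential` check is the quick test to run against a site's existing cookies or account URLs before deciding whether this slide applies to it.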
  11-14. Keeping Your Clients Safe Online (built up one point per slide)
     • Discuss
     • Recruit
     • Test
     • Monitor
  15. Keeping Your Clients Safe Online
     + Discuss
     + Collaborate
     + Test
     + Monitor
     -----------------------
     = Happy Clients!
  16. Beyond The Norm: Building Secure Websites
     Thanks! Adria Richards, Twitter @adriarichards
  17. Citations and Credit
     • Title inspiration, "Beyond The Norm", from Robert X. Cringely's article at InfoWorld
     • Photo Locks by Leonid Mamchenkov
     • Photos Classic Cars by Rojer, Draco2008, Martin Pettitt, charkesw, Smudge 9000, dave_7
     • Photo Ford Pinto by Brian Teutsch
     • Photo Rack Right by sylvar
     • Photo database 2 by Tim Morgan
     • Photo Message error 404 by CyboRoZ
     • Photo You buys your ticket by Hryck.
     • Photo Injection by Conor Lawless
     • Dog and kid photos by susieq3c, timtimes, airwaves1, riaan_cornelius, estoril, gopal1035, hdport, Ssmallfry, Bill in Ash Vegas
     • Design Defects of the Ford Pinto Gas Tank, Engineering Disaster
     • Twitter in Kindergarten
     • Wikipedia: Cross-site Scripting
     • Wikipedia: SQL Injection
     • Understanding Malicious Content Mitigation for Web Developers
     • Insecure Websites by CRN
     • Identity theft in web applications
  18. Types of attacks
     Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm
     Credit: Web Application Security Consortium
