Web 2.0 Risks


A short overview of the risk aspects of the brave new Web 2.0 world.


  1. Web 2.0 Risks: INTEGRATION as the problem to the answer… © hans pronk 2008 (aka h@nzz.nl)
  2. pre-WEB 2.0 security & integration
  3. masters of integration, or the ultimate mash-up
  4. trends in the new 2.0 era
     - social networks
     - writable web
     - AJAX
     - deportalization
     - end of the walled garden
     - SaaS
     - PaaS
     - syndication
     - browser as THE ui: everywhere available
     - widgets
     - mash-ups
     - the rise of the platform
     - user-centric identity
     - user-centric
  5. integration & security
     - control
     - complexity
     - data spills
     - new new new
  6. the visionary? right or wrong? ..
  7. the new applications landscape
  8. complexity
     - platforms: the new paradigm: Google | Amazon | Microsoft Live Core | Carolina | Salesforce | 37Signals | (insert favourite platform here)
     - complexity hiding
     - economics of scale
     - specialization
  9. control & faith
     - sharing: the Ford Firestone case
     - dealing with service levels / disaster recovery
     - dealing with popularity: “The Remora Business Model”
     - syndication / rss / “dapper”
     - old school firewalls issues
  10. complexity: “software is hard” (Donald E. Knuth)
  11. complexity
     - API design
     - architecture
     - scaling
     - inside versus outside
     - SOAP versus REST: “put it to REST”?
     - transport versus message security
  12. complexity
     - (accidental) integration on the desktop
     - XSS/XSRF: exploit of trust (user | web site)
     - JSON
     - (missing) tools
     - IDS for app servers
  13. example xss/xsrf
     - http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%22%3Cbody%20onload=alert('OWNED')%3E%22
     - “<body onload=alert('OWNED')>”
     - <img src="http://bank.example/withdraw?account=bob&amp;amount=1000000&amp;for=mallory">
  14. data spills
     - identity management / privacy
     - Identity 2.0 aka “user centric identity management” (Dick Hardt)
     - casual versus strict privacy
     - the case for OAuth!
     - open social?
     - data hygiene, example: RSS-feeds
  15. sharing with the world
     - (private) intel
     - profiling (ip-address?)
     - [Plaxo | LinkedIn | Hyves | Facebook | Qik | Trackr]
     - addresses, contacts, pictures, whereabouts…
  16. new… newer… newest
     - AJAX
     - Ruby (on Rails) / RJS / python / …
     - lighttpd / Mongrel
     - libraries, more libraries, and even more libraries
  17. web threats
     - Web 2.0 is a success: as the activities of the real world move online, the criminals follow the money, and the money is now online
     - credit card companies are still eating the losses, but some areas are making customers more liable for losses
  18. web threats
     - from highly visible media events to financially motivated threats
     - the true financial attacks don't want to lose connectivity, so infrastructure DDoS attacks are contraindicated
     - not just Windows, now hitting Linux and Mac as well, aiming to compromise Linux servers
  19. web threats
     - large rise in misconfigured, rogue DNS resolvers; estimated 300,000 compromised DNS servers
     - Google finding 180,000 web servers serving malicious code in their crawls
  20. wrapping-up…
     - “old” security mechanisms not enough / counterproductive
     - reduce complexity / decoupling
     - old principles are still true
     - be aware and… be what you are
  21. h@nzz.nl | www.twitter.com/hnzz | hnzz.jaiku.com | www.hnzz.nl | 2008, © h@nzz.nl
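Slides 12 and 13 name the two "exploit of trust" cases, a reflected parameter that becomes live markup and a forged cross-site image request that spends a logged-in user's session. The following added example (not from the deck, not the author's code) shows the two server-side defences in plain Python: HTML output encoding of the reflected `loc` parameter, and a per-session synchronizer token checked on the state-changing request. The URLs are taken from slide 13; the handler names, the session dict and the token scheme are assumptions for illustration.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlsplit

# The two URLs from slide 13 (constructed test input for this example).
REFLECTED_URL = ("http://www-1.ibm.com/support/docview.wss?uid=swg21233077"
                 "&loc=%22%3Cbody%20onload=alert('OWNED')%3E%22")
FORGED_IMG_URL = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"


def render_docview(url: str) -> str:
    """Reflect the 'loc' query parameter with HTML output encoding.

    Without escape() the payload "<body onload=alert('OWNED')>" would be
    emitted as markup the browser executes; with it, it is shown as text.
    """
    loc = parse_qs(urlsplit(url).query).get("loc", [""])[0]
    return f"<p>Unknown location: {escape(loc, quote=True)}</p>"


def new_csrf_token(session: dict) -> str:
    """Synchronizer token: random, stored server-side, one per session."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def handle_withdraw(method: str, url: str, session: dict, form: dict) -> tuple[int, str]:
    """Decide whether a withdrawal request may proceed (hypothetical handler).

    An <img src=...> load is always a GET with no form body, so it can never
    carry the session's token; only a POST with a matching token is accepted.
    """
    if method != "POST":
        return 405, "state-changing requests must be POST"
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return 200, f"withdrew {params['amount']} from {params['account']} for {params['for']}"
```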