
HTML5 Security

1,183 views

Published on

HTML5 Security -- Beyond attack vectors. Slides from my presentation at OWASP meeting in Helsinki Finland, 15 June 2011.

Published in: Technology

  1. <!doctype html> SECURITY beyond the attack vectors Ville Säävuori · OWASP Helsinki · 15.6.2011
  2. I AM NOT A SECURITY EXPERT (But a Web Developer :)
  3. <!doctype html>
  4. html
  5. • API Metering • Distributed Log storage, analysis • Backups & Snapshots • Graphing • Counters • HTTP Caching • Cloud/Cluster Management Tools • Input/Output Filtering • Instrumentation/Monitoring • Memory Caching • Failover • Non-relational Key Stores • Node addition/removal and hashing • Rate Limiting • Auto-scaling for cloud resources • Relational Storage • CSRF/XSS Protection • Queues • Data Retention/Archival • Rate Limiting • Deployment Tools • Real-time messaging (XMPP) • Multiple Devs, Staging, Prod • Search • Data model upgrades • Ranging • Rolling deployments • Geo • Multiple versions (selective beta) • Sharding • Bucket Testing • Smart Caching • Rollbacks • Dirty-table management • CDN Management • Distributed File Storage (source: http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites)
  6. complex (photo: http://www.flickr.com/photos/stuckincustoms/5069047950/)
  7. what is it?
  8. Markup like Guido intended it.
  9. Markup like ~~Guido~~ Tim intended it.
  10. Not Just Markup anymore.
  11. security
  12. <header> <audio> <video> <canvas> <footer>
  13. <audio>
  14. <audio src=foo.mp4 preload=auto>
  15. <input type=email required pattern=.*@syneus.fi>
  16. HTTP/1.1 200 OK
      Date: Wed, 15 Jun 2011 17:45:00 GMT
      Server: Nginx/1.0.4
      Access-Control-Allow-Origin: http://syneus.fi
  17. local storage: localStorage.setItem('name', 'Hello World!');
  18. Web Forms 2.0
  19. SVG
  20. CSS3: div > p:last-of-type { ... }
  21. GeoLocation: navigator.geolocation.getCurrentPosition(show_map);
  22. <iframe sandbox="allow-scripts">
  23. in the wild (photo: http://www.flickr.com/photos/sharkbait/2992242065/)
  24. common issues (photo: http://www.flickr.com/photos/rainbirder/5068808204/)
  25. XSS (photo: http://www.flickr.com/photos/rainbirder/5068808204/)
  26. XSRF (photo: http://www.flickr.com/photos/rainbirder/5068808204/)
  27. SQL Injection (photo: http://www.flickr.com/photos/rainbirder/5068808204/)
  28. Clickjacking (photo: http://www.flickr.com/photos/rainbirder/5068808204/)
  29. ways to protect (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  30. understand threats (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  31. understand threats. no, really. (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  32. sanitation (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  33. test your code (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  34. test your code regularly. (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  35. test your code often. (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  36. stay updated (photo: http://www.flickr.com/photos/soldiersmediacenter/5285447846/)
  37. "The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”" — Sacramento Credit Union
  38. ? (photo: http://www.flickr.com/photos/remydwd/48898192/)
  39. Best practices (photo: http://www.flickr.com/photos/amagill/51806161/)
  40. trust no one (photo: http://www.flickr.com/photos/furryscalyman/673915993/)
  41. use good tools. Let frameworks help you.
  42. but don’t trust them blindly. Again. Understand what you’re doing.
  43. use secure protocols: HTTPS over HTTP
  44. outsource or hire someone, but at least use a checklist
  45. understand your users. Mere mortals don’t behave like nerds.
  46. educate them. Why is it important to have a good password?
  47. MORE: html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5
  48. Thanks! Ville Säävuori @uninen
  49. MORE: html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5
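Slide 16 shows a response carrying `Access-Control-Allow-Origin: http://syneus.fi`. The security-relevant point is how the server decides on that value: reflecting whatever `Origin` the request sent, or answering `*`, hands cross-origin read access to every site. The following is an added example (not from the slides or the speaker's code) of picking the header from an allow-list; the allow-list contents, the `corsHeadersFor`/`applyCors` names and the plain `req.headers`/`res.setHeader` handler shape are assumptions for the example, with `http://syneus.fi` taken from the slide.

```javascript
// Added example: choose Access-Control-Allow-Origin from an allow-list instead of
// reflecting the request's Origin or using "*". Allow-list entries are constructed
// for this example; http://syneus.fi is the origin shown on slide 16.
const ALLOWED_ORIGINS = new Set([
  'http://syneus.fi',
  'https://syneus.fi',
]);

// Returns the CORS headers to add for a given request Origin value.
// Returns an empty object when the origin is not allow-listed, so the browser
// keeps blocking the cross-origin read (the secure default).
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== 'string') return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return {}; // "null" or a malformed Origin header: grant nothing
  }
  // Compare the normalised origin (scheme + host + port), not the raw string,
  // so a substring match such as "http://syneus.fi.example" cannot slip past.
  const origin = parsed.origin;
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    // Responses now differ per Origin; tell shared caches so one origin's
    // response is not served to another.
    'Vary': 'Origin',
  };
}

// Hypothetical handler glue: any server that exposes req.headers and
// res.setHeader (Node's http module, Express, ...) fits this shape.
// Returns true when CORS headers were added, false when the origin was refused.
function applyCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return Object.keys(headers).length > 0;
}

module.exports = { ALLOWED_ORIGINS, corsHeadersFor, applyCors };
```

Calling `applyCors(req, res)` before writing the body is enough for simple GET/POST requests; preflighted requests (custom headers, other methods) additionally need `Access-Control-Allow-Methods`/`-Headers` on the OPTIONS response, decided by the same allow-list.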
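Slides 25 and 32 name XSS as a common issue and "sanitation" as a way to protect against it. The concrete form of that advice for HTML output is contextual escaping of untrusted text at the point where it is written into markup. The block below is an added example (not from the slides or the speaker's code): an `escapeHtml` helper and an `html` tagged template that escapes every interpolated value, with a `renderComment` function standing in for a typical templating call; all three names and the sample inputs are constructed for the example.

```javascript
// Added example: output encoding for untrusted text placed into HTML.
// Names (escapeHtml, html, renderComment) and inputs are constructed here.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape text that will land in element content or inside a quoted attribute
// value. The single regex pass replaces all five characters at once, so
// already-escaped '&amp;' in the input is escaped again rather than trusted.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are developer-written markup and are
// trusted; every interpolated value is escaped. Making this the default way to
// build markup turns "forgot to escape" from the common case into the exception.
function html(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// The risky pattern is plain concatenation of user input into markup:
//   '<p data-author="' + author + '">' + comment + '</p>'
// The same rendering through the tagged template:
function renderComment(author, comment) {
  return html`<p class="comment" data-author="${author}">${comment}</p>`;
}

module.exports = { escapeHtml, html, renderComment };
```

This covers the HTML element and quoted-attribute contexts only; text inserted into a `<script>` block, a URL, or a CSS value needs the encoder for that context, which is the reason the slides insist on understanding the threat before reaching for a sanitiser.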
