
Risks of Web 2.0


A short overview of the risk aspects of the brave new Web 2.0 world.


  1. Risks of Web 2.0: INTEGRATION as the problem to the answer… © hans pronk 2008 (aka
  2. pre-Web 2.0 security & integration
  3. masters of integration, or the ultimate mash-up
  4. trends in the new 2.0 era: social networks; writable web; AJAX; deportalization; end of the walled garden; SaaS; PaaS; syndication; browser as THE UI: everywhere available; widgets; mash-ups; the rise of the platform; user-centric identity; user-centric
  5. integration & security: control; complexity; data spills; new, new, new
  6. the visionary? right or wrong? ..
  7. the new applications landscape
  8. complexity: platforms, the new paradigm: Google | Amazon | Microsoft Live Core | Carolina | Salesforce | 37Signals | (insert favourite platform here); complexity hiding; economies of scale; specialization
  9. control & faith: sharing; the Ford/Firestone case; dealing with service levels / disaster recovery; dealing with popularity: “The Remora Business Model”; syndication / RSS / “dapper”; old-school firewall issues
  10. complexity: “software is hard” (Donald E. Knuth)
  11. complexity: API design; architecture; scaling inside versus outside; SOAP versus REST: “put it to REST”?; transport versus message security
  12. complexity: (accidental) integration on the desktop; XSS/XSRF: exploit of trust (user | web site); JSON; (missing) tools: IDS for app servers
  13. example XSS/XSRF: http://www- %22%3Cbody%20onload=alert('OWNED')%3E%22 (“<body onload=alert('OWNED')>”); <img src="http://bank.example/withdraw?account=bob&amp;amount=1000000&amp;for=mallory">
  14. data spills: identity management / privacy; Identity 2.0 aka “user-centric identity management” (Dick Hardt); casual versus strict privacy; the case for OAuth!; OpenSocial?; data hygiene, example: RSS feeds
  15. sharing with the world: (private) intel; profiling (IP address?); [Plaxo | LinkedIn | Hyves | Facebook | Qik | Trackr]; addresses, contacts, pictures, whereabouts…
  16. new… newer… newest: AJAX; Ruby (on Rails) / RJS / Python / …; lighttpd / Mongrel; libraries, more libraries, and even more libraries
  17. web threats: Web 2.0 is a success, as the activities of the real world move online; the criminals follow the money, and the money is now online; credit card companies are still eating the losses, but some areas are making customers more liable for losses
  18. web threats: from highly visible media events to financially motivated threats; the true financial attacks don't want to lose connectivity, so infrastructure DDoS attacks are contraindicated; not just Windows, now hitting Linux and Mac as well, aiming to compromise Linux servers
  19. web threats: large rise in misconfigured, rogue DNS resolvers, estimated 300,000 compromised DNS servers; Google finding 180,000 web servers serving malicious code in their crawls
  20. wrapping up…: “old” security mechanisms not enough / counterproductive; reduce complexity / decoupling; old principles are still true; be aware and… be what you are
  21. 2008, ©,
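Slide 13 shows the two classic payloads without the server-side countermeasures; the following is an added example (not from the slides) of those countermeasures: contextual output escaping for the reflected XSS value, and a session-bound HMAC token plus a method check for the forged `<img src=…>` withdrawal. The secret, session id and helper names are constructed for illustration.

```python
import hmac
import hashlib
import html
from typing import Optional, Tuple
from urllib.parse import urlparse, parse_qs

# Constructed copies of the two payloads quoted on slide 13.
XSS_PAYLOAD = "<body onload=alert('OWNED')>"
CSRF_IMG_URL = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"


def render_untrusted(text: str) -> str:
    """Escape a reflected parameter for an HTML text context.

    '<', '>' and both quote characters become entities, so the value is
    displayed literally instead of opening a <body> with an onload handler.
    """
    return html.escape(text, quote=True)


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Derive a per-session token from a server-side secret (HMAC-SHA256).

    A third-party page can make the victim's browser send a request with
    the bank cookies attached, but it can neither read nor compute this value.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_withdraw(secret: bytes, session_id: str, method: str,
                       url: str, form_token: Optional[str]) -> Tuple[bool, str]:
    """Gate the state-changing action that the <img src=...> trick targets.

    Two independent checks: the action is not reachable via GET (an <img>
    can only issue GET), and the POST must carry a token matching the
    session, compared in constant time.
    """
    if method != "POST":
        return False, "state change via GET rejected"
    expected = issue_csrf_token(secret, session_id)
    if form_token is None or not hmac.compare_digest(expected, form_token):
        return False, "missing or invalid CSRF token"
    q = parse_qs(urlparse(url).query)
    return True, f"withdraw {q['amount'][0]} from {q['account'][0]} for {q['for'][0]}"
```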