<p>Security design is an important, but often neglected, component of system design. In this session, Douglas Crockford, creator of Javascript Object Notation, will outline the security issues that must be considered in the architecture of Ajax applications.</p>
<p>The design of the browser did not anticipate the needs of multiparty applications. The browser’s security model frustrates useful activities and allows some very dangerous activities. This talk will look at the small set of options before us that will determine the future of the Web.<br />
During this session, attendees will:</p>
<ul>
<li>Learn why effective security is an inherent feature of good design;</li>
<li>Experience a real-time demo of a Ajax client/server system based on sound security principles</li>
<li>See how to apply secure design to rich web applications.</li>
</ul>
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
Web Application Security Reloaded for the HTML5 era - Designing and implementing secure Single Page Applications - Devoxx UK
Ten years after the first OWASP Top Ten list of Web Application Security risks has been published, the basics of protecting a typical JEE/Rails/PHP/.NET, webapp are becoming mainstream knowledge (although never enough, as the endless series of high profile vulerabilities demonstates).
But the industry-wide move towards HTML5 and Single Page Applications, motivated by the opportunity for more sophisticated interaction and UX, is again upsetting the balance between Hackers and Developers. A wave of new-generation front-end technologies such as Web Components, AngularJS and Ember is Developers are attracting Developers with their combination of productivity and innovative UX, but at the same time opens the door to new vulnerabilities and security challenges.
This talk will summarize the main principles of Secure Coding, and will discuss their application to HTML5 applications that interact with REST or WebSocket backends to prevent major risks (including OWASP Top Ten).
A concrete example will demonstrate the use of tools and libraries, from RBAC to JWT, from Spring Security to AngularJS modules for implementing secure HTML5/JS apps.
<p>Security design is an important, but often neglected, component of system design. In this session, Douglas Crockford, creator of Javascript Object Notation, will outline the security issues that must be considered in the architecture of Ajax applications.</p>
<p>The design of the browser did not anticipate the needs of multiparty applications. The browser’s security model frustrates useful activities and allows some very dangerous activities. This talk will look at the small set of options before us that will determine the future of the Web.<br />
During this session, attendees will:</p>
<ul>
<li>Learn why effective security is an inherent feature of good design;</li>
<li>Experience a real-time demo of a Ajax client/server system based on sound security principles</li>
<li>See how to apply secure design to rich web applications.</li>
</ul>
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
Web Application Security Reloaded for the HTML5 era - Designing and implementing secure Single Page Applications - Devoxx UK
Ten years after the first OWASP Top Ten list of Web Application Security risks has been published, the basics of protecting a typical JEE/Rails/PHP/.NET, webapp are becoming mainstream knowledge (although never enough, as the endless series of high profile vulerabilities demonstates).
But the industry-wide move towards HTML5 and Single Page Applications, motivated by the opportunity for more sophisticated interaction and UX, is again upsetting the balance between Hackers and Developers. A wave of new-generation front-end technologies such as Web Components, AngularJS and Ember is Developers are attracting Developers with their combination of productivity and innovative UX, but at the same time opens the door to new vulnerabilities and security challenges.
This talk will summarize the main principles of Secure Coding, and will discuss their application to HTML5 applications that interact with REST or WebSocket backends to prevent major risks (including OWASP Top Ten).
A concrete example will demonstrate the use of tools and libraries, from RBAC to JWT, from Spring Security to AngularJS modules for implementing secure HTML5/JS apps.
Adobe Hacked Again: What Does It Mean for You? Lumension
Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach.
But more importantly I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers.
I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss:
*Alternatives to Adobe and Java
*Different ways to containing vulnerable apps in a sandbox
* Using advanced memory protection technologies to detect and stop buffer overflows and other memory based attacks
Patching and AV only helps you close the window on hacker opportunity. To prevent the window from opening in the first place you have to prevent untrusted code from ever running in the first place. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning.
That’s why Lumension is sponsoring this event. I think you’ll be interested seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day.
This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.
A wild ride through the dizzying highs and terrifying lows of web security in 2015. Take a look at some major breaches of the year, including some free beer!
We’ll look at how attack trends have changed over the past year and new ways websites are being compromised. We’ve pulled together data from all the sites we protect to show you insights on types and patterns of attacks, and sophistication and origin of the attackers.
After the bad, we’ll look at the good - new technologies like RASP are helping secure the web.
Presentation I gave at ISSA DC on June 21, 2011. It introduces the OWASP Mobile Security Project, and covers at a high level: Overview of the Android platform, Mobile Top 10 Risks, Threat Modeling for Android.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
An old presentation on community engagement practices, and communication in open source projects. Some of the references are a little outdated with current trends in open source (eg. github).
JavaScript language plays a very important role in Web 2.0 application development. JavaScript has its own characteristics different than object-oriented languages and it's not easy for developers to understand.
This presentation covers major advanced topics in JavaScript languages, including prototype chain, identifier resolving, "this" keyword, "new" operator, execution context and scope chain and closure. Besides that, it also covers best practices when using JavaScript.
JavaScript: Advanced Scoping & Other PuzzlesSencha
In this session, we'll review the fundamentals of Javascript variable scope and common "execution context" (scope) challenges associated with early/late binding of event handlers, specifically within complex Ext JS layouts. We'll also bring several patterns (namespaced references, Function closures, inline references, ref/refOwner, and the "Poor-man's message bus") to bear on the bowl of soup we call "scope."
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
Hacking browser components by Reverse Engineering is emerging as the best way for discovering
potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA
space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous
third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost
on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter,
Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing.
Browsers today host a substantial part of web applications including data access, business logic,
encryption, etc. along with presentation layer. This shift is making browser components a potential
target for hackers. The danger of poorly written browser components being
Adobe Hacked Again: What Does It Mean for You? Lumension
Last time it was Adobe’s code signing servers. This time it’s 2.9 million (let’s just call it 3) customers’ data and lots and lots of source code – including that of Acrobat. Adobe products already require constant patching but offer no enterprise level solution for patching. In this presentation by Ultimate Windows Security, we’ll present why this will likely lead to more and we’ll look at what we know about this latest Adobe breach.
But more importantly I’ll show what you can do in advance to protect yourself against zero-day exploits in Adobe products and programs. After all this won’t be the last time a software vendor is hacked. In this day and age we have to protect ourselves from the failures of our software providers.
I’ll present 3 ways you can go on the offensive to protect yourself from the constant vulnerabilities discovered in Adobe Reader, Acrobat, Flash and Oracle Java. Here’s what we’ll discuss:
*Alternatives to Adobe and Java
*Different ways to containing vulnerable apps in a sandbox
* Using advanced memory protection technologies to detect and stop buffer overflows and other memory based attacks
Patching and AV only helps you close the window on hacker opportunity. To prevent the window from opening in the first place you have to prevent untrusted code from ever running in the first place. That requires application whitelisting and memory protection against code injection – a growing menace that bypasses controls based on file system and EXE scanning.
That’s why Lumension is sponsoring this event. I think you’ll be interested seeing 2 of their end-point security technologies that will help protect you from the new exploits on their way as a result of this hack as well as the constant stream of exploits discovered every day.
This is going to be a really cool presentation with practical tips that you can apply. Learn how to protect your systems from other software vendor vulnerabilities.
A wild ride through the dizzying highs and terrifying lows of web security in 2015. Take a look at some major breaches of the year, including some free beer!
We’ll look at how attack trends have changed over the past year and new ways websites are being compromised. We’ve pulled together data from all the sites we protect to show you insights on types and patterns of attacks, and sophistication and origin of the attackers.
After the bad, we’ll look at the good - new technologies like RASP are helping secure the web.
Presentation I gave at ISSA DC on June 21, 2011. It introduces the OWASP Mobile Security Project, and covers at a high level: Overview of the Android platform, Mobile Top 10 Risks, Threat Modeling for Android.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
An old presentation on community engagement practices, and communication in open source projects. Some of the references are a little outdated with current trends in open source (eg. github).
JavaScript language plays a very important role in Web 2.0 application development. JavaScript has its own characteristics different than object-oriented languages and it's not easy for developers to understand.
This presentation covers major advanced topics in JavaScript languages, including prototype chain, identifier resolving, "this" keyword, "new" operator, execution context and scope chain and closure. Besides that, it also covers best practices when using JavaScript.
JavaScript: Advanced Scoping & Other PuzzlesSencha
In this session, we'll review the fundamentals of Javascript variable scope and common "execution context" (scope) challenges associated with early/late binding of event handlers, specifically within complex Ext JS layouts. We'll also bring several patterns (namespaced references, Function closures, inline references, ref/refOwner, and the "Poor-man's message bus") to bear on the bowl of soup we call "scope."
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
Hacking browser components by Reverse Engineering is emerging as the best way for discovering
potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA
space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous
third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost
on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter,
Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing.
Browsers today host a substantial part of web applications including data access, business logic,
encryption, etc. along with presentation layer. This shift is making browser components a potential
target for hackers. The danger of poorly written browser components being
From JavaSpaces, JINI and GigaSpaces to SpringBoot, Akka – reactive and microservice pitfalls.
http://blog.mitemitreski.com/2014/11/java2days-2014-from-javaspaces-jini-and.html#.VHPK7x9jOCg
JavaScript is the most widely used language cross platforms. This talk will analyze the security concerns from past to present with a peek to the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
Whether you’re loyal to Microsoft’s Internet Explorer, or whether you opt for one of the the dozens of other web browsers available to download and use for free out there (such as Google Chrome, Opera, Mozilla’s Firefox or Mac Safari), you are probably using your preferred browser to access both personal and professional websites. These wondrous tools that are part of our daily (digital) lives can now replace other existing software thanks to something called an extension.
Why You Should Use MERN Stack for Startup Apps?Pixel Crayons
If you have no idea what MERN stands for, check out my explanation in this article first! This insightful guide will help you learn about the benefits of using the MERN stack and why it’s perfect for your next web application project.
In a nutshell, The MERN Stack refers to four technologies: MongoDB, ExpressJS, ReactJS, and Node.js. MongoDB is a document-oriented DBMS that allows you to store data in JSON-like format.
With Microsoft prePress, you can access just-written content from upcoming
books. The chapters come straight from our respected authors, before they’re
fully polished and debugged—for critical insights now, when you need them.
This document contains one or more portions of a preliminary version of a Microsoft Press title and is provided
“as is.” The content may be changed substantially upon final publication. In addition, this document may make
reference to pre-released versions of software products that may be changed substantially prior to final
commercial release. Microsoft reserves the right to not publish this title or any versions thereof (including
future prePress ebooks). This document is provided for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EITHER EXPRESS OR IMPLIED, IN THIS DOCUMENT. Information and views expressed in this
document, including URL and other Internet website references may be subject to change without notice. You
bear the risk of using it.
Erik Costlow, Product Evangelist at Contrast Security, was Oracle's principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
Browsers HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to success as we see it now, it is quite unsatisfactory from a security perspective. In fact, this solution does not face the problem of letting third party code access the whole data in the DOM when explicitly loaded and executed by the browser. This behaviour opens the door to malicious third party code attacks that can be achieved using either Cross Site Scripting (OWASP Top Ten Security risk #1 for many years) or second order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on successes and failures of the most interesting open source sandboxing browser techniques.
Presented at All Things Open RTP Meetup
Presented by Jarred Overson, CTO at Candle
Title: WebAssembly & Zero Trust for Code
Abstract: Zero Trust eliminated the notion that users, devices, or service could be inherently trusted within your company's network. Yet for some reason we default to trusting the dozens to even thousands of dependencies we import into our applications. These dependencies adopt the same privileges and access as the parent application and are prime targets for attackers. Malicious actors repeatedly seek and take over popular dependencies to gain a foothold into companies. This is not fear mongering, this is happening today. Millions of people – including our speaker – have unknowingly downloaded and run malicious code as part of their normal developer activities.
This is a difficult problem without obvious solutions. WebAssembly gives us a new way of thinking about it. In this talk, Jarrod Overson illustrates how WebAssembly changes the game and can make our applications more secure while improving performance, reusability, and maintainability both on and off the browser.
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
Several frameworks for desktop app development are available these days, such as Cocoa and Microsoft Visual Studio. However, there’s only one framework that you can use to create a multi-platform application. This framework is called Electron, and it’s what you’ll learn about here.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
8. The web was a
disappointment as an
application delivery system.
Page replacement too
inefficient.
Java applets failed.
No one believed in JavaScript.
9. The Web Is Dead.
The future is not document retrieval.
The future is distributed programming.
10. “Another software technology
will come along and kill off the
Web... And that judgment day
will arrive very soon
-- in the next two to three
years.”
George F. Colony
Chairman of the Board and
CEO
Forrester Research, Inc. [2000]
http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,21
38. What can an attacker do if
he gets some script into
your page?
39. An attacker can request
additional scripts from any
server in the world.
Once it gets a foothold, it can
obtain all of the scripts it
needs.
40. An attacker can read the
document.
The attacker can see everything
the user sees.
41. An attacker can make
requests of your server.
Your server cannot detect that
the request did not originate
with your application.
42. If your server accepts SQL
queries, then the attacker gets
access to your database.
SQL was optimized for
SQL Injection Attacks
43. An attacker has control over
the display and can request
information from the user.
The user cannot detect that the
request did not originate with
your application.
44. An attacker can send
information to servers
anywhere in the world.
45. The browser does not
prevent any of these.
Web standards require these
weaknesses.
46. The consequences of a
successful attack are horrible.
Harm to customers.
Loss of trust.
Legal liabilities.
47. Cross site scripting attacks
were invented in 1995.
We made no progress on the
fundamental problems in 14
years.
48. Why is there XSS?
• The web stack is too complicated.
Too many languages, each with its own
encoding, quoting, commenting, and
escapement conventions.
Each can be nested inside of the others.
Browsers do heroic things to make sense of
malformed content.
• Template-based web frameworks are
optimized for XSS injection.
49. Why is there XSS?
• The JavaScript global object gives
every scrap of script the same set of
powerful capabilities.
• As bad as it is at security, the browser
is a vast improvement over everything
else.
• The browser does distinguish between
the interests of the user and the
interests of the site.
• The browser failed to anticipate that
there could be additional interests.
50. Fundamentally, XSS is a
confusion of interests.
It is dangerous and must be
corrected now.
51. Solving the XSS problem
should be our #1 priority.
We cannot tolerate web
standards that make things
worse.
56. ES5/Strict makes it possible
to have static verification of
third party code without
over-constraining the
programming model.
The best of both Caja and
ADsafe.
57. There is still more work to be
done
• ES5/Strict cannot protect the page
from XSS script injection.
• ES5/Strict can protect the page from
the widgets, but it cannot protect the
widgets from the page.
• ES5/Strict is an important step toward
a programming model in which
multiple interests can cooperate for the
user’s benefit without compromising
each other or the user.
62. How HTML5 makes things worse
1. It is complicated. Complexity is the
enemy of security.
2. It gives powerful new capabilities to
the attacker, include access to the
local database.
3. HTML5 will take a long time to
complete. Does a solution to the XSS
problem have to wait until HTML6?
63. Reset.
• Throw the current HTML5 proposal out
and start over.
• The new charter makes the timely
solution of the XSS problem the
highest priority.
• The old HTML5 set can be mined for
good ideas as long as that does not
undermine the prime directive.
64. The Next Browser Standard
• HTML4/ECMAScript 5 Compatibility
mode to support old applications.
• An opt-in safe mode that has a new
HTML language, ECMAScript 6, and a
new DOM.
• The new DOM should look like an Ajax
library.
65. Many popular approaches to
security fail.
• Security by inconvenience. (TSA)
• Security by obscurity.
• Security as identity.
• Security by vigilance.
67. Information Hiding
Need to know
David Parnas
On the Criteria to Be Used
in Decomposing Systems
into Modules. (1972)
68. Information Hiding
Need to know
A reference is a capability.
Capability Hiding
Need to do
69. There are exactly three ways
to obtain a reference in an
object capability security system.
1. By Creation.
2. By Construction.
3. By Introduction.
70. 1. By Creation
If a function creates an object,
it gets a reference to that
object.
71. 2. By Construction
An object may be endowed by its
constructor with references.
This can include references in the
constructor’s context and inherited
references.
72. 3. By Introduction
A has a references to B and C.
B has no references, so it cannot communicate with A or C
C has no references, so it cannot communicate with A or B
A
C B