The document discusses trends in web integration and security with the rise of Web 2.0 technologies. It notes the increasing complexity from platforms and decoupling of applications. Old approaches to security are not enough for the new technologies and approaches are needed to reduce complexity while maintaining principles of awareness. The future will see newer technologies like AJAX and libraries as well as ongoing web threats from attacks.

1. Risico’s Web
2.0
INTEGRATION as the problem
to the answer…
© hans pronk 2008 (aka h@nzz.nl)

2. pre-WEB 2.0 security &
integration
2

3. masters of integration or
the ultimate mash-up

6. trends in the new 2.0 era
social networks
writable web
AJAX deportalization
end of the walled garden SaaS
PaaS syndication
browser as THE ui: everywhere available
widgets
mash-ups the rise of the platform
user-centric identity user-centric

7. integration & security
control
complexity
data spills
new new new

8. the visionair?
right or wrong?
..

10. the new
applications
landscape

11. complexity
platforms: the new paradigm:
Google | Amazon | Microsoft Live Core | Carolina |
Salesforce | 37Signals | (insert favourite platform
here)
complexity hiding
economics of scale
specialization

19. control & faith sharing
the ford firestone case
dealing with service levels / disaster
recovery
dealing with popularity
“The Remora Business Model”
syndication / rss / “dapper”
old school firewalls issues

20. complexity
“software is hard”
Donald E. Knuth

21. complexity
API design
architecture
scaling
inside versus outside
SOAP versus REST
“put it to REST”?
transport versus message security

22. complexity
(accidental)integration on the desktop
XSS/XSRF exploit of trust (user|web-
site)
JSON
(missing) tools
IDS for app servers

23. example xss/xsrf
http://www-
1.ibm.com/support/docview.wss?uid=swg21233077&loc=
%22%3Cbody%20onload=alert('OWNED')%3E%22
“<body onload=alert('OWNED‘)>”
<img src =
quot;http://bank.example/withdraw?account
=bob&amp;amount=1000000&amp;for=
malloryquot;>

24. data spills
identity management / privacy
Identity 2.0 aka “user centric identity
management” (dick hard)
casual versus strict privacy
the case for OAuth!
open social?
data hygiene
example: RSS-feeds

27. sharing with the world
(private) intel
profiling (ip-address?)
[Plaxo | LinkedIn | Hyves | Facebook | Qik | Trackr]
addresses
contacts
pictures
whereabouts…

32. new… newer… newest
AJAX
Ruby (on Rails) / RJS / python / …
lighttpd / mongrell
libraries, more libraries, and even
more libraries

33. web treaths
Web 2.0 is a success, as the activities
of the real world move online; the
criminals follow the money, and the
money is now online
credit card companies are still eating
the losses; but some areas are
making customers more liable for
losses

34. web treaths
from highly visible media events to
financially motivated threats
the true financial attacks don't want to
lose connectivity, so infrastructure
DDoS attacks are counterindicated
not just windows, now hitting Linux
and Mac as well, aiming to
compromise Linux servers

35. web treaths
large rise in misconfigured, rogue DNS
resolvers; estimated 300,000
compromised DNS servers
Google finding 180,000 web servers
serving malicious code in their crawls

36. wrapping-up…
“old” security mechanisms not
enough / counterproductive
reduce complexity /
decoupling
old principles are still true
be aware and…
be what you are

37. h@nzz.nl
www.twitter.com/hnzz
hnzz.jaiku.com
www.hnzz.nl
2008, © h@nzz.nl,