Web 2.0 Security<br />Aleksandr Yampolskiy, Ph.D.<br />
What is Web 2.0?<br />Dictionary.com<br />Main Entry: web 2.0<br />Part of Speech: n<br />Definition: the second generation of the World Wide Web in which content is user-generated and dynamic, and software is offered that mimics desktop programs <br />Example: Web 2.0 encourages collaboration and communication between users.<br />Etymology: 2004 <br />
Gilt is a Web 2.0 site for luxury fashion at discounted prices<br />Gilt combines published content with user-generated content. Users can shop, blog, and post comments about fashion products to Twitter and Facebook.<br />Users can share cool deals on Gilt City via Facebook, Twitter, or email.<br />Users can blog about Gilt products.<br />
Evolution of Threats in Web 2.0<br />Every insider is a threat. Even a CISO. To a trojan, you are just an IP address.<br />New propagation methods for malware (PDF, videos, social networks, pop-up ads, etc.)<br />Perimeter of the network is no longer clearly defined as employees use social media (Twitter, Facebook) and external cloud providers.<br />
What’s Different About Web 2.0 Security?<br />
<ul>
<li>More code and complexity in Web 2.0 apps.</li>
<li>Secure and insecure content from different sites mashed together on one page.</li>
<li>We now need to review client-side as well as server-side code.</li>
<li>Dynamic, agile development results in code that’s not thoroughly tested.</li>
<li>Complicated UI frameworks may contain their own subtle security bugs.</li>
<li>New security attacks.</li>
</ul>
What’s Different About Web 2.0 Security?<br />Web 2.0 has completely new app security threats:<br />
<ul>
<li>Malicious AJAX code execution</li>
<li>WSDL scanning and enumeration</li>
<li>RSS injection</li>
<li>XML poisoning</li>
<li>CSRF attacks</li>
</ul>
None of the “new” attacks appear on the OWASP Top 10 list of security bugs.<br />
In fact, the Verizon 2009 data breach report lists the top data breach causes as:<br />
<ul>
<li>Weak or default passwords</li>
<li>SQL injection attacks</li>
<li>Improper access rights</li>
<li>XSS attacks</li>
</ul>
Our Approach<br />Security decisions are based on risk, not just threats and vulnerabilities (risk = threat*vulnerability*cost).<br />Don’t chase hot vulnerabilities of the day. Instead, mitigate top risks.<br />AAA and least privilege principle.<br />Heavily based on policy and user education.<br />“Onion security” – multiple protections at each layer.<br />Achieve “essential”, then worry about “excellent”.<br />Be a “how team” instead of a “no team”.<br />Build security into the software development lifecycle.<br />
Recommendations<br />
<ul>
<li>Make sure all browsers (not just the OS) are patched.</li>
<li>Monitor Internet connections for suspicious activity.</li>
<li>Install anti-virus and anti-malware software on every computer.</li>
<li>Security policies must be up-to-date and address Web 2.0 threats.</li>
</ul>
Recommendations (cont.)<br />Security metrics to gauge Web 2.0 threats can be a powerful ally.<br />
Recommendations (cont.)<br />Build security into the SDLC (software development lifecycle).<br />Secure coding + books for all developers.<br />Fortify static code scanner + dynamic scans using Burp Suite.<br />- Jira security-category approval workflow.<br />
Recommendations (cont.)<br />Standardized config manager for firewall rules.<br />Bandwidth analysis.<br />Standard laptop and server images (disk encryption, A/V, LanRev).<br />Evaluate 3rd parties’ security before sending them your data.<br />Monitor your good name (actually go to hacker forums, Google for it, watch the press, etc.).<br />