Web 2.0 Security
Aleksandr Yampolskiy, Ph.D.

What is Web 2.0?
Dictionary.com
Main Entry: web 2.0
Part of Speech: n
Definition: the second generation of the World Wide Web in which content is user-generated and dynamic, and software is offered that mimics desktop programs
Example: Web 2.0 encourages collaboration and communication between users.
Etymology: 2004

Web 2.0 Sites

Web 2.0 Evolution
Cuene.com/mima

Gilt is a Web 2.0 site for luxury fashion at discounted prices
- Gilt combines published content with user-generated content. Users can shop, blog, and post comments about fashion products to Twitter and Facebook.
- Users can share cool deals on Gilt City via Facebook, Twitter, and email.
- Users can blog about Gilt products.

Evolution of Threats in Web 2.0
- Every insider is a threat. Even a CISO. To a trojan, you are just an IP address.
- New propagation methods for malware (PDF, videos, social networks, pop-up ads, etc.)
- The perimeter of the network is no longer clearly defined, as employees use social media (Twitter, Facebook) and external cloud providers.

What's Different About Web 2.0 Security?
- More code and complexity in Web 2.0 apps.
- More data in more places.
- Secure and insecure content from different sites mashed together on one page.
- We now need to review client-side as well as server-side code.
- A dynamic, agile development approach results in code that is not thoroughly tested.
- Complicated UI frameworks may contain their own subtle security bugs.
- New security attacks.

What's Different About Web 2.0 Security? (cont.)
Web 2.0 has completely new application security threats:
- Malicious AJAX code execution
- WSDL scanning and enumeration
- RSS injection
- XML poisoning
- CSRF attacks

Relax, it's not that bad!

Web 2.0 Security Reality
- The fundamentals are still the same for Web 1.0 and Web 2.0.
- Multilayered "onion security".
- None of the "new" attacks appear on the OWASP Top 10 list of security bugs.
- In fact, the Verizon 2009 data breach report lists the top data breach causes as:
  - Weak or default passwords
  - SQL injection attacks
  - Improper access rights
  - XSS attacks
Our Approach
- Security decisions are based on risk, not just threats and vulnerabilities (risk = threat * vulnerability * cost).
- Don't chase the hot vulnerability of the day. Instead, mitigate the top risks.
- AAA and the least privilege principle.
- Heavily based on policy and user education.
- "Onion security": multiple protections at each layer.
- Achieve "essential", then worry about "excellent".
- Be a "how team" instead of a "no team".
- Build security into the software development lifecycle.
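The two slides above argue that prioritizing by the deck's risk formula, rather than by how novel an attack is, puts the Verizon-listed fundamentals ahead of the "new" Web 2.0 attacks. The following added example (not from the deck) scores a constructed inventory with that formula; every likelihood and cost figure is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Threat:
    name: str
    threat: float         # likelihood someone attempts it (0..1), assumed
    vulnerability: float  # likelihood it succeeds against us (0..1), assumed
    cost: float           # impact if it succeeds, in arbitrary money units

    @property
    def risk(self) -> float:
        # The deck's formula: risk = threat * vulnerability * cost
        return self.threat * self.vulnerability * self.cost


# Constructed sample inventory: the deck's "new" Web 2.0 attacks next to the
# Verizon 2009 top breach causes.  Every score below is an assumption.
NEW_WEB20 = ["RSS injection", "WSDL scanning and enumeration", "XML poisoning"]
FUNDAMENTALS = ["Weak or default passwords", "SQL injection",
                "Improper access rights", "XSS"]
THREATS: List[Threat] = [
    Threat("RSS injection", 0.2, 0.3, 50_000),
    Threat("WSDL scanning and enumeration", 0.4, 0.1, 20_000),
    Threat("XML poisoning", 0.2, 0.2, 80_000),
    Threat("Weak or default passwords", 0.9, 0.6, 500_000),
    Threat("SQL injection", 0.8, 0.4, 800_000),
    Threat("Improper access rights", 0.5, 0.5, 300_000),
    Threat("XSS", 0.7, 0.5, 100_000),
]


def rank_by_risk(threats: Iterable[Threat]) -> List[Threat]:
    """Highest risk first: this is the order in which to mitigate."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def risk_share(threats: Iterable[Threat], names: Iterable[str]) -> float:
    """Fraction of the total risk carried by the named threats."""
    threats, wanted = list(threats), set(names)
    total = sum(t.risk for t in threats)
    if total == 0:
        return 0.0
    return sum(t.risk for t in threats if t.name in wanted) / total


if __name__ == "__main__":
    for t in rank_by_risk(THREATS):
        print(f"{t.name:32s} risk={t.risk:>10,.0f}")
    print(f"fundamentals carry {risk_share(THREATS, FUNDAMENTALS):.1%} of the risk")
```

With these sample scores the four Verizon causes come out on top and carry almost all of the risk, which is the deck's point about chasing hot vulnerabilities.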
Recommendations
- Make sure all browsers (not just the OS) are patched.
- Monitor Internet connections for suspicious activity.
- Install anti-virus and anti-malware software on every computer.
- Security policies must be up to date and address Web 2.0 threats.

Recommendations (cont.)
- Security metrics to gauge Web 2.0 threats can be a powerful ally.

Recommendations (cont.)
- Build security into the SDLC (software development lifecycle).
- Secure coding training and books for all developers.
- Fortify static code scanner plus dynamic scans using Burp Suite.
- Jira security category approval workflow.

Recommendations (cont.)
- Standardized config manager for firewall rules.
- Bandwidth analysis.
- Standard laptop and server images (disk encryption, A/V, LanRev).
- Evaluate third parties' security before sending them your data.
- Monitor your good name (actually go to hacker forums, Google for it, watch the press, etc.).