<!
doctype html>
SECURITY
OWASP Helsinki 15.6.2011
beyond the attack vectors
Ville Svuori
�I AM NOT A SECURITY EXPERT
(But a Web Developer :)
�<!doctype html>
�html
API Metering Backups & Snapshots Counters Cloud/Cluster Management Tools
Distributed Log storage, analysis Graphing HTTP Caching Input/Output Filtering Memory Caching Non-relational Key Stores Rate Limiting Relational Storage Queues Rate Limiting Real-time messaging (XMPP) Search
Instrumentation/Monitoring Failover Node addition/removal and hashing Auto-scaling for cloud resources
CSRF/XSS Protection Data Retention/Archival Deployment Tools
Multiple Devs, Staging, Prod Data model upgrades Rolling deployments Multiple versions (selective beta) Bucket Testing Rollbacks CDN Management
Ranging Geo
Sharding Smart Caching
Dirty-table management
Distributed File Storage
http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites
���complex
http://www.flickr.com/photos/stuckincustoms/5069047950/
��what is it?
�Markup like Guido intended it.
�Markup like Guido Tim intended it.
�Not Just Markup anymore.
�security
�<header> <audio> <video> <canvas> <footer>
�<audio>
�<audio src='foo.mp4' preload='auto'>
�<input type='email' required pattern='.*@syneus\.fi'>
�HTTP/1.1 200 OK Date: Wed, 15 Jun 2011 17:45:00 GMT Server: Nginx/1.0.4 Access-Control-Allow-Origin: http://syneus.fi
�local storage
localStorage.setItem('name', 'Hello World!');
�Web Forms 2.0
�SVG
�CSS3
div > p:last-of-type { ... }
�GeoLocation
navigator.geolocation.getCurrentPosition(show_map);
�<iframe sandbox="allow-scripts">
�in the wild
http://www.flickr.com/photos/sharkbait/2992242065/
�common issues
http://www.flickr.com/photos/rainbirder/5068808204/
�XSS
http://www.flickr.com/photos/rainbirder/5068808204/
�XSRF
http://www.flickr.com/photos/rainbirder/5068808204/
�SQL Injection
http://www.flickr.com/photos/rainbirder/5068808204/
�Clickjacking
http://www.flickr.com/photos/rainbirder/5068808204/
�ways to protect
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�understand threats
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�understand threats no, really.
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�sanitation
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�test your code
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�test your code regularly.
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�test your code often.
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�stay updated
http://www.flickr.com/photos/soldiersmediacenter/5285447846/
�The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words insert, delete, drop, update, null, or select.
Sacramento Credit Union
http://www.flickr.com/photos/remydwd/48898192/
�Best practices
http://www.flickr.com/photos/amagill/51806161/
�trust no one
http://www.flickr.com/photos/furryscalyman/673915993/
�use good tools
Let frameworks help you.
�but dont trust them blindly
Again. Understand what youre doing.
�use secure protocols
HTTPS over HTTP
�outsource
or
hire someone
but at least
use a checklist
�understand your users
Mere mortals dont behave like nerds.
�educate them
Why is it important to have a good password?
�MORE
html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5
�Kiitos!
Ville Svuori @uninen
�MORE
html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5
