SECURITY<!doctype html>

Ville Säävuori · · OWASP Helsinki · 15.6.2011

beyond the attack vectors

I AM NOT A SECURITY EXPERT(But a Web Developer :)

<!doctype html>

html

• API Metering

• Backups & Snapshots

• Counters

• Cloud/Cluster Management Tools

• Instrumentation/Monitoring

• Failover

• Node addition/removal and hashing

• Auto-scaling for cloud resources

• CSRF/XSS Protection

• Data Retention/Archival

• Deployment Tools

• Multiple Devs, Staging, Prod

• Data model upgrades

• Rolling deployments

• Multiple versions (selective beta)

• Bucket Testing

• Rollbacks

• CDN Management

• Distributed File Storage

• Distributed Log storage, analysis

• Graphing

• HTTP Caching

• Input/Output Filtering

• Memory Caching

• Non-relational Key Stores

• Rate Limiting

• Relational Storage

• Queues

• Rate Limiting

• Real-time messaging (XMPP)

• Search

• Ranging

• Geo

• Sharding

• Smart Caching

• Dirty-table management

http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites

complex

http://www.flickr.com/photos/stuckincustoms/5069047950/

what is it?

Markup likeGuido

intended it.

Markup likeGuido Tim

intended it.

Not Just Markup

anymore.

security

<audio> <video>

<footer>

<header>

<canvas>

<audio>

<audio src='foo.mp4'

preload='auto'>

<input type='email' required pattern='.*@syneus\.fi'>

HTTP/1.1 200 OKDate: Wed, 15 Jun 2011 17:45:00 GMTServer: Nginx/1.0.4Access-Control-Allow-Origin: http://syneus.fi

local storagelocalStorage.setItem('name', 'Hello World!');

Web Forms 2.0

SVG

CSS3div > p:last-of-type { ... }

GeoLocationnavigator.geolocation.getCurrentPosition(show_map);

<iframe sandbox="allow-scripts">

in the wild

http://www.flickr.com/photos/sharkbait/2992242065/

http://www.flickr.com/photos/rainbirder/5068808204/

common issues

XSShttp://www.flickr.com/photos/rainbirder/5068808204/

XSRFhttp://www.flickr.com/photos/rainbirder/5068808204/

SQL Injectionhttp://www.flickr.com/photos/rainbirder/5068808204/

Clickjackinghttp://www.flickr.com/photos/rainbirder/5068808204/

ways to protect

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

understand threats

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

understand threats

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

no, really.

sanitation

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

test your code

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

test your code

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

regularly.

test your code

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

often.

stay updated

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe,

or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”

— Sacramento Credit Union

?

http://www.flickr.com/photos/remydwd/48898192/

http://www.flickr.com/photos/amagill/51806161/

Best practices

trust no one

http://www.flickr.com/photos/furryscalyman/673915993/

use good toolsLet frameworks help you.

but don’t trust them blindlyAgain. Understand what you’re doing.

use secure protocols

HTTPS over HTTP

outsource

hire someone

use a checklist

or

but at least

understand your users

Mere mortals don’t behave like nerds.

educate themWhy is it important to have a good password?

www.syneus.fi/aiheet/html5

html5sec.org

lyh.fi/web_security

MORE

Kiitos!Ville Säävuori

@uninen

www.syneus.fi/aiheet/html5

html5sec.org

lyh.fi/web_security

MORE