Post on 05-Dec-2014
Beyond The Norm: Building Secure Websites
Adria Richards, Twin Cities Web Design and Standards Group
We've got a website!
The golden years of html websites
Websites of Today
All your base are belong to us
Exploding Gastanks and Websites
• Initial price
• Reliability
• Appearance
• Features
• Performance
Cross-Site Scripting
Famous sites: webmail including Gmail and Yahoo; Facebook; Wikipedia; the Barack Obama and Hillary Clinton campaign sites
Programming technologies: JavaScript, HTML, Java, ActiveX, VBScript, Flash, RSS
Prevention:
• users - smart browsing
• developers - URL parameters
• developers - form input
• developers - cookies
• developers - database calls
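The "URL parameters" and "form input" points above come down to one rule: anything that arrived in the request must be encoded for the context it is written into before it reaches the browser. The following is an added example, not code from the talk; the route, parameter name and payload are constructed for illustration. It uses Python's standard library in place of the PHP or ASP a 2008-era site would have run.

```python
"""Reflected XSS from a URL parameter: vulnerable rendering beside the
output-encoded fix. Added illustration, not code from the talk."""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker input: a search term that carries a script tag.
PAYLOAD = "<script>alert(document.cookie)</script>"


def search_term_from_url(url: str) -> str:
    """Pull the 'q' query parameter out of a request URL (hypothetical route)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    # The raw parameter is spliced into the markup, so whatever the URL
    # carried is parsed by the browser as HTML and executed as script.
    return f"<p>Results for: {q}</p>"


def render_safe(q: str) -> str:
    # Encode for the HTML text context. quote=True also covers attribute
    # values, where a stray " or ' would otherwise break out of the quotes.
    return f"<p>Results for: {escape(q, quote=True)}</p>"


def next_page_link(q: str) -> str:
    # A different context needs a different encoder: URL-encode the value
    # for the query string, then HTML-encode the finished attribute value.
    href = "/search?q=" + quote(q, safe="")
    return f'<a href="{escape(href, quote=True)}">next</a>'


if __name__ == "__main__":
    url = "https://example.test/search?q=" + quote(PAYLOAD, safe="")
    q = search_term_from_url(url)
    print(render_vulnerable(q))   # script tag reaches the page intact
    print(render_safe(q))         # &lt;script&gt; ... rendered as text
    print(next_page_link(q))
```

The attribute case is the one most often missed: escaping `<` and `>` alone is not enough once user data lands inside `href="..."` or an event handler, which is why the example encodes per context rather than applying one filter on the way in.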
SQL Injection
Famous sites: a domain registrar in New Zealand; Microsoft UK; the United Nations
Programming technologies: ASP, PHP, MySQL, SQL, Oracle
What's vulnerable? All websites that use a database: forums, CMSs, blogs, shopping carts, contact forms
Prevention:
• developers - validate your input
• developers - monitor input into your forms
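The "validate your input" point is best paired with parameterized queries, which keep form data out of the SQL text altogether; validation and monitoring then serve as a second line. The following is an added example, not code from the talk; the table, users and passwords are constructed, and SQLite's in-memory database stands in for the MySQL or Oracle back ends the slide names.

```python
"""SQL injection in a login form: string-built query beside the
parameterized fix, plus a monitoring helper for form input.
Added illustration, not code from the talk."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with plaintext passwords
    (kept that way only so the injected query is easy to read)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Classic mistake: the form fields become part of the SQL text, so a
    # quote in either field rewrites the WHERE clause.
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders keep the data out of the query structure entirely;
    # the driver passes the values separately and they are never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Patterns worth logging when they show up in a form field. This is the
# "monitor input into your forms" point: an alerting aid, not the fix.
INJECTION_HINTS = re.compile(r"('\s*(or|and)\s|--|;|/\*|union\s+select)", re.I)


def suspicious_form_input(value: str) -> bool:
    """Return True when a field looks like an injection attempt.
    Legitimate apostrophes (O'Brien) do not trip it."""
    return INJECTION_HINTS.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    tricked = "' OR '1'='1"
    print(login_vulnerable(db, "admin", tricked))   # True: password check bypassed
    print(login_safe(db, "admin", tricked))         # False
    print(login_vulnerable(db, "admin' --", "x"))   # True: rest of the query commented out
    print(suspicious_form_input(tricked))           # True: worth a log line
```

Run it and the vulnerable path logs in as admin twice without the password, once through the `OR '1'='1'` tautology and once by commenting out the password clause. The parameterized version treats both strings as literal names and passwords and rejects them.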
Predictable IDs
Famous sites: Victoria's Secret; Trend Micro
Programming technologies: your code, session cookies, HTML, social engineering
Prevention:
• users - smart browsing
• developers - random user ID and session cookie generation
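A session cookie is only as unpredictable as the inputs it is built from; hashing a sequential user ID and a timestamp does not add entropy, it just hides the pattern from a casual look. The following is an added example, not code from the talk: the weak scheme is a constructed stand-in for that pattern, and the user ID and login time are made-up values, with the brute-force loop showing what an attacker who can guess both does with them.

```python
"""Session ID predictability: a token derived from guessable inputs,
the attacker's recovery loop, and the CSPRNG replacement.
Added illustration, not code from the talk."""
import hashlib
import secrets


def weak_session_id(user_id: int, issued_at: int) -> str:
    # Looks random on the wire, but both inputs are guessable: user IDs
    # are sequential and the login time lies in a small window.
    return hashlib.sha256(f"{user_id}:{issued_at}".encode()).hexdigest()


def recover_weak_session(target: str, user_id: int, t_start: int, t_end: int):
    """Attacker's side: knowing (or enumerating) the victim's numeric user ID
    and roughly when they logged in, try every second in the window."""
    for ts in range(t_start, t_end + 1):
        if weak_session_id(user_id, ts) == target:
            return ts
    return None


def strong_session_id() -> str:
    # 256 bits from the OS CSPRNG; there is no input to reconstruct, so the
    # only attack is guessing the token itself.
    return secrets.token_urlsafe(32)


def public_user_id() -> str:
    # Same idea for IDs that appear in URLs: expose a random handle instead
    # of the sequential database key, so accounts cannot be enumerated.
    return secrets.token_hex(16)


if __name__ == "__main__":
    victim_uid, login_time = 1042, 1417766400   # constructed: 5 Dec 2014 08:00 UTC
    cookie = weak_session_id(victim_uid, login_time)
    # One hour either side of the guessed login time is 7201 hashes.
    print(recover_weak_session(cookie, victim_uid, login_time - 3600, login_time + 3600))
    print(strong_session_id())
    print(public_user_id())
```

The loop recovers the weak cookie in a fraction of a second; against the CSPRNG token the same approach has nothing to iterate over. Keep the random token as the session key and look the user up server-side rather than encoding anything about the user in the cookie.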
Keeping Your Clients Safe Online
• Discuss
• Recruit
• Test
• Monitor

+ Discuss
+ Collaborate
+ Test
+ Monitor
-----------------------
= Happy Clients!
Thanks! Adria Richards, Twitter @adriarichards
Citations and Credit
Title inspiration: "Beyond The Norm", from Robert X. Cringely's article at Infoworld
Photo, locks: Leonid Mamchenkov
Photos, classic cars: Rojer, Draco2008, Martin Pettitt, charkesw, Smudge 9000, dave_7
Photo, Ford Pinto: Brian Teutsch
Photo, rack right: sylvar
Photo, database 2: Tim Morgan
Photo, message error 404: CyboRoZ
Photo, "You buys your ticket": Hryck.
Photo, injection: Conor Lawless
Dog and kid photos: susieq3c, timtimes, airwaves1, riaan_cornelius, estoril, gopal1035, hdport, Ssmallfry, Bill in Ash Vegas
Design Defects of the Ford Pinto Gas Tank, Engineering Disaster
Twitter in Kindergarten
Wikipedia: Cross-site Scripting
Wikipedia: SQL Injection
Understanding Malicious Content Mitigation for Web Developers
Insecure Websites, CRN
Identity theft in web applications
Types of attacks
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm
Credit: Web Application Security Consortium