Post on 04-Jun-2015
http://www.flickr.com/photos/8407953@N03/5990642198/
THE ENEMY ON THE WEB
The web is extremely popular. (Web 1.0, Web 2.0, Web 3.0)
It was not supposed to be. It was destined to be. (Web 1.0 -> Web 2.0 -> Web 3.0?)
Numerous technologies cobbled together into an incredible app-delivery platform
(HTML5 + CSS3 + ES5 + DOM + Node/PHP/Java + MongoDB/MySQL)
Today the Web is extremely dominant.
And anything dominant gets scrutinized, misused and, worse, attacked.
So, WHO ARE THEY?
Usually 3 kinds!
SO WHAT DO THEY WANT?
Deface. Steal credentials. Spread malware.
For Root Cause #1, let's go back a few decades.
The telephone networks of the 60s to 80s used in-band signaling,
i.e. sending control information and data on the same channel.
Then came the free long-distance calls: a tone played into the voice channel was accepted by the switch as a control command.
In-band signaling on the web, a.k.a. XSS: user data rendered into HTML is parsed as markup and script.
In-band signaling on the web, a.k.a. SQL Injection: user data concatenated into a query is parsed as SQL.
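The two slides above in code. This is an added example, not from the original deck: for HTML and for SQL it places the concatenated (in-band) version beside the version that keeps data out of the control channel, and uses a rough tag counter and string-literal counter to make visible what the browser's HTML parser or the database's tokenizer would see. The attacker inputs, the greeting template and the users query are constructed for this example; the mysql2 execute(sql, params) call mentioned in a comment is an assumption about how a driver would consume the parameterized form.

```javascript
'use strict';

// Added example, not from the original deck. Attacker inputs are constructed.
const XSS_INPUT  = '<img src=x onerror="alert(1)">'; // harmless as text, a tag as HTML
const SQLI_INPUT = "' OR '1'='1";                     // harmless as text, logic as SQL

// ---- XSS: HTML assembled by string concatenation ----------------------------
// The name is meant to be data, but the HTML parser sees a single channel and
// treats the injected tag and its onerror handler as control.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Encoding the HTML metacharacters keeps the input inside the text node: the
// parser can no longer mistake any of it for markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Rough stand-in for the parser: count tag openers (<x or </x) in the output.
// The template itself contributes exactly two: <p> and </p>.
function tagCount(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// ---- SQL injection: query text assembled by string concatenation ------------
// The query text is the control channel; splicing the value into it lets a
// quote inside the value close the literal and append a new predicate.
function buildQueryUnsafe(username) {
  return "SELECT * FROM users WHERE name = '" + username + "'";
}

// Parameterized form: the control text never changes and the value travels
// separately (assumed driver usage: mysql2's execute(sql, params) sends the
// value out of band, so the server never re-parses it as SQL).
function buildQueryParameterized(username) {
  return { sql: 'SELECT * FROM users WHERE name = ?', params: [username] };
}

// Rough stand-in for the SQL tokenizer: count quoted string literals. A benign
// name yields one; the payload yields three and leaves OR outside any literal,
// i.e. in the control channel.
function countStringLiterals(sql) {
  return (sql.match(/'[^']*'/g) || []).length;
}

// Stand-alone demonstration of both root-cause instances.
function demo() {
  const rows = [
    ['HTML unsafe', renderGreetingUnsafe(XSS_INPUT), tagCount(renderGreetingUnsafe(XSS_INPUT))],
    ['HTML safe  ', renderGreetingSafe(XSS_INPUT),   tagCount(renderGreetingSafe(XSS_INPUT))],
    ['SQL unsafe ', buildQueryUnsafe(SQLI_INPUT),    countStringLiterals(buildQueryUnsafe(SQLI_INPUT))],
    ['SQL param  ', buildQueryParameterized(SQLI_INPUT).sql, countStringLiterals(buildQueryParameterized(SQLI_INPUT).sql)],
  ];
  rows.forEach(function (r) { console.log(r[0] + ' | ' + r[1] + ' | control tokens seen: ' + r[2]); });
  return rows;
}

demo();
```

The counters are deliberately crude; the point is that the parameterized query's control text is identical for every input, which is the web equivalent of moving the signaling off the voice channel.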
Root Cause #2. Insecure mashups: ads, third parties, customer content.
Iframe malicious redirect attacks
Drive-by-download/malware attacks
But we have firewalls, IDS, XYZ, ABC, 123. And we also undergo pen tests, code review, etc.
Q: Did it solve your problem?
Why chase the symptom?
Let's fix the problem.
The Golden Rule: Defensive Coding. Everything has bad parts. Did you subset
the language you use?
Adopt/build app frameworks that can bear the attack.
Ones that auto-defend and auto-sanitize. Like MVC templates with auto-encoding.
Like NoSQL DBs, free of SQL injection (but not of injection: with a JSON body parser, MongoDB query operators such as $gt or $ne can still arrive inside user input, so enforce the expected types at the boundary).
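What "auto-defend" looks like in code, as an added example that is not from the deck or from any particular framework: a minimal template function that encodes every substitution by default and only emits raw HTML through a visibly different, opt-in syntax, plus a boundary check for the NoSQL case that turns a MongoDB operator object smuggled in as a password back into a rejected input. The {{ }} / {{{ }}} syntax, the login field names and the payload are constructed for this example; the findOne call in the comment is the assumed place where such a filter would be used.

```javascript
'use strict'; // ES5 strict mode: one cheap way to subset the language's bad parts

// Added example, not the deck's code. Template syntax, fields and payloads are constructed.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Auto-encoding template: {{key}} is always encoded; raw HTML requires the
// explicit {{{key}}} form, so the unsafe path stands out in code review.
// Missing keys render as empty strings rather than the string "undefined".
function render(template, data) {
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    function (match, rawKey, encKey) {
      if (rawKey !== undefined) {
        return data[rawKey] === undefined ? '' : String(data[rawKey]);
      }
      return data[encKey] === undefined ? '' : escapeHtml(data[encKey]);
    });
}

// NoSQL removes the SQL grammar, not injection. With a JSON body parser the
// request body {"user":"admin","pass":{"$gt":""}} would reach an assumed
// db.users.findOne({ user: body.user, pass: body.pass }) as a query operator
// and match any non-empty password. Enforcing the primitive type the field is
// supposed to have rejects the operator object before it becomes a query.
// (Real code compares a password hash, not the raw password; the filter is the
// injection point either way.)
function stringField(body, field) {
  const v = body[field];
  if (typeof v !== 'string') {
    throw new TypeError('field ' + field + ' must be a string');
  }
  return v;
}

function loginFilter(body) {
  return { user: stringField(body, 'user'), pass: stringField(body, 'pass') };
}

// Yes/no form for callers that prefer a boolean to an exception.
function acceptsLogin(body) {
  try { loginFilter(body); return true; } catch (e) { return false; }
}

// Stand-alone demonstration.
console.log(render('<p>{{ name }}</p>', { name: '<b>not bold</b>' }));   // encoded
console.log(render('<p>{{{ html }}}</p>', { html: '<b>bold</b>' }));      // raw, opted in
console.log(acceptsLogin({ user: 'admin', pass: 'hunter2' }));           // true
console.log(acceptsLogin({ user: 'admin', pass: { $gt: '' } }));         // false
```

The framework property that matters is the default: a developer who forgets to think about encoding still gets a safe page, and the one place where raw output is allowed is greppable.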
WARNING: check production readiness (browser support) first at http://www.browserscope.org/?category=security&v=top
Learn and implement new techniques.
(CSP, ES5, HTML5 Sandbox, postMessage)
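Three of those techniques applied to the Root Cause #2 case of embedding a third-party widget, as an added example that is not part of the deck: a Content-Security-Policy header that refuses inline script and unknown frame and plugin sources, a sandboxed iframe that cannot navigate the top-level page, and a postMessage receiver that checks the sender's origin and the message shape. The widget origin, the policy contents and the message format are assumptions for this example. The functions are pure so the block runs under Node without a DOM; the strings they return are what the server would send as the header and what the page would insert as markup.

```javascript
'use strict';

// Added example, not from the deck. Origins, policy and message format are assumed.
const WIDGET_ORIGIN = 'https://widget.example'; // assumed third-party origin

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// 1. Content-Security-Policy. No 'unsafe-inline' under script-src, so a
//    reflected <script> or onerror payload does not execute; frame-src limits
//    who may be framed (iframe redirect attacks); object-src 'none' blocks
//    plugins, a classic drive-by vector.
function buildCsp() {
  const directives = {
    'default-src': ["'self'"],
    'script-src':  ["'self'"],
    'frame-src':   [WIDGET_ORIGIN],
    'object-src':  ["'none'"],
    'base-uri':    ["'self'"],
  };
  return Object.keys(directives)
    .map(function (k) { return k + ' ' + directives[k].join(' '); })
    .join('; ');
}

// 2. HTML5 sandboxed iframe. With sandbox="allow-scripts" and nothing else the
//    widget runs in a unique origin, cannot navigate the top-level page, cannot
//    open popups and cannot run plugins. The src is checked against the single
//    origin we agreed to embed and attribute-encoded before insertion.
function sandboxedEmbed(src) {
  const u = new URL(src);
  if (u.origin !== WIDGET_ORIGIN) {
    throw new Error('refusing to embed ' + u.origin);
  }
  return '<iframe src="' + escapeAttr(src) + '" sandbox="allow-scripts"></iframe>';
}

// 3. postMessage. The sender should call postMessage(msg, WIDGET_ORIGIN), never
//    '*'. The receiver must check event.origin before trusting event.data, and
//    then validate the data as a typed message rather than executing or
//    rendering it. Here the assumed message is { type: 'resize', height: n }.
function isTrustedMessage(event) {
  if (event.origin !== WIDGET_ORIGIN) return false;
  const d = event.data;
  return typeof d === 'object' && d !== null &&
    d.type === 'resize' &&
    Number.isInteger(d.height) && d.height > 0 && d.height <= 2000;
}

// Returns the action the page would take, or null when the message is ignored.
function handleWidgetMessage(event) {
  if (!isTrustedMessage(event)) return null;
  return { action: 'resize', height: event.data.height };
}

// Stand-alone demonstration with constructed events.
console.log(buildCsp());
console.log(sandboxedEmbed(WIDGET_ORIGIN + '/w.html?x=1'));
console.log(handleWidgetMessage({ origin: WIDGET_ORIGIN, data: { type: 'resize', height: 300 } }));
console.log(handleWidgetMessage({ origin: 'https://evil.example', data: { type: 'resize', height: 300 } }));
```

One caveat on the sandbox: if the framed document is served from the embedding page's own origin, adding allow-same-origin next to allow-scripts lets it reach into the parent and remove its own sandbox attribute, so keep third-party content on its own origin and leave allow-same-origin off.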
twitter: b1shan
email: c70n3r@gmail.com
blog: http://bishankochher.blogspot.com/