Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect

January 2007
Bio – K. Scott Morrison

  VP Engineering & Chief Architect at Layer 7 Technologies
    • http://www.layer7tech.com
    • Layer 7 is based in Vancouver BC, Canada

  Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS
    • Over 50 other publications in academic journals and trade magazines

  Co-Editor WS-I Basic Security Profile
  Co-Author WS-Federation

  Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues

                                                                                    January 2007

                      SecureSpan™ Gateway Overview   Proprietary and Confidential              2
Agenda


         Web 2.0
         AJAX
         What’s new about this?
           The collision between AJAX & SOA
         What are the new threat vectors
         Mitigation strategies
         Infrastructure solutions

Web 2.0

Web 2.0 isn’t a technology
      It’s actually an approach to building for the Web

Web 2.0 is:
      Aggregation of content
      Collaboration
      Synergizing the efforts of individuals
      Rich interaction models

Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us, …etc

Remember: “You” is not a technology

Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html

AJAX


AJAX is an approach underpinning Web 2.0
   Provides rich browser interaction models
           This contributes to goal of fostering individual contributions
  Can also be used to aggregate content

AJAX is really a slick new name for existing technology:
   1. (X)HTML and CSS for presentation markup
   2. DOM and JavaScript for dynamic content
   3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack
      for asynchronous content retrieval
   4. XML, JSON, JavaScript Objects, or just text for data
      communication
So what is different here?

Web 1.0

Diagram: a Web browser on the Internet; a firewall in front of the corporate network, which holds the Web application server and the network directory server.

User clicks link, presses button, is referred, etc

Web 1.0 (cont.)

Diagram: the browser sends an HTTP request (HTTP GET or POST) across the Internet and through the firewall to the Web application server. The request carries HTTP headers plus query params or POST contents. The Web application server performs AuthN and AuthR against the network directory server.

Web 1.0 (cont.)

Diagram: the Web application server returns an HTTP response (HTML, images, JavaScript, etc) across the Internet to the browser, and a new page is rendered.

User experiences long latency delays that affect usability

Web 2.0 – AJAX Paradigm

Diagram: … request as before. The HTTP response from the Web application server is the page load HTML (HTML, images, JavaScript engine, etc) with an embedded JavaScript engine that runs in the browser.

Separation between presentation and content retrieval

Web 2.0 – AJAX Paradigm (cont.)

Diagram: the user interacts with the AJAX engine in the browser. The engine sends HTTP requests (HTTP GET, POST, PUT, DELETE, HEAD, etc) across the Internet and through the firewall to a service on the Web application server. The HTTP response carries XML, JSON, JavaScript objects, text, etc.

Web 2.0 – Server Side Aggregations

Look familiar? It’s data integration all over again…
      New data, new transport, same old problems

Diagram: the user interacts with the web app server, which pulls external information (RSS, ATOM, XML, etc) from external feeds and services across the Internet and returns an aggregate content page to the browser.

This, of course, could also be an AJAX-based application

There are also models for client-side (browser) aggregation

What are the Threats?

   Threats Against The Client

New attack surface: the AJAX engine itself

Loads of potential parameter & injection attacks. Attempts to hijack session tokens, cookies, etc. Cross Site Scripting (XSS), Cross Site Reference Forgery (XSRF)

Lots of potentially dangerous things to query or even set. Consider DOM:
      document.URL
      document.cookie
      document.domain
      document.referrer
      etc…

Turn off JavaScript??? No.

What are the Threats (cont.)?

   Threats Against The Server

Classic attack surface, but with new challenges

Diagram: the Web application server sits behind the firewall on the corporate network, reachable on ports 80 and 443.

In: Richer parameter attacks, XML-based DOS attacks, etc

Out: Information leaking, integrity compromise, injection, etc

Big problem: XML parsers are just too helpful and naive

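The “too helpful and naive” parser problem is one a gateway can screen for before any application parser runs. The following is an added example (not Layer 7 code): an inbound XML screen that refuses DTD/entity declarations and enforces size, depth, element and attribute limits while parsing. The limits and the sample documents are constructed assumptions.

```python
import io
import re
import xml.etree.ElementTree as ET

# Limits are illustrative assumptions; a real deployment tunes them per service.
MAX_BYTES = 64 * 1024        # oversize payloads are rejected before parsing
MAX_DEPTH = 32               # deep nesting exhausts recursive parsers/processors
MAX_ELEMENTS = 2000          # element flooding burns CPU and memory
MAX_ATTRS_PER_ELEMENT = 32   # attribute flooding: a parameter attack in XML form

# Entity declarations live in the DOCTYPE: that is where entity expansion
# and external entity fetches come from.  AJAX/REST payloads have no business
# carrying a DTD, so the screen refuses the whole document instead of trusting
# the parser to be careful.  (A literal "<!DOCTYPE" inside CDATA is refused
# too; for a screen that is the safe direction.)
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised with the reason the screen refused the document."""


def screen_xml(data: bytes) -> ET.Element:
    """Parse *data* only if it stays inside the limits above; return the root."""
    if len(data) > MAX_BYTES:
        raise XmlRejected("payload of %d bytes exceeds %d" % (len(data), MAX_BYTES))
    if _DTD_RE.search(data):
        raise XmlRejected("DOCTYPE/ENTITY declarations are not accepted")
    depth = elements = 0
    root = None
    try:
        # iterparse lets us count as the parser goes and bail out early, rather
        # than building the whole tree first and inspecting it afterwards.
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    raise XmlRejected("nesting deeper than %d levels" % MAX_DEPTH)
                if elements > MAX_ELEMENTS:
                    raise XmlRejected("more than %d elements" % MAX_ELEMENTS)
                if len(elem.attrib) > MAX_ATTRS_PER_ELEMENT:
                    raise XmlRejected("element <%s> has %d attributes"
                                      % (elem.tag, len(elem.attrib)))
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XmlRejected("malformed XML: %s" % exc) from None
    return root


def verdict(data: bytes):
    """Convenience wrapper: (accepted, root tag or rejection reason)."""
    try:
        return True, screen_xml(data).tag
    except XmlRejected as exc:
        return False, str(exc)


# Constructed samples (not from the slides): one benign quote response and
# three documents a naive parser would happily swallow.
QUOTE = b"<quote symbol='L7'><price>12.50</price><currency>CAD</currency></quote>"
ENTITY_EXPANSION = (b"<!DOCTYPE lolz [<!ENTITY lol 'lol'>"
                    b"<!ENTITY lol2 '&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;'>]>"
                    b"<lolz>&lol2;</lolz>")
DEEP_NESTING = b"<a>" * 100 + b"</a>" * 100
ELEMENT_FLOOD = b"<r>" + b"<x/>" * 5000 + b"</r>"

if __name__ == "__main__":
    for name, doc in [("quote", QUOTE), ("dtd", ENTITY_EXPANSION),
                      ("deep", DEEP_NESTING), ("flood", ELEMENT_FLOOD)]:
        print(name, verdict(doc))
```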
What are the Threats (cont.)?

    Threats Against Content

Diagram: external feeds and services outside the corporate network, consumed by the aggregator inside it.

In: Session hijacking, unauthorized access, etc
Out: Integrity compromise, injection of poison content like scripts into XML, etc

Another classic attack surface, but with still more new challenges

Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply

Why Should You Care?


Big questions around corporate responsibility
       Regulatory issues around privacy (HIPAA, PIPEDA, etc)
       Regulatory issues around accountability (Sarbox, etc)
       Liability for forged transaction
       Liability for damage from compromised servers



Not to mention huge issues around brand and reputation damage accrued from a significant security event

Tactical Security Measures

Clients (browsers)
       Tough area to secure
       Must ensure you are serving solid code
             Rigorous code review
             AJAX has submarine complexity
       Ensure that data streams you serve are validated
             Redaction, strict validation to tightened schemas

Diagram: servers offer clean and secure code; servers offer validated and cleansed data to the Web browser.

The problem with JavaScript is that it makes it easy to write code, but hard to write secure code

Tactical Security Measures (cont.)

Core Servers (Web application servers)
      More control, and more mature best practices
      Add rigorous AuthN, AuthR, Audit
      Look at cryptographic model
      Inward: DOS protect
                Threat protect
                Parameter validate
      Outward: Schema validation and redaction



Diagram: validate params on the way in; validate and cleanse data on the way out; secure channel to the browser.

What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs

Tactical Security Measures (cont.)

Aggregation Servers (Application servers)
     Emerging area, with few best practices
     Encourage authenticated access model
            You may be forced into this anyway…
     Look at cryptographic model
     Incoming data: Validate feed content
                     Strip potential exploits like embedded
                          <SCRIPT> tags
Diagram: authenticate access to the external feed; validate and threat protect the data feed; secure channel.

The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.

Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates

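Both the content threat slide (scripts injected into XML) and the aggregation-server measures above (validate the feed against a schema, strip embedded scripts) come down to one screening step on the incoming feed. The following is an added example, not Layer 7 code: it checks an Atom feed against the minimal structure the aggregator relies on, flags unexpected fields as a possible API change, and strips active content from XHTML entries. The feed, the required/known element sets and the tag list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
XHTML = "{http://www.w3.org/1999/xhtml}"

# The aggregator's expectation of an entry, stated as a minimal schema:
# children it requires, and the full set it knows how to render.  Anything
# outside KNOWN means the upstream API changed and needs a look before the
# content goes anywhere near a browser.
REQUIRED = {"id", "title", "updated"}
KNOWN = REQUIRED | {"link", "summary", "content", "author", "category"}

# XHTML elements that can run script or load active objects in the browser.
ACTIVE_TAGS = {XHTML + t for t in ("script", "object", "embed", "iframe")}


def local_name(tag):
    """'{ns}title' -> 'title'."""
    return tag.rsplit("}", 1)[-1]


def validate_feed(root):
    """Return a list of problems; an empty list means the feed is as expected."""
    problems = []
    if root.tag != ATOM + "feed":
        return ["root element is <%s>, expected an Atom feed" % root.tag]
    for n, entry in enumerate(root.findall(ATOM + "entry")):
        names = {local_name(child.tag) for child in entry}
        for missing in sorted(REQUIRED - names):
            problems.append("entry %d is missing <%s>" % (n, missing))
        for unknown in sorted(names - KNOWN):
            problems.append("entry %d carries unexpected <%s> (API change?)"
                            % (n, unknown))
    return problems


def strip_active_content(root):
    """Drop script-bearing elements, on* handler attributes and javascript:
    URLs from XHTML content in place.  Returns how many items were removed."""
    removed = 0
    # Snapshot first: the tree is modified while we walk it.
    for elem in list(root.iter()):
        for child in list(elem):
            if child.tag in ACTIVE_TAGS:
                elem.remove(child)
                removed += 1
        for name, value in list(elem.attrib.items()):
            if (local_name(name).lower().startswith("on")
                    or value.strip().lower().startswith("javascript:")):
                del elem.attrib[name]
                removed += 1
    return removed


def screen_feed(data):
    """Parse, validate and cleanse one feed.  Returns (problems, removed, clean_xml)."""
    root = ET.fromstring(data)
    problems = validate_feed(root)
    removed = strip_active_content(root)
    return problems, removed, ET.tostring(root, encoding="unicode")


# Constructed feed (not from the slides): entry 0 carries poisoned XHTML,
# entry 1 carries a field the aggregator has never seen.
FEED = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Market news</title>
  <entry>
    <id>urn:example:1</id>
    <title>Quarterly results</title>
    <updated>2007-01-15T10:00:00Z</updated>
    <content type="xhtml">
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p onmouseover="alert('xss')">Revenue up 12%</p>
        <script>alert('xss')</script>
        <a href="javascript:alert('xss')">details</a>
        <a href="http://example.com/results">report</a>
      </div>
    </content>
  </entry>
  <entry>
    <id>urn:example:2</id>
    <title>New API field</title>
    <updated>2007-01-16T10:00:00Z</updated>
    <sentiment>0.9</sentiment>
  </entry>
</feed>"""

if __name__ == "__main__":
    problems, removed, clean = screen_feed(FEED)
    print(problems, removed)
    print(clean)
```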
Thanks For Nothing Scott: “So How Do I Really Do This?”


You could just build it into your systems…

       But that is brittle and error-prone

What you really need is specialized infrastructure built for this
purpose
      Needs to be:
              High performance
              Scalable
              Simple to configure

              And most important: offer tunable security policy


Why Tunable Policy?

  Not all services are equal:

      getStockQuote(): anonymous access, unsecure channel

      buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message

Policy (the security processing model) must be customized to the business requirements

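The two operations on this slide make a small but complete policy example. The following is added code, not Layer 7’s policy language: each operation gets its own rule for HTTP method, authentication, authorization and channel, and the gateway evaluates an incoming call against it, denying by default when no rule exists. The operation names come from the slide; the policy fields, role names and request shape are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """What one operation demands of its callers.  Assumed model, not Layer 7's."""
    methods: FrozenSet[str]                   # HTTP methods the operation accepts
    require_auth: bool                        # AuthN: a principal must be established
    roles: FrozenSet[str] = frozenset()       # AuthR: caller needs one of these
    require_secure: bool = False              # integrity+privacy: TLS channel or secured message


@dataclass(frozen=True)
class Request:
    """The facts the gateway knows about one incoming call."""
    operation: str
    method: str
    tls: bool = False                         # arrived over SSL/TLS
    message_secured: bool = False             # body signed and encrypted (WS-Security style)
    principal: Optional[str] = None           # None while anonymous
    roles: FrozenSet[str] = frozenset()


# The two services from the slide, with the policy each one needs.
POLICIES = {
    "getStockQuote": Policy(methods=frozenset({"GET"}), require_auth=False),
    "buyStock": Policy(methods=frozenset({"POST"}), require_auth=True,
                       roles=frozenset({"trader"}), require_secure=True),
}


def evaluate(req: Request, policies=POLICIES) -> Tuple[bool, str]:
    """Apply the operation's policy; the first failing check names the reason."""
    policy = policies.get(req.operation)
    if policy is None:
        return False, "no policy for %s: default deny" % req.operation
    if req.method not in policy.methods:
        return False, "%s not permitted on %s" % (req.method, req.operation)
    # Channel before credentials: never accept a login over a channel the
    # policy says is not good enough to carry it.
    if policy.require_secure and not (req.tls or req.message_secured):
        return False, "secured channel or message required for %s" % req.operation
    if policy.require_auth and req.principal is None:
        return False, "authentication required for %s" % req.operation
    if policy.roles and not (policy.roles & req.roles):
        return False, "principal %s lacks a required role" % req.principal
    return True, "allowed"


if __name__ == "__main__":
    trader = frozenset({"trader"})
    for r in (Request("getStockQuote", "GET"),
              Request("buyStock", "POST", principal="alice", roles=trader),
              Request("buyStock", "POST", tls=True, principal="alice", roles=trader),
              Request("buyStock", "GET", tls=True, principal="alice", roles=trader),
              Request("buyStock", "POST", tls=True, principal="bob"),
              Request("cancelOrder", "POST", tls=True, principal="alice", roles=trader)):
        print(r.operation, r.method, evaluate(r))
```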
Securing Web 2.0: SecureSpan Data Screen™

    Hardware appliance for Web, REST, & AJAX security processing.
    ASICs for XML schema validation, XPath, XSLT, cryptographic operations
    Fully clustered
    Policy-based processing model
    Browser-based management and operations console
    Integration with all major directory, IAM, access control servers
    Integration with Symantec antivirus scan engine

Diagram: Web browser-based management and operations console in front of a SecureSpan Data Screen™ cluster.

Securing Web 2.0: SecureSpan Data Screen™

Gateway Deployment For Incoming Calls

   Wire speed schema validation of XML entering network
   Rigorous HTTP parameter validation
   Tight control over HTTP methods (GET, POST, DELETE, PUT, etc). Control over REST.
   Hardware transformation of XML content in and out of network
   Throttle access to back end services
   Traffic shaping across server farms
   XML threat detection
   Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
   Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc), shell injection attacks, etc to combat XSS

Diagram: the gateway sits between the Internet and the corporate network, in front of the Web application server and the network directory server, screening calls from the Web browser.

Securing Web 2.0: SecureSpan Data Screen™
Proxy Deployment For Outgoing Calls

[Diagram: Web Browser, Web Application Server and Directory Server on the Corporate Network; RSS, ATOM, XML, etc fetched from External Services pass through the proxy]

    Wire speed validation of XML entering network
    Stripping of potentially harmful data in feeds (<SCRIPT>, etc)
    Management of outgoing cryptography and credentials
    Wire speed transformation of XML data to insulate internal servers from external API changes
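Slide 23 (controlled stripping of <SCRIPT> and eval() on incoming calls) and slide 24 (wire speed validation of XML entering the network, stripping of harmful data in feeds) describe one screening step applied at the network edge. The Python below is an added illustration of that step and is not Layer 7 or SecureSpan code: it refuses DTD/entity declarations and oversized input before parsing a feed, then strips script elements, event-handler attributes and script-scheme URLs from each entry body. The size ceiling, the safe-scheme list, the sample feed and every function name are assumptions of this example.

```python
"""Constructed example of edge screening for RSS/Atom feed content.
Not Layer 7 or SecureSpan code; all names and the sample feed are assumptions."""
import re
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ATOM_NS = "{http://www.w3.org/2005/Atom}"
MAX_FEED_BYTES = 1_000_000                                        # assumed ceiling
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "style"}  # whole subtree removed
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}                    # "" = relative URL
# Entry bodies to screen: RSS item descriptions, Atom entry content and summary.
CONTENT_PATHS = (
    "channel/item/description",
    f"{ATOM_NS}entry/{ATOM_NS}content",
    f"{ATOM_NS}entry/{ATOM_NS}summary",
)


def _unsafe_url(value):
    """True when the URL scheme is outside SAFE_SCHEMES (e.g. javascript:).
    Control characters and spaces are removed first; browsers ignore them
    inside a scheme, so a naive prefix check would be bypassable."""
    compact = re.sub(r"[\x00-\x20]", "", value)
    try:
        return urlsplit(compact).scheme.lower() not in SAFE_SCHEMES
    except ValueError:
        return True


class _Sanitizer(HTMLParser):
    """Re-emits an HTML fragment minus script-bearing elements, event-handler
    attributes and script-scheme URLs, counting everything it drops."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside a dropped element
        self.dropped = 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_ELEMENTS:
                self.skip_depth += 1
            return
        if tag in DROP_ELEMENTS:
            self.skip_depth = 1
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:   # HTMLParser already lower-cases names
            if name.startswith("on") or (name in URL_ATTRS and value and _unsafe_url(value)):
                self.dropped += 1   # onload=, onclick=, href="javascript:..."
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag, *kept]) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_ELEMENTS:
                self.skip_depth -= 1
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:     # re-escape so decoded text stays inert
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                        # comments (including conditional ones) are dropped


def sanitize_html(fragment):
    """Return (sanitized fragment, number of elements/attributes dropped)."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def validate_feed(xml_bytes):
    """Bound the input and reject DTDs before the XML parser ever sees them;
    the stdlib parser expands internal entities, so this check is what keeps
    entity-expansion payloads out. Returns the parsed root element."""
    if len(xml_bytes) > MAX_FEED_BYTES:
        raise ValueError("feed exceeds size ceiling")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag not in ("rss", f"{ATOM_NS}feed"):
        raise ValueError(f"unexpected root element {root.tag}")
    return root


def is_acceptable(xml_bytes):
    """Convenience wrapper: does validate_feed accept this document?"""
    try:
        validate_feed(xml_bytes)
        return True
    except ValueError:
        return False


def sanitize_feed(xml_bytes):
    """Validate the feed, screen every entry body, and return
    (re-serialized feed, total items dropped)."""
    root = validate_feed(xml_bytes)
    total = 0
    for path in CONTENT_PATHS:
        for element in root.findall(path):
            if element.text:
                element.text, dropped = sanitize_html(element.text)
                total += dropped
    return ET.tostring(root, encoding="unicode"), total


# Constructed sample: one item whose description carries active content.
SAMPLE_RSS = (
    b'<?xml version="1.0"?><rss version="2.0"><channel><title>Constructed feed</title>'
    b'<item><title>Entry</title><description><![CDATA[<p>Hello</p>'
    b'<script>alert(1)</script><a href="javascript:void(0)" onclick="x()">link</a>'
    b'<img src="http://example.com/a.png">]]></description></item></channel></rss>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_feed(SAMPLE_RSS)
    print(f"dropped {dropped} active-content items")
    print(cleaned)
```

The two checks are deliberately ordered: the DTD and size rejection runs on raw bytes before any parser is involved, because an entity-expansion or external-entity payload does its damage during parsing, and only then is the per-entry HTML screened. A gateway would add schema validation and a bounded, non-expanding parser on top of this; the example keeps to the standard library so it runs as-is.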
Summary

Web 2.0 and the technologies associated with it are too good to ignore

    However, they introduce huge new security complexities

The only way to deal with these effectively is with diligence, rigor, and
specialized infrastructure to manage an evolving threat model

Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0,
REST, AJAX, SOA, RSS and ATOM today.
For further information:


  K. Scott Morrison
  Layer 7 Technologies
  1501 – 700 West Georgia St.
  Vancouver, B.C. V7Y 1B6
  Canada
  (800) 681-9377


  smorrison@layer7tech.com
  http://www.layer7tech.com

Layer 7: Securing Web 2.0 - What You Need to Know

  • 1. Securing Web 2.0
      What You Need to Know
      K. Scott Morrison, VP Engineering and Chief Architect
      January 2007
  • 2. Bio – K. Scott Morrison
      VP Engineering & Chief Architect at Layer 7 Technologies
        • http://www.layer7tech.com
        • Layer 7 is based in Vancouver BC, Canada
      Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS
        • Over 50 other publications in academic journals and trade magazines
      Co-Editor WS-I Basic Security Profile
      Co-Author WS-Federation
      Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues
      January 2007 SecureSpan™ Gateway Overview Proprietary and Confidential 2
  • 3. Agenda
      Web 2.0
      AJAX
      What’s new about this?
        The collision between AJAX & SOA
      What are the new threat vectors
      Mitigation strategies
      Infrastructure solutions
  • 4. Web 2.0
      Web 2.0 isn’t a technology; it’s actually an approach to building for the Web
      Web 2.0 is:
        Aggregation of content
        Collaboration
        Synergizing the efforts of individuals
        Rich interaction models
      Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us, …etc
      Remember: “You” is not a technology
      Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html
  • 5. AJAX
      AJAX is an approach underpinning Web 2.0
      Provides rich browser interaction models
        This contributes to the goal of fostering individual contributions
        Can also be used to aggregate content
      AJAX is really a slick new name for existing technology:
        1. (X)HTML and CSS for presentation markup
        2. DOM and JavaScript for dynamic content
        3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack for asynchronous content retrieval
        4. XML, JSON, JavaScript Objects, or just text for data communication
      So what is different here?
  • 6. Web 1.0
      [Diagram: Web Browser on the Internet; behind the Firewall, the Corporate Network with the Web Application Server and Network Directory Server]
      User clicks link, presses button, is referred, etc
  • 7. Web 1.0 (cont.)
      [Diagram: same topology; the Web Application Server performs AuthN, AuthR against the Network Directory Server]
      HTTP Request from the browser: HTTP GET or POST, carrying HTTP headers plus query params or POST contents
  • 8. Web 1.0 (cont.)
      [Diagram: HTTP Response (HTML, images, JavaScript, etc) returns from the Web Application Server to the Web Browser]
      New page rendered
      User experiences long latency delays that affect usability
  • 9. Web 2.0 – AJAX Paradigm
      [Diagram: same topology; the HTTP Response carries HTML, images, JavaScript engine, etc]
      … Request as before
      Page load: HTML with embedded JavaScript Engine
      Separation between presentation and content retrieval
  • 10. Web 2.0 – AJAX Paradigm (cont.)
      [Diagram: the AJAX engine in the Web Browser calls a Service on the Web Application Server]
      User interacts with AJAX engine
      HTTP Request: HTTP GET, POST, PUT, DELETE, HEAD, etc
      HTTP Response: XML, JSON, JavaScript Objects, text, etc
  • 11. Web 2.0 – Server Side Aggregations
      Look familiar? It’s data integration all over again…
      New data, new transport, same old problems
      [Diagram: the Web Application Server pulls external RSS, ATOM, XML, etc information from External Feeds and Services]
      User interacts with web app server
      Aggregate content page
      This, of course, could also be an AJAX-based application
      There are also models for client-side (browser) aggregation
  • 12. What are the Threats?
      Threats Against The Client
      New attack surface: the AJAX engine itself
      Loads of potential parameter & injection attacks
      Attempts to hijack session tokens, cookies, etc
      Cross Site Scripting (XSS), Cross Site Reference Forgery (XSRF)
      Lots of potentially dangerous things to query or even set. Consider DOM:
        document.URL
        document.cookie
        document.domain
        document.referrer
        etc…
      Turn off JavaScript??? No.
  • 13. What are the Threats (cont.)?
      Threats Against The Server
      Classic attack surface, but with new challenges
      [Diagram: the Firewall admits ports 80, 443 through to the Web Application Server]
      In: Richer parameter attacks, XML-based DOS attacks, etc
      Out: Information leaking, integrity compromise, injection, etc
      Big problem: XML parsers are just too helpful and naive
  • 14. What are the Threats (cont.)?
      Threats Against Content
      Another classic attack surface, but with still more new challenges
      In: Session hijacking, unauthorized access, etc
      Out: Integrity compromise, injection of poison content like scripts into XML, etc
      Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply
  • 15. Why Should You Care?
      Big questions around corporate responsibility
      Regulatory issues around privacy (HIPAA, PIPEDA, etc)
      Regulatory issues around accountability (Sarbox, etc)
      Liability for forged transactions
      Liability for damage from compromised servers
      Not to mention huge issues around brand and reputation damage accrued from a significant security event
  • 16. Tactical Security Measures
      Clients (browsers)
      Tough area to secure
      Must ensure you are serving solid code
        Rigorous code review
        AJAX has submarine complexity
      Ensure that data streams you serve are validated
        Redaction, strict validation to tightened schemas
      [Diagram: servers offer clean and secure code; servers offer validated and cleansed data]
      The problem with JavaScript is that it makes it easy to write code, but hard to write secure code
  • 17. Tactical Security Measures (cont.)
      Core Servers (Web application servers)
      More control, and more mature best practices
      Add rigorous AuthN, AuthR, Audit
      Look at cryptographic model
      Inward: DOS protect, threat protect, parameter validate
      Outward: Schema validation and redaction
      [Diagram: validate params; validate and cleanse data; secure channel]
      What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs
  • 18. Tactical Security Measures (cont.)
      Aggregation Servers (Application servers)
      Emerging area, with few best practices
      Encourage authenticated access model
        You may be forced into this anyway…
      Look at cryptographic model
      Incoming data: Validate feed content
        Strip potential exploits like embedded <SCRIPT> tags
      [Diagram: authenticate access; validate and threat protect data feed; secure channel]
      The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.
      Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates
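The inbound checks slides 17 and 18 describe, as an added Python example rather than code from the deck or from Layer 7's product: the screen refuses DTD-bearing XML before a "too helpful" parser can expand entities, checks each Atom entry against a required-element list that stands in for schema validation so an upstream API change fails loudly, and strips <script> elements (and, going slightly beyond the slide's <SCRIPT> example, on* event handlers) from entry content. The feed text is constructed sample input.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM = "{http://www.w3.org/2005/Atom}"
REQUIRED = ("title", "id", "updated")  # required entry children: a stand-in for schema validation

class ScriptStripper(HTMLParser):  # rebuilds an HTML fragment minus <script> elements and on* attributes
    def __init__(self):
        super().__init__()
        self.out, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":  # drop the element and everything up to </script>
            self.in_script = True
            return
        safe = [(k, v) for k, v in attrs if not k.startswith("on")]
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, html.escape(v or "")) for k, v in safe)))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):  # the parser decoded entities, so re-escape text before emitting it
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

def strip_scripts(fragment):
    p = ScriptStripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def screen_feed(raw):  # returns (entries, None) when the feed passes, or ([], reason) when it is refused
    if re.search(r"<!(DOCTYPE|ENTITY)", raw, re.I):  # refuse DTDs: entity-expansion DoS, external entities
        return [], "DTD declarations are not accepted in feeds"
    root = ET.fromstring(raw)
    entries = []
    for entry in root.findall(ATOM + "entry"):
        missing = [n for n in REQUIRED if entry.find(ATOM + n) is None]
        if missing:  # upstream changed its format: fail loudly instead of passing junk inward
            return [], "entry lacks %s: upstream API changed?" % ", ".join(missing)
        content = entry.find(ATOM + "content")
        body = "" if content is None else (content.text or "")
        entries.append({"id": entry.find(ATOM + "id").text, "content": strip_scripts(body)})
    return entries, None

# Constructed sample feed: one entry whose HTML content carries an inline script and an on* handler.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Partner news (constructed)</title><entry>
<title>Update</title><id>urn:example:entry:1</id><updated>2007-01-15T09:00:00Z</updated>
<content type="html">&lt;p onclick="track()"&gt;Hello&lt;script&gt;track()&lt;/script&gt; world&lt;/p&gt;</content></entry></feed>"""
```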
  • 19. Thanks For Nothing Scott: “So How Do I Really Do This?”
      You could just build it into your systems…
        But that is brittle and error-prone
      What you really need is specialized infrastructure built for this purpose
      Needs to be:
        High performance
        Scalable
        Simple to configure
        And most important: offer tunable security policy
  • 20. Why Tunable Policy?
      Not all services are equal:
        getStockQuote(): anonymous access, unsecure channel
        buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message
      Policy (the security processing model) must be customized to the business requirements
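A policy table and evaluator for the two services on slide 20, as an added Python example (not Layer 7's policy language or product code): each service carries its own channel, authentication and authorization requirements, every decision is audited, and a service with no policy is denied. The service names come from the slide; the role name and the request fields are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    """Per-service security processing model (the deck's 'tunable policy')."""
    require_auth: bool             # caller must present valid credentials (AuthN)
    required_role: Optional[str]   # role the caller must hold (AuthR); None means no check
    require_tls: bool              # channel must provide integrity and privacy

@dataclass(frozen=True)
class Request:
    """What the gateway knows about one incoming call (constructed fields)."""
    service: str
    principal: Optional[str]       # None for an anonymous caller
    roles: FrozenSet[str]          # roles resolved from the directory server
    tls: bool                      # whether the call arrived over SSL/TLS

# Constructed policy table mirroring the two services on the slide; "trader" is an assumed role name.
POLICIES = {
    "getStockQuote": Policy(require_auth=False, required_role=None, require_tls=False),
    "buyStock": Policy(require_auth=True, required_role="trader", require_tls=True),
}

AUDIT = []  # every decision is recorded, allowed or not (the deck's "Audit")

def _evaluate(req: Request) -> Tuple[bool, str]:
    policy = POLICIES.get(req.service)
    if policy is None:                      # deny by default: no policy, no service
        return False, "no policy for service " + req.service
    if policy.require_tls and not req.tls:  # check the channel first so credentials are never accepted over an insecure one
        return False, "secure channel required"
    if policy.require_auth and req.principal is None:
        return False, "authentication required"
    if policy.required_role and policy.required_role not in req.roles:
        return False, "role %s required" % policy.required_role
    return True, "allowed"

def decide(req: Request) -> Tuple[bool, str]:
    """Apply the service's policy to a request and record the outcome."""
    allowed, reason = _evaluate(req)
    AUDIT.append({"service": req.service, "principal": req.principal,
                  "allowed": allowed, "reason": reason})
    return allowed, reason
```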
  • 21. Securing Web 2.0: SecureSpan Data Screen™
  • 22. Securing Web 2.0: SecureSpan Data Screen™
      Hardware appliance for Web, REST, & AJAX security processing
      ASICs for XML schema validation, XPath, XSLT, cryptographic operations
      Fully clustered
      Policy-based processing model
      Browser-based management and operations console
      Integration with all major directory, IAM, access control servers
      Integration with Symantec antivirus scan engine
      [Diagram: Web Browser-based management and operations console administering a SecureSpan Data Screen™ cluster]
  • 23. Securing Web 2.0: SecureSpan Data Screen™
      Gateway Deployment For Incoming Calls
      [Diagram: the gateway sits between the Internet (Web Browser) and the Corporate Network (Web Application Server, Network Directory Server)]
      Wire speed schema validation of XML entering network
      Rigorous HTTP parameter validation
      Tight control over HTTP methods (GET, POST, DELETE, PUT, etc). Control over REST.
      Hardware transformation of XML content in and out of network
      Throttle access to back end services
      Traffic shaping across server farms
      XML threat detection
      Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
      Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc), shell injection attacks, etc to combat XSS
  • 24. Securing Web 2.0: SecureSpan Data Screen™
      Proxy Deployment For Outgoing Calls
      [Diagram: the proxy sits between the Corporate Network (Web Application Server, Network Directory Server, Web Browser) and External Services delivering RSS, ATOM, XML, etc]
      Wire speed validation of XML entering network
      Stripping of potentially harmful data in feeds (<SCRIPT>, etc)
      Management of outgoing cryptography and credentials
      Wire speed transformation of XML data to insulate internal servers from external API changes
  • 25. Summary
      Web 2.0 and the technologies associated with it are too good to ignore
      However, they introduce huge new security complexities
      The only way to deal with these effectively is with diligence, rigor, and specialized infrastructure to manage an evolving threat model
      Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.
  • 26. For further information:
      K. Scott Morrison
      Layer 7 Technologies
      1501 – 700 West Georgia St.
      Vancouver, B.C. V7Y 1B6 Canada
      (800) 681-9377
      smorrison@layer7tech.com
      http://www.layer7tech.com
      January 2007