No Website Left Behind: Are We Making Web Security Only for the Elite?
Web security explanations and solutions have been designed for programmers, but many of the people who create pages do not have a programming background. This presentation explains why this is a problem, and suggests some ways we can improve the state of web security.

This was presented at W2SP 2010 on May 20th. It may not be very useful until I have time to create an audio track, so in the meantime please check out the annotated slides on webinsecurity.net for more explanation.

Published in: Technology

  1. No Website Left Behind: Are We Making Web Security Only for the Elite? Terri Oda and Anil Somayaji, Carleton University, Ottawa, Canada
  2. Page Creators are not all Programmers
  3. Designer, Art Director, Web developer, Graphic Artist, Logo creator, Web Designer, Creative Director
  4. Mother, Citizen, Minister, Gaming guild leader, Entrepreneur, Real estate agent, Journalist, Soccer Coach, Teacher, Writer, Pet Owner, Worker, Student, Repair Tech
  5. Web Security is for Programmers
  6. =
  7. Problem: Gremlins in the Engine
  8. Safer Coding Practices
  9. Tainting
  10. Tainting
  11. Known Exploit Detection (Look! Look! Look! Look!)
  12. Known Exploit Detection (Look! Look! Look! Look!)
  13. Mashup Protections
  14. The language of security
      ● SANS: CWE/SANS TOP 25 Most Dangerous Programming Errors
      ● WASC: "Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client."
      ● OWASP: "The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software."
      ● Mozilla CSP specification: define R1 ≡ all URIs accepted by the first HTTP header CSP; define R2 ≡ all URIs accepted by the second HTTP header CSP; Re = {r | r ∈ R1 AND r ∈ R2} (Re is the set of all URIs accepted by the intersected CSP)
  15. Non-Programmers still need Security
  16. Headlines and statistics
      ● 64% of websites currently have a serious vulnerability
      ● Web hit by high tech crime wave
      ● When Web 2.0 Becomes Security Risk 2.0
      ● 75% of web sites with malicious code are compromised legitimate sites
      ● More than 100 attacks a second
      ● Malware delivered by Yahoo, Fox, Google ads
      ● 83% of sites have had a serious vulnerability
      ● Popular Facebook Game Caught Serving Malvertisements
      ● 78% of reported vulnerabilities were web related in Q1-2 2009
  17. Design affects Security
  18. So... Now What?
  19. security costs > risk?
  20. More secure infrastructure and tools
  21. Education
  22. Minimal Interventions
  23. Separation between security and design
  24. Offload to someone else
      ● Others in the organization
        ● e.g. Systems administrator
      ● Users
      ● Outside experts
  25. Questions? terri@ccsl.carleton.ca
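As an added example (not code from the slides, and not Mozilla's CSP implementation), the set definition quoted on slide 14 worked through in JavaScript: two constructed CSP source lists, a constructed list of script URIs a page tries to load, and the URIs each header accepts on its own (R1, R2) against the URIs the intersected policy accepts (Re). The source-expression matching below ('self', 'none', '*', a host with an optional scheme, and a "*." subdomain wildcard) is a simplified assumption, not the full CSP grammar; all header values, origins and URIs are constructed for the example.

```javascript
// Added example, not code from the slides: a toy model of the Mozilla CSP rule
// quoted on slide 14. When a response carries two CSP headers, a URI is
// accepted only if BOTH policies accept it:
//   Re = { r | r ∈ R1 AND r ∈ R2 }
// Assumption: the source-expression grammar handled here ('self', 'none', '*',
// host with optional scheme, "*." subdomain wildcard) is a simplified subset
// of CSP; every header, origin and URI below is constructed sample data.

// Split a source list such as "'self' https://cdn.example.com *.example.org".
function parseSourceList(header) {
  return header.trim().split(/\s+/).filter(Boolean);
}

// Does one source expression accept `uri`? `selfOrigin` is the origin of the
// protected document, e.g. "https://www.example.com".
function sourceAccepts(expr, uri, selfOrigin) {
  const u = new URL(uri);
  if (expr === '*') return true;
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === selfOrigin;

  // Optional scheme prefix: "https://host" versus a bare "host".
  let scheme = null;
  let host = expr;
  const sep = expr.indexOf('://');
  if (sep !== -1) {
    scheme = expr.slice(0, sep) + ':';
    host = expr.slice(sep + 3);
  }
  // Assumption: a scheme-less expression matches only the protected
  // document's own scheme.
  const wantScheme = scheme !== null ? scheme : new URL(selfOrigin).protocol;
  if (u.protocol !== wantScheme) return false;

  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.example.org" -> ".example.org"
    // The wildcard needs at least one label in front of the suffix.
    return u.host.length > suffix.length && u.host.endsWith(suffix);
  }
  return u.host === host;
}

// R1 (or R2): the candidate URIs that a single policy accepts.
function acceptedBy(header, candidates, selfOrigin) {
  const policy = parseSourceList(header);
  return candidates.filter(uri =>
    policy.some(expr => sourceAccepts(expr, uri, selfOrigin)));
}

// Re: the URIs accepted by the intersection of two policies, computed directly
// from the definition, so Re can never be looser than either header alone.
function acceptedByIntersection(header1, header2, candidates, selfOrigin) {
  const r1 = new Set(acceptedBy(header1, candidates, selfOrigin));
  const r2 = new Set(acceptedBy(header2, candidates, selfOrigin));
  return candidates.filter(uri => r1.has(uri) && r2.has(uri));
}

// Constructed sample: two CSP headers and the script URIs a page tries to load.
const SELF_ORIGIN = 'https://www.example.com';
const HEADER_1 = "'self' https://cdn.example.com *.example.org";
const HEADER_2 = "'self' *.example.org https://analytics.example.net";
const CANDIDATES = [
  'https://www.example.com/app.js',         // 'self' in both headers
  'https://cdn.example.com/lib.js',         // only header 1 lists it
  'https://static.example.org/widget.js',   // wildcard in both headers
  'https://analytics.example.net/track.js', // only header 2 lists it
  'http://static.example.org/widget.js',    // wrong scheme for a bare host
  'https://example.org/root.js',            // "*." requires a subdomain
];

// Returns R1, R2 and Re for the constructed sample.
function demo() {
  return {
    r1: acceptedBy(HEADER_1, CANDIDATES, SELF_ORIGIN),
    r2: acceptedBy(HEADER_2, CANDIDATES, SELF_ORIGIN),
    re: acceptedByIntersection(HEADER_1, HEADER_2, CANDIDATES, SELF_ORIGIN),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to see the three sets. The practical point of the definition is visible in the result: the intersection is decided per URI, so adding a second header can only remove sources, and a host that appears in only one of the two lists (the CDN in header 1, the analytics host in header 2) is blocked even though each header on its own would allow it.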