No Website Left Behind: Are We Making Web Security Only for the Elite?

Post on 15-Jan-2015


Web security explanations and solutions have been designed for programmers, but many of the people who create pages do not have a programming background. This presentation explains why this is a problem, and suggests some ways we can improve the state of web security. This was presented at W2SP 2010 on May 20th. It may not be very useful until I have time to create an audio track, so in the meantime please check out the annotated slides on webinsecurity.net for more explanation.

Transcript of No Website Left Behind: Are We Making Web Security Only for the Elite?

No Web Site Left Behind: Are We Making Web Security Only for the Elite?

Terri Oda and Anil Somayaji, Carleton University, Ottawa, Canada

Page Creators are not all Programmers

Web developer

Designer

Creative Director

Graphic Artist

Art Director

Logo creator

Web Designer

Mother

Soccer Coach

Gaming guild leader

Pet Owner

Journalist

Student

Writer

Repair Tech

Entrepreneur

Teacher

Minister

Citizen

Worker

Real estate agent

Web Security is for Programmers

Problem: Gremlins in the Engine

Safer Coding Practices

Tainting

Known Exploit Detection

Look!

Mashup Protections

The language of security

define R1 ≡ all URIs accepted by the first HTTP header CSP
define R2 ≡ all URIs accepted by the second HTTP header CSP
Re = {r | r ∈ R1 AND r ∈ R2}
(Re is the set of all URIs accepted by the intersected CSP)
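The intersection rule quoted above in working form, as an added illustration that is not part of the talk or of the Mozilla CSP text it quotes. It uses a deliberately simplified model with modern directive names: each header is parsed into directive → source list, a URI is in R1 or R2 when that single header accepts it, and it is in Re exactly when every header accepts it. The page origin, the two headers, and the candidate script URIs are constructed sample data; the source matcher handles only 'none', 'self', scheme://host, and '*.'-prefixed wildcard hosts.

```python
"""Simplified model of CSP intersection: Re = R1 ∩ R2.

Added example; the policies, origin and URIs below are constructed samples,
and the matcher covers only a small subset of CSP source expressions.
"""
from urllib.parse import urlsplit

# Constructed sample data (assumed, not from the talk).
PAGE_ORIGIN = "https://shop.example.com"
HEADER_1 = ("default-src 'self'; "
            "script-src 'self' https://cdn.example.com https://*.trusted.net")
HEADER_2 = "script-src 'self' https://*.trusted.net https://analytics.example.org"
CANDIDATE_SCRIPTS = [
    "https://shop.example.com/app.js",      # same origin: both headers accept
    "https://cdn.example.com/lib.js",       # only the first header lists the CDN
    "https://a.trusted.net/widget.js",      # wildcard host: both accept
    "https://analytics.example.org/t.js",   # only the second header lists it
    "http://a.trusted.net/widget.js",       # scheme mismatch: neither accepts
]


def parse_policy(header_value):
    """Turn "dir src src; dir src" into {directive: [source, ...]}."""
    policy = {}
    for clause in header_value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def source_matches(source, uri, page_origin):
    """Does one source expression accept the URI? (simplified subset)"""
    parts = urlsplit(uri)
    scheme, host = parts.scheme, parts.hostname or ""
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{scheme}://{host}" == page_origin
    src_scheme, _, src_host = source.partition("://")
    if src_scheme != scheme:
        return False
    if src_host.startswith("*."):
        # CSP wildcards match subdomains only, not the bare domain.
        return host.endswith(src_host[1:])
    return host == src_host


def policy_accepts(policy, directive, uri, page_origin):
    """Membership of uri in R_i for a single header.

    Falls back to default-src when the directive is absent, as CSP does.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, uri, page_origin) for s in sources)


def accepted_set(policy, directive, candidates, page_origin):
    """R_i: the candidate URIs accepted by one header."""
    return {u for u in candidates
            if policy_accepts(policy, directive, u, page_origin)}


def intersected_accepted_set(policies, directive, candidates, page_origin):
    """Re: URIs accepted by every header, i.e. the intersection of all R_i."""
    return {u for u in candidates
            if all(policy_accepts(p, directive, u, page_origin) for p in policies)}


def demo():
    """Compute R1, R2 and Re for the sample headers and script URIs."""
    p1, p2 = parse_policy(HEADER_1), parse_policy(HEADER_2)
    r1 = accepted_set(p1, "script-src", CANDIDATE_SCRIPTS, PAGE_ORIGIN)
    r2 = accepted_set(p2, "script-src", CANDIDATE_SCRIPTS, PAGE_ORIGIN)
    re_ = intersected_accepted_set([p1, p2], "script-src",
                                   CANDIDATE_SCRIPTS, PAGE_ORIGIN)
    return {"R1": r1, "R2": r2, "Re": re_}


if __name__ == "__main__":
    for name, uris in demo().items():
        print(name, sorted(uris))
```

Run as a script it prints the three sets; the practical consequence is that a second header added by, say, a hosting provider can only remove sources from what the page author's own header permits, never add to them.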

CWE/SANS TOP 25 Most Dangerous Programming Errors

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client.

SANS

Mozilla CSP

OWASP

WASC

Non-Programmers still need Security

Popular Facebook Game Caught Serving Malvertisements

64% of websites currently have a serious vulnerability

When Web 2.0 Becomes Security Risk 2.0

Malware delivered by Yahoo, Fox, Google ads

More than 100 attacks a second

78% of reported vulnerabilities were web related in Q1-2 2009

83% of sites have had a serious vulnerability

Web hit by high tech crime wave

75% of web sites with malicious code are compromised legitimate sites

Design affects Security

So... Now What?

security costs > risk?

More secure infrastructure and tools

Education

Minimal Interventions

Separation between security and design

Offload to someone else

● Others in the organization, e.g. systems administrator
● Users
● Outside experts

Questions?

terri@ccsl.carleton.ca