Wednesday, 1 October 2008

Security in the Age of Web 2.0

You will be exposed to Web 2.0 insecurities, no matter what.

Web 2.0: User-Centric (user as developer); distributed; open (and open source); lightweight (user friendly)

  • What makes Web 2.0 applications insecure?
  • What technologies and practices will secure Web 2.0?

Ajax, LAMP, SOAP: lightweight. There is no webmaster selecting content, no project manager, no network administrator, no DBA, no business analyst defining the taxonomy. The results are risky for us, and for banks, businesses…

Availability of resources—the same resources we use to analyse our applications (SAST and DAST) can be used by attackers as well (which makes it all the more important that we use them ourselves).

Openness and collaboration as a threat—deep linking, mashups, RSS, iFrames—these things are a threat to advertising revenues (since it is the main web pages that carry the advertising).

SOA as a threat—reusable services mean reusable security vulnerabilities. WSDL and UDDI disclose information to hackers. Legacy systems wrapped in SOA are exposed to new (web) types of attack.

SWOT for Web 2.0 Application Security

Strengths

  • Good-enough technology
  • Increasing awareness
  • Pressure from Government and regulators

Weaknesses

  • Users less mature than tools
  • No developer responsibility
  • Misconceptions about:
    • Inward facing apps
    • Role of QA separate from security assurance
    • Network security being treated as a replacement for defence in depth

Threats

  • Dual purpose technologies
  • Changing nature of attacks (from massive to targeted)
  • The hacker industry
  • Extreme openness, collaboration

Opportunities

  • Security solutions span over application lifecycle
  • Security built into applications
  • Evolution towards Security 3.0 (application security, separate from network security)


Recommends tactical acquisition of DAST and SAST—these technologies are not likely to disappear. Check out the slide deck for the hype curve and the list of DAST and SAST vendors. Need to look into monitors and scanners for DBMS, network and application.

Do Software Composition Analysis—validate the IP (intellectual property and licensing) of components; validate the security and functionality of patches; validate releases. Black Duck and Palamida are the vendors.

Mashups: Validate all input; examine license compliance; filter content presented to customers; formalize SLAs with third parties; expect abuse in unpredictable ways; prepare for HTML/XML screen scraping and iFrames.
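As an added illustration of the "validate all input, filter content presented to customers" advice (this is not code from the original post or from any vendor named in it): a minimal allow-list filter for HTML arriving via a partner feed or mashup, run over a constructed hostile feed item. The tag allow-list and the partner URL are assumptions.

```python
"""Allow-list filter for untrusted mashup/feed HTML (added example, constructed sample)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}  # assumed policy
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}           # relative and javascript: links are both dropped
DROP_WITH_BODY = {"script", "style", "iframe", "object"}

class MashupFilter(HTMLParser):
    """Rebuilds the markup from scratch; anything not explicitly allowed disappears."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0                # >0 while inside script/style/iframe/object

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in DROP_WITH_BODY:
                self.skip_depth += 1       # drop the element's content as well
            return
        kept = []
        for name, value in attrs:          # event handlers etc. are never on the allow-list
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue                   # urlparse lower-cases the scheme for us
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output

def sanitize_feed_item(html: str) -> str:
    f = MashupFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample of a hostile partner feed item (not a real feed).
SAMPLE = ('<p onclick="x()">Deal of the day <a href="javascript:alert(1)">here</a> '
          '<a href="https://partner.example/offer">offer</a></p>'
          '<iframe src="https://evil.example"></iframe><script>steal()</script>')

if __name__ == "__main__":
    print(sanitize_feed_item(SAMPLE))
```

The surviving markup keeps the partner link but loses the inline handler, the javascript: URL, the iframe and the script body; a real deployment would also enforce a size cap and log what was stripped.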
