You will be exposed to Web 2.0 insecurities, no matter what.
Web 2.0: User-Centric (user as developer); distributed; open (and open source); lightweight (user friendly)
- What makes Web 2.0 applications insecure?
- What technologies and practices will secure Web 2.0?
Ajax, LAMP, SOAP: lightweight. It is not the webmaster who selects the content; there is no project manager, no network administrator, no DBA, no business analyst defining the taxonomy. The results are risky for us, and for banks, businesses…
Availability of resources—those resources that we can use to analyse our applications (SAST and DAST) can be used by attackers as well (which means it is even more important that we use them).
Openness and collaboration as a threat—deep linking, mashups, RSS, iFrames—these things are a threat to advertising revenues (since it is the main web pages that carry the advertising).
SOA as a threat—reusable services mean reusable security vulnerabilities. WSDL and UDDI disclose information to hackers. Legacy systems exposed through SOA face new (web) types of attacks.
SWOT for Web 2.0 Application Security
Strengths | Weaknesses
Threats | Opportunities
Recommends tactical acquisition of DAST and SAST—these technologies are not likely to disappear. Check out the slide deck for the hype curve and list of vendors for DAST and SAST. Need to look into monitors and scanners for DBMS, network and application.
Do Software Composition Analysis—validate the IP of components; validate the security/functionality of patches; validate releases. Black Duck and Palamida are the vendors.
Mashups: Validate all input; examine license compliance; filter content presented to customers; formalize SLAs with third parties; expect abuse in unpredictable ways; prepare for HTML/XML screen scraping and iFrames.
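The mashup advice above (validate all input, filter what is presented to customers, expect HTML and iFrame abuse) is easiest to see in code. The following is an added example, not from the talk or the slide deck: an allowlist-based filter that an aggregator would run over a third-party feed item before rendering it to customers. It keeps a handful of formatting tags, drops script/iframe/object elements together with their contents, strips every attribute that is not explicitly allowed (so event handlers never survive), and rejects link schemes other than http, https and mailto. The feed item, the tag and attribute allowlists and the `partner.example` / `evil.example` hosts are all constructed for the example.

```python
"""Allowlist HTML filter for third-party mashup content (added example, not from the talk)."""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

# Tags a syndicated snippet may keep; anything else is stripped (its text is kept).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
# Attributes allowed per tag. Event handlers (onclick, onmouseover ...) are never
# listed here, so they are always removed.
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_href(value: str) -> bool:
    """Allow relative links and web/mail schemes; reject javascript:, data: and friends."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class MashupSanitizer(HTMLParser):
    """Rebuilds a fragment from allowlisted tags only, emitting well-formed output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0   # > 0 while inside a script/iframe/... element
        self.open_tags = []   # allowed tags we have emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not safe_href(value):
                    continue  # unsafe scheme: drop the attribute, keep the link text
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            # Third-party links must not pass link reputation or get a window handle.
            kept.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything up to and including this tag so nesting stays valid.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the partner left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = MashupSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed sample: a feed item body from a partner site, with the kinds of
# abuse the notes warn about (event handler, script, iframe, javascript: link).
SAMPLE_ITEM = (
    '<p onmouseover="steal()">Rates <b>updated</b> &amp; verified</p>'
    '<script>alert(1)</script>'
    '<iframe src="http://evil.example/ad"></iframe>'
    '<a href="javascript:alert(1)">details</a> '
    '<a href="https://partner.example/rates">rates</a><br/>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ITEM))
```

The allowlist approach matters more than the particular tag list: a denylist of "bad" tags is exactly what the notes mean by "expect abuse in unpredictable ways", since any tag or attribute you forgot becomes the next bypass. The filter should run on every item at render time, not once at ingestion, so that a partner changing its feed later still cannot inject into the pages your customers see.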