<!

doctype html>

SECURITY
OWASP Helsinki 15.6.2011

beyond the attack vectors

Ville Svuori

I AM NOT A SECURITY EXPERT

(But a Web Developer :)

<!doctype html>

html

API Metering Backups & Snapshots Counters Cloud/Cluster Management Tools

Distributed Log storage, analysis Graphing HTTP Caching Input/Output Filtering Memory Caching Non-relational Key Stores Rate Limiting Relational Storage Queues Rate Limiting Real-time messaging (XMPP) Search

Instrumentation/Monitoring Failover Node addition/removal and hashing Auto-scaling for cloud resources

CSRF/XSS Protection Data Retention/Archival Deployment Tools

Multiple Devs, Staging, Prod Data model upgrades Rolling deployments Multiple versions (selective beta) Bucket Testing Rollbacks CDN Management

Ranging Geo

Sharding Smart Caching

Dirty-table management

Distributed File Storage

http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites

complex

http://www.flickr.com/photos/stuckincustoms/5069047950/

what is it?

Markup like Guido intended it.

Markup like Guido Tim intended it.

Not Just Markup anymore.

security

<header> <audio> <video> <canvas> <footer>

<audio>

<audio src='foo.mp4' preload='auto'>

<input type='email' required pattern='.*@syneus\.fi'>

HTTP/1.1 200 OK Date: Wed, 15 Jun 2011 17:45:00 GMT Server: Nginx/1.0.4 Access-Control-Allow-Origin: http://syneus.fi

local storage
localStorage.setItem('name', 'Hello World!');

Web Forms 2.0

SVG

CSS3
div > p:last-of-type { ... }

GeoLocation
navigator.geolocation.getCurrentPosition(show_map);

<iframe sandbox="allow-scripts">

in the wild

http://www.flickr.com/photos/sharkbait/2992242065/

common issues

http://www.flickr.com/photos/rainbirder/5068808204/

XSS
http://www.flickr.com/photos/rainbirder/5068808204/

XSRF
http://www.flickr.com/photos/rainbirder/5068808204/

SQL Injection
http://www.flickr.com/photos/rainbirder/5068808204/

Clickjacking
http://www.flickr.com/photos/rainbirder/5068808204/

ways to protect

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

understand threats

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

understand threats no, really.

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

sanitation

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

test your code

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

test your code regularly.

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

test your code often.

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

stay updated

http://www.flickr.com/photos/soldiersmediacenter/5285447846/

The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words insert, delete, drop, update, null, or select.
Sacramento Credit Union

http://www.flickr.com/photos/remydwd/48898192/

Best practices

http://www.flickr.com/photos/amagill/51806161/

trust no one

http://www.flickr.com/photos/furryscalyman/673915993/

use good tools

Let frameworks help you.

but dont trust them blindly

Again. Understand what youre doing.

use secure protocols

HTTPS over HTTP

outsource
or

hire someone
but at least

use a checklist

understand your users

Mere mortals dont behave like nerds.

educate them
Why is it important to have a good password?

MORE
html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5

Kiitos!
Ville Svuori @uninen

MORE
html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5