no website left behind: are we making web security only for the elite?
DESCRIPTION
Web security explanations and solutions have been designed for programmers, but many of the people who create pages do not have a programming background. This presentation explains why this is a problem, and suggests some ways we can improve the state of web security. This was presented at W2SP 2010 on May 20th. It may not be very useful until I have time to create an audio track, so in the meantime please check out the annotated slides on webinsecurity.net for more explanation.TRANSCRIPT
No Web Site Lef t Behind: Are We Making Web Secur ity
Only for the Elite?
Terr i Oda and Anil Somayaji Car leton University, Ot tawa, Canada
Page Creatorsare not all
Programmers
Web developer
Deigner
Creative Director
Graphic Artist
Art Director
Logo creator Web Designer
Moter
Soccer Coach
Gaming guild leader
Pet Owner
Journalist
Student
Writer
Repair Tech
Entrepreneur
Teacher
MinisterCitizen
Worker
Real estate agent
Web Secur ityis for
Programmers
=
Problem: Gremlins in the Engine
Safer Coding Pract ices
Taint ing
Taint ing
Known Exploit Detect ion
Look!
Look!
Look!
Look!
Known Exploit Detect ion
Look!
Look!
Look!
Look!
Mashup Protect ions
The language of secur it y
define R1 ≡ all URIs accepted by the first HTTP header CSPdefine R2 ≡ all URIs accepted by the second HTTP header CSPRe = {r | r ∈ R1 AND r ∈ R2}(Re is the set of all URIs accepted by the intersected CSP)
CWE/SANS TOP 25 Most Dangerous Programming Errors
The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client.
SANS
MozillaCSP
OWASP
WASC
Non-Programmersst ill needSecur it y
Popular Facebook Game Caught Serving Malvertisements
64% of websites currently have a serious vulnerability
When Web 2.0 Becomes Security Risk 2.0
Malware delivered by Yahoo, Fox, Google ads
More than 100 attacks a second
78% of reported vulnerabilities were web related in Q1-2 2009
83% of sites have had a serious vulnerability
Web hit by high tech crime wave
75% of web sites with malicious code are compromised legitimate sites
Deign afects Securty
So... Now What?
security costs > risk?
More secure inf rast ructure
andtools
Educat ion
Minimal Intervent ions
Separat ion between secur it y and design
Offl oad to someone else
● Others in the organizat ion● e.g. Systems administ rator
● Users● Outside experts
