Web 2.0 Risks

Post on 26-Jun-2015


A short overview of the risk aspects of the brave new web 2.0 world.

Transcript of Web 2.0 Risks

Web 2.0 Risks

INTEGRATION as the problem to the answer…

© hans pronk 2008 (aka h@nzz.nl)


pre-WEB 2.0 security & integration

masters of integration or the ultimate mash-up

trends in the new 2.0 era

deportalization, end of the walled garden, SaaS

mash-ups, widgets

user-centric identity

the rise of the platform

writable web, AJAX

browser as THE ui: everywhere available

user-centric

social networks

syndication, PaaS

integration & security

control, complexity, data spills, new new new

right or wrong?

the visionary?

the new applications landscape

complexity

platforms: the new paradigm:Google | Amazon | Microsoft Live Core | Carolina | Salesforce | 37Signals | (insert favourite platform here)

complexity hiding, economics of scale, specialization

control & faith sharing

the ford firestone case

dealing with service levels / disaster recovery

dealing with popularity: “The Remora Business Model”

syndication / rss / “dapper”

old school firewalls issues

“software is hard”

Donald E. Knuth

complexity

API design, architecture, scaling, inside versus outside

SOAP versus REST

“put it to REST”?

transport versus message security

complexity

(accidental) integration on the desktop, XSS/XSRF exploit of trust (user|website), JSON

(missing) tools: IDS for app servers

http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%22%3Cbody%20onload=alert('OWNED')%3E%22

“<body onload=alert('OWNED')>”

example XSS/XSRF

<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
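As an added example (not part of the original slides), here is the server-side check that makes the forged request above harmless: the `<img>` can only issue a GET with the victim's cookies, so withdrawals are refused unless they arrive as a POST carrying a per-session token a third-party site cannot read; the reflected parameter is HTML-escaped so an `onload=` payload renders as text. The session store, the `Request` type and the `/withdraw` handler are constructed for this illustration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed session store: session cookie value -> CSRF token for that session.
SESSIONS = {"sess-bob": secrets.token_hex(16)}


@dataclass
class Request:
    """Minimal stand-in for a web framework request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent automatically by the browser
    form: dict = field(default_factory=dict)     # POST body fields
    query: dict = field(default_factory=dict)    # URL query string


def csrf_token_for(session_id: str) -> str:
    """Token the bank's own form embeds as a hidden field for this session."""
    return SESSIONS[session_id]


def withdraw(req: Request) -> tuple[int, str]:
    """Handle /withdraw and return (status, body). The forged <img> GET is refused
    before any state changes; a POST is only honoured when the submitted token
    matches the one bound to the session cookie."""
    if req.method != "POST":
        # <img src=...> and plain links can only produce GET: never act on it.
        return 405, "withdrawals require POST"
    expected = SESSIONS.get(req.cookies.get("session"))
    if expected is None:
        return 401, "not logged in"
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare so the check leaks nothing about the token.
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"
    amount = html.escape(req.form.get("amount", ""))
    payee = html.escape(req.form.get("for", ""))
    return 200, f"<p>withdrew {amount} for {payee}</p>"


def render_reflected(value: str) -> str:
    """Echo user input into HTML safely: '<body onload=alert(...)>' stays literal text."""
    return f"<p>no results for {html.escape(value, quote=True)}</p>"
```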

data spills: identity management / privacy

Identity 2.0 aka “user centric identity management” (Dick Hardt)

casual versus strict privacy

the case for OAuth!

open social?

data hygiene example: RSS-feeds

sharing with the world

(private) intel, profiling (IP address?)

[Plaxo | LinkedIn | Hyves | Facebook | Qik | Trackr]

addresses, contacts, pictures

whereabouts…

new… newer… newest

AJAX, Ruby (on Rails) / RJS / python / …, lighttpd / mongrel, libraries, more libraries, and even more libraries

web threats

Web 2.0 is a success, as the activities of the real world move online; the criminals follow the money, and the money is now online

credit card companies are still eating the losses; but some areas are making customers more liable for losses

web threats

from highly visible media events to financially motivated threats

the true financial attacks don't want to lose connectivity, so infrastructure DDoS attacks are counterindicated

not just windows, now hitting Linux and Mac as well, aiming to compromise Linux servers

web threats

large rise in misconfigured, rogue DNS resolvers; estimated 300,000 compromised DNS servers

Google finding 180,000 web servers serving malicious code in their crawls

“old” security mechanisms not enough / counterproductive

reduce complexity / decoupling

old principles are still true: be aware and… be what you are

wrapping-up…

www.twitter.com/hnzz

hnzz.jaiku.com

www.hnzz.nl

h@nzz.nl

2008, © h@nzz.nl