The Enemy On The Web

Post on 04-Jun-2015


http://www.flickr.com/photos/8407953@N03/5990642198/

THE ENEMY ON THE WEB

The web is extremely popular. (Web1.0, Web 2.0, Web 3.0)

It was not supposed to be. It was destined to be. (Web 1.0 -> Web 2.0 -> Web 3.0?)

Numerous technologies cobbled together to make an incredible app delivery platform.

(HTML5+CSS3+ES5+DOM+Node/PHP/Java+MongoDB/MySQL)

Today the web is extremely dominant.

And anything dominant gets scrutinized, misused, or worse, attacked.

So, WHO ARE THEY?

Usually 3 kinds!

SO WHAT DO THEY WANT?

Deface. Steal Credentials. Malware

Root Cause #1. Let’s go back a few decades.

The telecom networks of the 60s to 80s used in-band signaling,

i.e. sending control information and data on the same channel.

Then came the free long distance calls.

In-band signaling on the web, a.k.a. XSS

In-band signaling on the web, a.k.a. SQL Injection

Root Cause #2. Insecure mashups: Ads, 3rd Parties, Customers

Iframe malicious redirect attacks

Drive-by-download/malware attacks

But we have Firewalls, IDS, XYZ, ABC, 123. And we also undergo pen tests, code reviews, etc.

Q: Did it solve your problem?

Why chase the symptom?

Let’s fix the problem.

The Golden Rule: Defensive Coding. Everything has bad parts. Did you subset the language you use?

Adopt/Build app frameworks that can bear the attack.

Ones that auto-defend and auto-sanitize, like MVC templates with auto-encoding.

Like NoSQL DBs, free of SQL Injection.
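As an added example (not from the slides), here is a minimal JavaScript tagged template that HTML-encodes every interpolated value, which is the core of what an auto-encoding MVC template does: the markup written by the developer stays "control", and user data can no longer be promoted into markup. The function names and the sample display name are assumptions constructed for the example.

```javascript
// Minimal auto-encoding template (added example, not the slides' code).
// Encodes for HTML text and double-quoted attribute values only; URL and
// JavaScript contexts need their own encoders, which are out of scope here.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode one value for the HTML text / quoted-attribute context.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: every ${...} interpolation is encoded automatically,
// so the template author cannot forget to escape a value.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += encodeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// The in-band way: user data concatenated straight into the markup channel.
function greetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// The auto-encoding way: same template, but data stays data.
function greetingSafe(name) {
  return html`<p>Hello, ${name}</p>`;
}

// Constructed sample input: a display name that carries markup characters.
const SAMPLE_NAME = '<b>Bob</b> & "Co"';

console.log(greetingUnsafe(SAMPLE_NAME)); // markup from the user is rendered
console.log(greetingSafe(SAMPLE_NAME));   // markup from the user is shown as text
```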

WARNING: Check production readiness at http://www.browserscope.org/?category=security&v=top

Learn and Implement New Techniques.

(CSP, ES5, HTML5 Sandbox, PostMessage)

twitter: b1shan

Email: c70n3r@gmail.com

blog: http://bishankochher.blogspot.com/