Web Security Best Practices Guide

HTML5 Security -- Beyond attack vectors. Slides from my presentation at OWASP meeting in Helsinki Finland, 15 June 2011.

Uploaded by

Ville Säävuori
Copyright
© Attribution Non-Commercial (BY-NC)

<!doctype html>

SECURITY
OWASP Helsinki 15.6.2011

beyond the attack vectors

Ville Säävuori

I AM NOT A SECURITY EXPERT


(But a Web Developer :)

<!doctype html>

html

API Metering
Backups & Snapshots
Counters
Cloud/Cluster Management Tools
Distributed Log storage, analysis
Graphing
HTTP Caching
Input/Output Filtering
Memory Caching
Non-relational Key Stores
Rate Limiting
Relational Storage
Queues
Rate Limiting
Real-time messaging (XMPP)
Search
Instrumentation/Monitoring
Failover
Node addition/removal and hashing
Auto-scaling for cloud resources
CSRF/XSS Protection
Data Retention/Archival
Deployment Tools
Multiple Devs, Staging, Prod
Data model upgrades
Rolling deployments
Multiple versions (selective beta)
Bucket Testing
Rollbacks
CDN Management
Ranging Geo
Sharding
Smart Caching
Dirty-table management
Distributed File Storage


complex


what is it?

Markup like Guido intended it.

Markup like Guido Tim intended it.

Not Just Markup anymore.

security

<header> <audio> <video> <canvas> <footer>

<audio>

<audio src='foo.mp4' preload='auto'>

<input type='email' required pattern='.*@syneus\.fi'>

HTTP/1.1 200 OK
Date: Wed, 15 Jun 2011 [Link] GMT
Server: Nginx/1.0.4
Access-Control-Allow-Origin: [Link]

local storage
[Link]('name', 'Hello World!');

Web Forms 2.0

SVG

CSS3
div > p:last-of-type { ... }

GeoLocation
[Link](show_map);

<iframe sandbox="allow-scripts">

in the wild


common issues


XSS

XSRF

SQL Injection

Clickjacking

ways to protect


understand threats


understand threats no, really.



sanitation
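The HTML5 slides above show client-side features (the `pattern` attribute on an email input, the `Access-Control-Allow-Origin` response header) and this slide asks for sanitation. The following is an added example, not code from the slides, showing what the server side of those features looks like when the browser is not trusted: the email pattern is checked again on the server, the CORS header is only sent back for an allow-listed origin rather than reflecting whatever `Origin` arrived, and user-supplied text is HTML-escaped before it is written into a response. The `syneus.fi` domain comes from the slide; the allowed origin `https://app.example.test` and the `handleSignup` request shape are constructed for this example.

```javascript
// Added example (not from the original slides). Plain Node.js, no dependencies.

// 1. Re-validate on the server what the browser validated with
//    <input type='email' required pattern='.*@syneus\.fi'>.
//    The pattern attribute is a usability aid only; any HTTP client can
//    send a request that never went through the form.
const EMAIL_PATTERN = /^[^\s@]+@syneus\.fi$/; // domain taken from the slide

function validateEmail(value) {
  if (typeof value !== 'string') return false;
  return EMAIL_PATTERN.test(value);
}

// 2. CORS: send Access-Control-Allow-Origin only for origins we know.
//    Reflecting the incoming Origin header, or using '*' on an endpoint
//    that relies on cookies, lets any site read the response.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed value

function corsHeaderFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null; // no header: browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // keep caches from serving one origin's answer to another
  };
}

// 3. Output escaping for XSS: encode untrusted text before it lands in HTML.
//    Escaping on output is preferable to stripping "dangerous" words on input,
//    because it does not depend on guessing every payload in advance.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 4. A minimal request handler tying the three checks together.
//    req = { origin: <Origin header>, body: { email, name } } (constructed shape)
function handleSignup(req) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    ...(corsHeaderFor(req.origin) || {}),
  };
  if (!validateEmail(req.body.email)) {
    // Reject rather than "clean up": the client already had a chance to fix it.
    return { status: 400, headers, body: '<p>Invalid email address.</p>' };
  }
  // The name is untrusted input and goes through escapeHtml before being rendered.
  const body = `<p>Welcome, ${escapeHtml(req.body.name)}!</p>`;
  return { status: 200, headers, body };
}

module.exports = { validateEmail, corsHeaderFor, escapeHtml, handleSignup };
```

Note that `corsHeaderFor` returning `null` means the header is simply omitted; the browser then refuses to expose the response to the calling page, which is the intended default for an origin that is not on the list.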


test your code


test your code regularly.



test your code often.



stay updated


The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words insert, delete, drop, update, null, or select.
Sacramento Credit Union


Best practices


trust no one


use good tools


Let frameworks help you.

but don't trust them blindly


Again. Understand what you're doing.

use secure protocols


HTTPS over HTTP

outsource
or

hire someone
but at least

use a checklist

understand your users


Mere mortals don't behave like nerds.

educate them
Why is it important to have a good password?

MORE
[Link] [Link]/web_security [Link]/aiheet/html5

Kiitos!
Ville Säävuori @uninen
