Risico's Web 2.0 (Web 2.0 risks)
INTEGRATION as the problem to the answer...
© hans pronk 2008 (aka h@nzz.nl)

Slide 2: pre-Web 2.0 security & integration

Slide 3: masters of integration or the ultimate mash-up

Slide 6: trends in the new 2.0 era
- social networks
- writable web
- AJAX
- deportalization
- end of the walled garden
- SaaS
- PaaS
- syndication
- browser as THE UI: everywhere available
- widgets
- mash-ups
- the rise of the platform
- user-centric identity
- user-centric

Slide 7: integration & security
- control
- complexity
- data spills
- new new new

Slide 8: the visionary? right or wrong? ..

Slide 10: the new applications landscape

Slide 11: complexity
- platforms: the new paradigm: Google | Amazon | Microsoft Live Core | Carolina | Salesforce | 37Signals | (insert favourite platform here)
- complexity hiding
- economics of scale
- specialization

Slide 19: control & faith sharing
- the Ford/Firestone case
- dealing with service levels / disaster recovery
- dealing with popularity: "The Remora Business Model"
- syndication / RSS / "dapper"
- old-school firewall issues

Slide 20: complexity
- "software is hard" (Donald E. Knuth)

Slide 21: complexity
- API design: architecture, scaling, inside versus outside
- SOAP versus REST: "put it to REST"?
- transport versus message security

Slide 22: complexity
- (accidental) integration on the desktop: XSS/XSRF, exploit of trust (user | web site), JSON
- (missing) tools: IDS for app servers

Slide 23: example XSS/XSRF
- reflected XSS through a URL parameter:
  http://www-1.ibm.com/support/docview.wss?uid=swg21233077&loc=%22%3Cbody%20onload=alert('OWNED')%3E%22
  the loc value decodes to "<body onload=alert('OWNED')>"
- XSRF through an image tag that makes the victim's browser issue a state-changing GET with the victim's own cookies:
  <img src="http://bank.example/withdraw?account=bob&amp;amount=1000000&amp;for=mallory">
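The two cases on the XSS/XSRF slide above, worked through as an added example that is not part of the original deck: the reflected `loc` value is output-encoded before it reaches the page, and the bank's withdraw action is made to require a POST carrying a per-session token that a cross-site page cannot read. All function names and the in-memory session store are assumptions, not code from the presentation.

```python
"""Added example (not from the slides): the reflected-XSS URL and the
CSRF <img> from the 'example XSS/XSRF' slide, each next to its fix.
All function names and the in-memory session store are hypothetical."""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# --- 1. reflected XSS: the slide's URL carries the payload in 'loc' ------
SLIDE_XSS_URL = ("http://www-1.ibm.com/support/docview.wss?uid=swg21233077"
                 "&loc=%22%3Cbody%20onload=alert('OWNED')%3E%22")


def loc_param(url: str) -> str:
    """Return the URL-decoded 'loc' query parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("loc", [""])[0]


def render_loc_vulnerable(loc: str) -> str:
    """Reflects the parameter verbatim, so the decoded <body onload=...> becomes markup."""
    return f"<p>Location: {loc}</p>"


def render_loc_hardened(loc: str) -> str:
    """Same page with contextual output encoding: '<', '>' and quotes become entities."""
    return f"<p>Location: {html.escape(loc, quote=True)}</p>"


# --- 2. CSRF: the slide's <img src="http://bank.example/withdraw?..."> ----
# The victim's browser sends this GET with the victim's bank cookie attached.
SLIDE_CSRF_URL = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"

SESSIONS: dict[str, str] = {}  # constructed session store: session id -> CSRF token


def issue_csrf_token(session_id: str) -> str:
    """Mint an unguessable per-session token; the server embeds it in its own forms."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def withdraw_vulnerable(method: str, url: str) -> tuple[int, str]:
    """Acts on any request that arrives with a session cookie; method is ignored."""
    p = parse_qs(urlsplit(url).query)
    return 200, f"moved {p['amount'][0]} from {p['account'][0]} to {p['for'][0]}"


def withdraw_hardened(method: str, session_id: str, form: dict) -> tuple[int, str]:
    """State change only via POST, and only with this session's token.
    A cross-site page cannot read the token (same-origin policy), so the
    forged request from the slide fails the method check and the token check."""
    if method != "POST":
        return 405, "state-changing request must be POST"
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, f"moved {form['amount']} from {form['account']} to {form['for']}"


if __name__ == "__main__":
    loc = loc_param(SLIDE_XSS_URL)
    print(render_loc_vulnerable(loc))
    print(render_loc_hardened(loc))
    print(withdraw_vulnerable("GET", SLIDE_CSRF_URL))
    print(withdraw_hardened("GET", "sess-bob", {}))  # the slide's <img> request
    tok = issue_csrf_token("sess-bob")
    print(withdraw_hardened("POST", "sess-bob",
                            {"csrf_token": tok, "account": "bob", "amount": "10", "for": "alice"}))
```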
Slide 24: data spills
- identity management / privacy
  - Identity 2.0 aka "user-centric identity management" (Dick Hardt)
  - casual versus strict privacy
- the case for OAuth!
- OpenSocial?
- data hygiene
  - example: RSS feeds

Slide 27: sharing with the world
- (private) intel
- profiling (IP address?)
- [Plaxo | LinkedIn | Hyves | Facebook | Qik | Trackr]: addresses, contacts, pictures, whereabouts...

Slide 32: new... newer... newest
- AJAX
- Ruby (on Rails) / RJS / Python / ...
- lighttpd / Mongrel
- libraries, more libraries, and even more libraries

Slide 33: web threats
- Web 2.0 is a success: as the activities of the real world move online, the criminals follow the money, and the money is now online
- credit card companies are still eating the losses, but some areas are making customers more liable for losses

Slide 34: web threats
- from highly visible media events to financially motivated threats
- the true financial attacks don't want to lose connectivity, so infrastructure DDoS attacks are contraindicated
- not just Windows: now hitting Linux and Mac as well, aiming to compromise Linux servers

Slide 35: web threats
- large rise in misconfigured, rogue DNS resolvers; estimated 300,000 compromised DNS servers
- Google finding 180,000 web servers serving malicious code in their crawls

Slide 36: wrapping up...
- "old" security mechanisms not enough / counterproductive
- reduce complexity / decoupling
- old principles are still true
- be aware and... be what you are

Slide 37:
- h@nzz.nl
- www.twitter.com/hnzz
- hnzz.jaiku.com
- www.hnzz.nl

2008, © h@nzz.nl
