Jon’s Network


There’s No Browser Security Model: We Are Screwed

April 25th, 2007 · 1 Comment

One of the more memorable talks at the Web 2.0 Expo was given by Alex Stamos of iSEC Partners.

Here it is in a nutshell: There is no browser security model. We are all screwed.

He offered a good introduction to XSS and Cross-Site Request Forgery, discussed some attack examples, and ended with a security analysis of the common AJAX frameworks. None came out unscathed, meaning developers need to take responsibility for security, since the frameworks are neutral in this regard.

Alex also mentioned that moving forward we will continue to see our browsers running code from a variety of locations, making security more complicated. As you might expect, according to Alex, Rich Internet Applications that integrate the desktop with the internet are a really bad idea in terms of security. Adobe demonstrated some RIAs built using their Apollo framework and they were amazing.

His slides stand pretty well alone. Get them here: Alex Stamos Web 2.0 Expo Slides

Tags: Web

1 response so far ↓

  • 1 5 misconceptions about Web 2.0 technologies // Jun 24, 2007 at 7:30 am

    [...] problem, and this one a major one: security! Web browser security models are considered insufficient and are put at risk by the new ways of developing. For example, to integrate [...]
