Jon's Network

Network Security News, Analysis and Ephemera


There’s No Browser Security Model: We Are Screwed

April 25th, 2007

One of the more memorable talks at the Web 2.0 Expo was Alex Stamos of iSEC Partners.

Here it is in a nutshell: There is no browser security model. We are all screwed.

He offered a good introduction to XSS and Cross Site Request Forgery, discussed some attack examples and ended with a security analysis of the common AJAX frameworks. None came out unscathed, meaning developers need to take responsibility for security, since the frameworks are neutral in this regard.

Alex also mentioned that moving forward we will continue to see our browsers running code from a variety of locations, making security more complicated. As you might expect, according to Alex, Rich Internet Applications that integrate the desktop with the internet are a really bad idea in terms of security. Adobe demonstrated some RIAs built using their Apollo framework and they were amazing.

His slides stand pretty well alone. Get them here: Alex Stamos Web 2.0 Expo Slides

Tags: Web
