Abstract
A decade ago, we began doing business over the web. Browsers and web servers became the building blocks of services and applications on the Internet. Web application security was a major concern in 2000, but little progress has been made to fix the problems. In 2009, the underground cyber economy grew in leaps and bounds. Spam has become a lucrative business. Writing exploits fetches real money. Large scale breaches of customer data are on the rise. You can purchase pay-per-hour distributed denial of service attacks. The effectiveness of antivirus software has fallen well below acceptable levels. Today, it is impossible for an average user to “survive the web” without falling prey to scams or malware.
This talk explores how well known vulnerabilities and bugs play a key part in creating the attack patterns of tomorrow – the objectives, motives and how all the pieces of the puzzle fit together.
We need to take another look at the fundamental building blocks that deliver our web applications. Are browsers and protocols capable of delivering secure web applications? Standards have evolved, but without a focus on application security. In our quest for a slicker Web 2.0, have we compromised on fundamental security principles? Although there is no clear solution in sight, it is time that we start asking for what is really needed.