HTML5 Security
0 likes744 views
The document discusses security best practices for web applications. It recommends understanding threats like XSS and SQL injection, sanitizing user input, testing code regularly for vulnerabilities, staying up to date on security issues, and using frameworks and secure protocols. It also stresses understanding users and educating them on security basics. Overall, the key message is that developers need to prioritize security, trust no one (including users and tools), and constantly work to protect applications and users.
HTML5 Security
- 1. <!doctype html> SECURITY beyond the attack vectors Ville Säävuori · · OWASP Helsinki · 15.6.2011
- 2. I AM NOT A SECURITY EXPERT (But a Web Developer :)
- 4. html
- 5. • API Metering • Distributed Log storage, analysis • Backups & Snapshots • Graphing • Counters • HTTP Caching • Cloud/Cluster Management Tools • Input/Output Filtering • Instrumentation/Monitoring • Memory Caching • Failover • Non-relational Key Stores • Node addition/removal and hashing • Rate Limiting • Auto-scaling for cloud resources • Relational Storage • CSRF/XSS Protection • Queues • Data Retention/Archival • Rate Limiting • Deployment Tools • Real-time messaging (XMPP) • Multiple Devs, Staging, Prod • Search • Data model upgrades • Ranging • Rolling deployments • Geo • Multiple versions (selective beta) • Sharding • Bucket Testing • Smart Caching • Rollbacks • Dirty-table management • CDN Management • Distributed File Storage http://randomfoo.net/2009/01/28/infrastructure-for-modern-web-sites
- 10. what is it?
- 11. Markup like Guido intended it.
- 12. Markup like Guido Tim intended it.
- 14. security
- 15. <header> <audio> <video> <canvas> <footer>
- 16. <audio>
- 18. <input type='email' required pattern='.*@syneus.fi'>
- 19. HTTP/1.1 200 OK Date: Wed, 15 Jun 2011 17:45:00 GMT Server: Nginx/1.0.4 Access-Control-Allow-Origin: http://syneus.fi
- 20. local storage localStorage.setItem('name', 'Hello World!');
- 21. Web Forms 2.0
- 22. SVG
- 23. CSS3 div > p:last-of-type { ... }
- 26. in the wild http://www.flickr.com/photos/sharkbait/2992242065/
- 27. common issues http://www.flickr.com/photos/rainbirder/5068808204/
- 30. SQL Injection http://www.flickr.com/photos/rainbirder/5068808204/
- 31. Clickjacking http://www.flickr.com/photos/rainbirder/5068808204/
- 32. ways to protect http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 33. understand threats http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 34. understand threats no, really. http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 35. sanitation http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 36. test your code http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 37. test your code regularly. http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 38. test your code often. http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 39. stay updated http://www.flickr.com/photos/soldiersmediacenter/5285447846/
- 40. The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.” — Sacramento Credit Union
- 42. Best practices http://www.flickr.com/photos/amagill/51806161/
- 43. trust no one http://www.flickr.com/photos/furryscalyman/673915993/
- 44. use good tools Let frameworks help you.
- 45. but don’t trust them blindly Again. Understand what you’re doing.
- 46. use secure protocols HTTPS over HTTP
- 47. outsource or hire someone but at least use a checklist
- 48. understand your users Mere mortals don’t behave like nerds.
- 49. educate them Why is it important to have a good password?
- 50. MORE html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5
- 51. Kiitos! Ville Säävuori @uninen
- 52. MORE html5sec.org lyh.fi/web_security www.syneus.fi/aiheet/html5