The State of Web Security

Speech transcript
Thank you. So, I'm the CTO over at Immunio. Welcome, everyone, to Kansas City. I hope everyone's having a good time. It's the third day of the conference, so I'm going to try to keep references to "we're not in Kansas anymore" and the Wizard of Oz to a minimum; you've probably heard them all. RailsConf has always been a good place for us. If you remember us here last year, we had a booth in the expo hall, and we actually launched our company at RailsConf, so our first supported platform in the product is Rails. We love you guys, so thanks a lot.

Speaking of launches, I want to divert a bit at the start here and ask: did anyone stay up late last night and watch the launch? A few of you. Let's give a round of applause. [unintelligible]

How many of you did any of these things? How many did all of these things? [unintelligible] OK, so all of you probably did some of these: maybe you did some web banking, maybe you arranged a date for the weekend, maybe some of you right now, with laptops open, are managing your company's network or touching your production servers. All of this is happening online, through websites. You write websites, other people wrote these websites. This is all
happening on the web. Everyone knows that compared to 10 or 20 years ago there's just more and more stuff online: government data, sensitive data, your dating profile, Ashley Madison. Everything's online these days. And the other people who are online are people like this, and of course this is exactly what they look like. Or this one, which you've probably seen.

So how do we protect ourselves against people like these? We go on the internet, download padlock images and stick them on the screen. You can all see, right? The site is more secure. Maybe another one, a green one, then a shield, and you don't stop. So hopefully all of you are doing this, and all of these other websites that you're visiting and trusting to store your data are also doing these fancy techniques.

That kind of brings up the question: who is actually protecting all my data on the internet? Probably some of you are managing sites that are holding my data; certainly the other developers who are developing sites. Fundamentally, over the past 20 years it's become easier and easier to make a website. We're all here this week because we love Rails. That workshop we were listening in on, they're learning how to make websites; it's really easy, Rails makes it easy, other frameworks make it easy. But there's still the question: who's actually protecting my data? Is it the people in this room? It probably should be everyone. Are these people doing some of these things: checking out the framework defaults, making sure things are up to date, maybe getting their code reviewed for security, pen tests, that sort of thing, looking for new vulnerabilities? Hopefully you're doing some of these things; maybe you should be doing all of them. Or maybe you're lucky and you've got ruby slippers. That's the last one, I promise.
Because security is hard. All those things I listed are hard; they take a lot of time, a lot of work. You're generally focusing on making your site work, making it do cool things, building features for your customers. Everyone wants to be secure, but it's a hard thing to do well. It can also be really, really interesting, and I hope some of you are here today to get into some of the interesting parts.

So really I'm focusing today on three things, three types of vulnerable code that might be in your applications, that you've written or that you're going to write. There's the code that you write: your application itself, the view logic, the controllers, the actual app code that you've written and are responsible for. There's also code written by other people: you use the Rails framework, Rails runs on Ruby, you probably run a ton of third-party gems to add various functionality to your app. That's other people's code whose security posture you're now sort of responsible for. And then there's code that's not written at all: maybe you should have written some additional functionality to protect you against attackers, but again, we don't always have time, so this code not written is also a gap in your app. It sounds a little bit like the Ghost of Christmas Past, the Ghost of Christmas Yet to Come, but whatever.

So let's look at an attack type that probably everyone's familiar with; I hope in recent years you've heard of it: SQL injection. This is a very simple example. Here you've got an SQL query and you're building it by adding some strings together and putting in some user input. Then a user comes along, one of those shadowy hacker guys with the masks, and says, "I've set my username to this." It's in red because it's from a hacker, of course: single quote OR 1=1. If you're not familiar with SQL injection, you might look at that and say, OK, what does that do? What happens is, when your query gets put together, it modifies the intent of your query. Instead of a WHERE clause with one parameter, name equals username, it has two conditions: name equals whatever, OR 1=1. I don't know about you experts on math, but 1=1 is always true, so that's always going to return true. So instead of giving you back one record that matches your username, it's now going to give back every record in the database. This is the type of thing that introduces and allows these massive data breaches that you've probably read about in the news, with millions of credentials floating around on the internet; some of them might be yours, some of them might be mine.

Now, SQL injection was first discussed publicly in 1998. It's really well understood. This is not a new attack vector, it's not an advanced attack vector, so pretty much this is fixed in every app on the internet, right? Obviously not.

Last year, TalkTalk, a big UK ISP and mobile carrier, had 157 thousand of its customers' details stolen. They figured that after the breach and all the handling of it they lost around 100 thousand customers and about 60 million pounds, probably about 100 million US dollars, because of this breach. SQL injection, not advanced, just the SQL injection that was first talked about almost two decades ago. OK, but they're an exception, right?

VTech. Anyone with kids, this one's kind of scary. VTech makes these little laptops for children, and the children log in, they've got their name, they can put in their birth date. They got breached, and they lost details on 200 thousand children along with almost 5 million of the parents, with home addresses, passwords, emails, names, et cetera. SQL injection, a two-decade-old vulnerability.

And this one could be more fun. Wetherspoons, a pub chain in the UK, got hacked, and this one wasn't awful: they only lost around 650 thousand customer details, and it was only phone numbers, dates of birth and email addresses, so, you know, no damage there. And beer vouchers. That's the one that really hurts me, because these shadowy hackers are now drinking free beer at Wetherspoons. So maybe they deserve it, I don't know.

So this age-old attack, almost two decades old, should be well solved. You're probably thinking, well, I'm a Rails developer, I don't write SQL statements like that, I use Active Record, it takes care of a lot of this for me. Well, after the talk, go take a look at this website here if you haven't seen it before, rails-sqli.org, actually driven by Justin Collins, who's speaking right after me, so stick around for his talk. You would be shocked, I think, at some of the things in Active Record that look like they should be very safe, a function that takes a single parameter, the column name or something like that, but instead actually, internally, really just kind of build up a string, so you can again do lots of arbitrary attacks like SQL injection. So it's still a thing after 20 years. That's the code that you're writing.

What about code that other people are writing? So this is a vulnerability that was announced at the start of this year, 2016, as a CVE. I think there were four Rails vulnerabilities announced on the same day; it was a sort of collection of things. This is credited to John from nVisium, a company that does Rails consulting and security, really, really good guys. There's also a blog where he describes this in depth, linked at the bottom there, and I'm basically just showing you the highlights of his blog post. It was reported as a possible information leak vulnerability in render params, and it's an issue if you
have something like this, the render function in your controller taking anything that's coming from user-supplied input. The idea here is render params[:template], so that I can have different templates for, in this case, my users. Maybe this is the dashboard template we're looking at; at the bottom you see /dashboard and get the dashboard template, if you do /details you get the details template. Saves you some time, right? If you look at the render documentation, it's not super clear what that first parameter is: is it just the name of the template, which is then looked up in my views along with all my other templates, or is it a path to the template file within my app, or, as we'll learn, could it be an absolute path to my file system? Of course I'm talking about it because it's this one. So that same view, you add the percent-encoded /etc/passwd, which is the database on my Unix systems that stores all my user details, and it dumps all the content of it.

OK, so maybe that's an exception. What about something more Rails-specific? What can you do with that sort of secret down there for session initialization? You can do a lot of stuff; you can basically forge any session in Ruby, because you can sign your own cookies. So basically through this vulnerability we can read any file on the file system that your web server would normally have access to. They call it information disclosure, arbitrary file disclosure, sometimes directory traversal, where we're using these dot-dot-slash or absolute paths to get into things. You can read any file on the system: SSL private keys, probably something you don't want to lose; secret tokens; secrets.yml. These things at the bottom, not everyone knows: sometimes you put sensitive data into the app through environment variables, so you don't need a file on the file system. That's great as well, but if you can read these /proc files, you can actually read those environment variables just like a file. So you're not really safe no matter how you do it; if you've got this vulnerability, you're in trouble.

What is so bad? It's really bad, this vulnerability, if you happen to have code like that in your app. I did a quick search on GitHub for "render params", give it a try sometime; there's something like 50 thousand matches. It's not a rare occurrence, this thing. But it gets worse. There was another vulnerability in 2014, CVE-2014-0130, and Jeff Jarmoc, I think from Matasano, wrote up an article and dug into this. It's a similar concept: basically there's a way that you could convince Rails to load an arbitrary file on the file system. He said, well, can I take this further? Instead of just reading a file, can I actually execute arbitrary code? Of course you can, and it really comes down to a helpful default behaviour in Rails where, if you load any file through render and it doesn't recognize the extension, it defaults to treating it as an ERB template. So in the example before, when we read /etc/passwd, what we received was actually Rails rendering that as an ERB template, because it didn't know the extension. So far, /etc/passwd is not a big deal; there's no ERB code in there. But if we can put ERB code into a file, something simple like that, just using the backtick operator, which executes shell commands, we can get that into a file on the computer and then get Rails to read from it, then we can execute any arbitrary shell commands on the server that we want. whoami tells us the current user, but you can imagine we could put far worse things in there, in red; of course it's in red because it's from one of the shadowy hackers.

So the basics: we write code into a file and then we ask Rails to execute it for us. How do we do that? How do we get code into a file in Rails? Well, thankfully that's built in for us, because every request is logged to your log file, production.log, and I don't know if you've looked into it, but by default it's showing all your query parameters. So, great, my code 1 2 3 4; we could change that to something a bit more sneaky, percent-encode it, there's the data that we want to get into the file, make a request, and it dutifully gets written to production.log. So now if we put this exploit together, the first half from the new vulnerability plus this half from the old exploit from 2014, it's the same idea: we have a single request, feed in arbitrary shell code, send it to a vulnerable server and it executes.

So again, that's a vulnerability. What does that let an attacker do? This is something that's a bit new over the past maybe year, year and a half. It used to be, with all this stuff, if you could get files from a file system you were trying to steal data, personal information; if you could execute arbitrary code you were maybe trying to steal data as well, or use the server to launch further attacks elsewhere, or to further explore your infrastructure. But something new that started to come out is this idea of site
ransomware. You've probably heard of ransomware, the normal kind. This is software that infects your computer, and in the background it goes around and looks at all your files, and instead of deleting them, like maybe malware used to do in the old days, it encrypts the files with a special key that you don't have. So now when you go on to your computer and try to use it, you can't access any files, and it pops up a helpful message that says, you know, pay us 100 dollars in bitcoin or something and we'll decrypt your files for you. It's really effective, because the price is generally pretty low and people want their files back, so they pay. What started happening in 2015, last year, is the technique started to evolve to websites, primarily in WordPress-type scenarios, where it's the wild west in terms of security, but it's also affecting other apps as well. The ransomware gets in, executes arbitrary code, downloads a payload that encrypts all the files on your website, maybe even the data in your database, and when you or your customers visit your site you get something kind of like this: if you want your website back, pay the ransom. Like before, generally people want to pay. This is actually affecting hospitals and other types of servers, malware in general. It's a big deal, so just be aware that this isn't just people coming in and stealing data from servers; it's not just your customers, it's also potentially your revenue, your livelihood, your website.

The other type of attack I want to talk about is something called credential stuffing, or that's what some people call it. It's similar. Basically the idea is some other site gets attacked, maybe through some technique we just talked about or some other breach, and the attacker steals a massive list of usernames and passwords. Now chances are, I think there was a study that said around 50% of user accounts are using shared passwords, so the password on your site might be the same as the password in the dump that hacker just downloaded, and they want to know which ones match your site. So what they're going to do is take that big dump, maybe it's a million, maybe it's a hundred thousand usernames and passwords, and write a script that will go to your website and try to log in with those details. When they find one, they know that account is valid, active and vulnerable on your site, and if it fails, they just move on to the next one.

I like talking about this case; it's a bit interesting in terms of blame. Whose fault is it? Some other website got hacked; you might not be vulnerable at all to these SQL injections or arbitrary code execution, it was somebody else who got hacked, their website, that breached those user accounts. And it's kind of the fault of the users, maybe: maybe they shouldn't be reusing passwords, kind of their fault they didn't choose strong passwords, maybe 123456 was one of them. But fundamentally, your users are the ones these attackers are breaking into; these are your user accounts. So it's kind of on you guys, as you're developing sites, to protect your users. And this isn't just a small problem, it's not just common passwords; these are the massive breaches, millions and millions of leaks. That's actually one from just a few days ago; I really just pasted this for the headline here. This is a site that would actually help you find out if you were in one of these dumps, and then they got hacked, and now this consolidated list of what they say is 866 million user credentials, which this site had helpfully consolidated and organized, is out for whoever got them. So just be aware that this is not a problem that's being solved or going away. Two or three days ago there was a new dump with almost 900 million usernames and passwords, things that might be coming to your site any day.

OK, maybe there's a bunch of passwords from this list that match users on your site, and is it your problem or is it the user's problem? Maybe you could justify saying, well, we don't really mind if our user accounts get breached a little bit; there's not a lot of sensitive data there, or those users aren't admins, so maybe it's not that big a deal. So I want to talk through one use case, one attacker use case I should say, where attackers are using these types of account-takeover attacks to directly monetize the result: something called warranty fraud. This happened to Fitbit a lot in 2015. The basic idea was that, using these techniques, the hackers got a bunch of accounts, and the first thing they did when they found an account that worked was go in and change the email, change the phone number, change the address to point to the attacker. Then they called Fitbit and said, my Fitbit broke, can you send me a new one? Fitbit wants to keep their customers happy, so they send out the Fitbit before they receive the broken one. So now the hackers are getting all these Fitbits, they turn around and sell them for half price on eBay or something, and they've now turned your vulnerable accounts into cash for them, which means they're highly motivated to do this. So there's always a way to monetize these things.
So how do you protect against these attacks? Educating developers; that's probably why you're all here today, you're learning about security, learning more. There are great resources out there. The OWASP Top 10 is a quick intro to a lot of this stuff, the top 10 vulnerabilities that cause most of these breaches, and it kind of helps people stay up to date; they update the list every year, or most years, so new attack types will bubble up as they become more prevalent and you can focus on learning more about them. Static analysis: actually the same guy, Justin Collins, writes Brakeman. Brakeman will scan your Rails app and tell you if you've got vulnerabilities. It detects a lot of what I talked about just now, and it also detects the one from 2014. So use these tools to scan your code to try to stop these things before they get released. And I mentioned earlier manual code review, or maybe pen testing: get other people to try to break your code. It's a good way to get a second opinion, to understand maybe things that you don't know about that someone else does.

The big thing I don't like about this list is that it's the same list I would have been showing 10 years ago if I gave this talk. Nothing's really changed here; there are no new defensive techniques that are helping people these days. So this is still good, you should still do all these things, and they help you produce a secure app, but then when you deploy it, you kind of want protection against stuff happening in real time, or against new threats. There are a few tools that already exist for this kind of active defence.

There's a thing called a web application firewall; you may have heard of it. It became very popular when it became sort of a mandatory requirement for PCI compliance, for handling credit cards. Basically it's a box that sits in front of your app, and you can kind of see, it's really small, that you go through every single URL in your app and you tell it all the parameters that you expect to see, you tell it whether they're mandatory or not, how long they should be, what characters you should expect. You can kind of get from this that it's tedious to configure. The big problem is that it's easily bypassed, because this is a box sitting in your network in front of your app that doesn't really know what's going on; it's just applying these rules or signatures, and there are actual books about how to bypass web application firewalls. So it doesn't give us a lot of additional security. There's also kind of a problem with how they're deployed. So you've got your app down there on your own servers, you've got the internet cloud, the classic picture, the yellow line is bad stuff being rejected, you've got your web application firewall protecting your app. That's all great if your deployment looks like this, but more and more these days our deployments look a bit more like this: the app is the thing that you deploy, not so much the infrastructure around it anymore. You write your app, you push it to Heroku, maybe Docker if you're rolling something of your own, and you want security to go with the app.

That's where we get into one of the defences I want to talk about today: this concept of RASP. I've never been a big fan of the acronym, but it stands for runtime application self-protection: the idea that it's part of your app, that gives your application the ability to protect itself in real time. This kind of shifts the story inside the application, so we get a bit more visibility on what's going on.

If we go back to our attack there, what was the actual exploit that happened? The vulnerability was that we could convince Rails to load an arbitrary file, but the actual exploitation, the malicious intent, what they're doing is trying to read files that aren't normally read, or trying to execute shell commands that aren't normally executed. So can we instead try to stop that? Move that logic inside the app, and you can see these things happening directly; we're not sitting outside the box trying to guess what might happen when it hits the app. Here are some examples of what you can do. Your app shouldn't be reading anything from /etc/passwd, really; it should only be writing to its log and temp directories, it shouldn't be writing to some arbitrary place on your file system. Your app should not be reading SSH private keys. Shell code execution: most apps don't actually need to execute system commands, or if they do, it's usually in just a few spots. Maybe you need to compile some CSS on first access, or maybe you need to shell out to the command line to generate a PDF invoice or something like that, but generally you're not executing shell commands, and you're definitely not downloading Perl scripts from Russian IP addresses and executing them. You should not be doing that in your app, right? So can we detect these things happening and stop that? Instead of tracing all the individual vulnerabilities and trying to chase them as they're announced, stop the malicious behaviour.

The same idea applies to those other attacks. SQL injection: we see the whole SQL query, so can we stop that at the source? Instead of trying to guess at the bad input, look at the full query before it gets into the database and stop it there. Same for templates: as we're rendering the template, we can look for cross-site scripting. Then authentication, failed logins: inside the app we get visibility of all this stuff. As well, the application knows itself, right? It knows which lines of code are running these things, it knows which lines of code are running SQL statements, and if you get an SQL statement that looks abnormal, it knows where that came from in your code, so it can work with the development team a lot more closely and help them understand where these vulnerabilities are coming from.

This is sort of the general idea of how RASP works; they don't all work like that, but that's the idea. You've got your app in blue, and then you add the security logic, and it gets a chance to hook into all the various parts of your application, so it can protect against header-based stuff, it can protect against SQL queries, it can protect against authentication failures. What that lets us do is, if we take our old example of the SQL injection and we look at some possible inputs, the first one is good, great; most of the queries from that line of code will look like that, so we can learn that structure: your WHERE clause should have one condition. Then when the bad input comes in and all of a sudden that line of code is executing a query that has two conditions in the WHERE clause, flag it as an attack. Of course we know it's an attack because it's red and the other one's green; I had somebody tell me, what's this, just stop the red ones, and all this logic? But that's the idea.

Same for things like authentication: instead of just blocking failed login attempts and allowing successful ones, we can start to look at the rate of failed logins. Most of your users, if they forget their password, like me, might have to try four or five times before they get it right, but they shouldn't be trying a hundred times. When they cross these thresholds you should take action to stop them; you can do something like automatically serve a captcha, or just block, or whatever you like.
So back to these three types of vulnerabilities. I talked through a few examples; these were all about how this provides tools for you to address some of these issues, because everybody's writing code, we're all using external code, and nobody has time to write all the code that they possibly should be writing. If you can land a rocket on a barge in the middle of the Atlantic Ocean, surely we can use this to make websites more secure. And that's it. Thank you.
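The SQL injection example and the RASP structure check described in the talk, as an added worked example in Ruby (this is not code from the talk or from Immunio's product). The query builder, the quote-doubling helper and the `where_condition_count` check are all illustrative stand-ins: a real Rails app would use bind parameters (`User.where(name: username)` or `where("name = ?", username)`) rather than either string builder, and a real RASP agent hooks the database adapter rather than being handed a string.

```ruby
# Added example, not from the talk: the talk's injected input `' OR '1'='1`
# turns a one-condition WHERE clause into a two-condition one, and a check
# on that structure catches it without guessing at "bad" input.

# Vulnerable pattern from the talk: user input concatenated into SQL.
def build_query_unsafe(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# Stand-in for a parameterised query: doubling single quotes keeps the
# input inside one string literal. Only here so the example runs without
# a database; in Rails use bind parameters instead of any string building.
def build_query_escaped(username)
  "SELECT * FROM users WHERE name = '#{username.gsub("'", "''")}'"
end

# Replace every string literal (with '' as the escaped quote) by an empty
# literal, so AND/OR that occur inside data are not counted as operators.
def strip_string_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# Number of top-level conditions in the WHERE clause: 1 plus the AND/OR
# keywords found outside string literals. 0 when there is no WHERE at all.
def where_condition_count(sql)
  where = sql.split(/\bWHERE\b/i, 2)[1]
  return 0 if where.nil?
  1 + strip_string_literals(where).scan(/\b(?:AND|OR)\b/i).size
end

# The runtime check from the talk: this line of code is known (learned in
# a real agent, declared here) to produce a fixed number of conditions,
# so any other shape coming from the same call site is flagged.
def injection_attempt?(sql, expected_conditions)
  where_condition_count(sql) != expected_conditions
end

if __FILE__ == $PROGRAM_NAME
  [["alice", :unsafe], ["' OR '1'='1", :unsafe], ["' OR '1'='1", :escaped]].each do |input, builder|
    sql = builder == :unsafe ? build_query_unsafe(input) : build_query_escaped(input)
    puts "#{sql}\n  conditions=#{where_condition_count(sql)} attack=#{injection_attempt?(sql, 1)}"
  end
end
```

The counter is deliberately naive (it ignores parentheses and comments); its point is that the decision is made on the query the application is about to execute, at a known call site, rather than on the raw parameter.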
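The `render params[...]` problem from the talk, as an added example (not the talk's code and not Rails' own implementation): the resolvers below are plain Ruby stand-ins for what a template lookup does with a user-supplied name, with an assumed views root of `/var/app/views/users` and a hypothetical `TEMPLATES` allowlist. The first shows why an absolute or `..` path escapes the views directory, the second is the allowlist a controller should use instead, and `contained?` is the path check for code that genuinely must accept a free-form name.

```ruby
# Added example, not from the talk. Pure string/path functions so it runs
# without Rails or a file system.
require "uri"

VIEWS_ROOT = "/var/app/views/users".freeze   # assumed template directory

# Vulnerable behaviour described in the talk: the user-supplied name is
# treated as a path. File.expand_path resolves "../.." and absolute paths
# exactly as the file system would, so both escape the views directory.
def unsafe_resolve(name, root = VIEWS_ROOT)
  File.expand_path(name, root)
end

# Hardened version: the request selects a key; only keys present in the
# (hypothetical) allowlist map to a template, everything else renders nothing.
TEMPLATES = { "dashboard" => "dashboard", "details" => "details" }.freeze

def safe_resolve(name, root = VIEWS_ROOT)
  template = TEMPLATES[name]
  template && File.expand_path(template, root)
end

# Defence in depth for code that must take a free-form name: after
# expanding, refuse anything that does not stay underneath the root
# (the trailing "/" stops "/var/app/views/users2" from passing).
def contained?(name, root = VIEWS_ROOT)
  expanded = File.expand_path(name, root)
  expanded == root || expanded.start_with?(root + "/")
end

# The web stack decodes the query string before the controller sees it, so
# the percent-encoded path from the talk arrives as the raw path.
def param_from_query(raw)
  URI.decode_www_form_component(raw)
end

if __FILE__ == $PROGRAM_NAME
  ["dashboard", "../../../../etc/passwd", param_from_query("%2Fetc%2Fpasswd")].each do |name|
    puts "#{name.inspect}: unsafe=#{unsafe_resolve(name)} " \
         "safe=#{safe_resolve(name).inspect} contained=#{contained?(name)}"
  end
end
```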
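The credential-stuffing detection the talk sketches (failed-login rate thresholds, then a captcha or a block), as an added Ruby example that is not from the talk or from any product. The log format, the IP addresses (RFC 5737 documentation ranges) and the accounts are constructed for the example; `classify` distinguishes stuffing (many failures across many distinct usernames from one source) from a single-account brute force, which the talk's rate threshold alone would lump together, and `response_for` maps the verdict to the action.

```ruby
# Added example, not from the talk: sliding-window failed-login analysis
# over constructed log lines.
require "time"

LINE_RE = /\A(?<time>\S+) login ip=(?<ip>\S+) user=(?<user>\S+) result=(?<result>\w+)\z/

# Constructed log lines: 30 failures in 60 s from one source, each against a
# different (leaked) username; a human mistyping "bob" four times and then
# succeeding; and one source hammering the single "admin" account.
def constructed_log_lines
  t0 = Time.utc(2016, 5, 6, 10, 0, 0)
  lines = []
  30.times { |i| lines << "#{(t0 + i * 2).iso8601} login ip=203.0.113.5 user=user#{i}@example.com result=fail" }
  4.times  { |i| lines << "#{(t0 + 120 + i * 15).iso8601} login ip=198.51.100.7 user=bob result=fail" }
  lines << "#{(t0 + 200).iso8601} login ip=198.51.100.7 user=bob result=success"
  25.times { |i| lines << "#{(t0 + i).iso8601} login ip=192.0.2.9 user=admin result=fail" }
  lines
end

# One line -> event hash, or nil for lines that do not match the format.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { time: Time.iso8601(m[:time]), ip: m[:ip], user: m[:user], result: m[:result].to_sym }
end

# Per source IP, keep the failures inside the window. Once the failure count
# crosses the threshold, the number of distinct usernames tells stuffing
# (one password each for many accounts) from brute force (one account).
def classify(events, window_seconds: 300, max_failures: 20, max_distinct_users: 10)
  recent   = Hash.new { |h, k| h[k] = [] }   # ip -> [[time, user], ...] within window
  verdicts = {}
  events.sort_by { |e| e[:time] }.each do |e|
    verdicts[e[:ip]] ||= :ok
    next unless e[:result] == :fail
    bucket = recent[e[:ip]]
    bucket << [e[:time], e[:user]]
    cutoff = e[:time] - window_seconds
    bucket.shift while bucket.first[0] < cutoff
    next if bucket.size < max_failures
    distinct = bucket.map(&:last).uniq.size
    verdicts[e[:ip]] = distinct >= max_distinct_users ? :credential_stuffing : :password_brute_force
  end
  verdicts
end

# The action the talk mentions: captcha for a likely human or scripted
# guesser on one account, outright block for a stuffing run.
def response_for(verdict)
  case verdict
  when :credential_stuffing  then :block
  when :password_brute_force then :captcha
  else :allow
  end
end

def analyze_log(lines, **opts)
  classify(lines.map { |l| parse_line(l) }.compact, **opts)
end

if __FILE__ == $PROGRAM_NAME
  analyze_log(constructed_log_lines).each do |ip, verdict|
    puts "#{ip}: #{verdict} -> #{response_for(verdict)}"
  end
end
```

Thresholds are assumptions; in production they are tuned per site, and a real agent keys the same state on account as well as source IP, since stuffing runs are usually spread over many addresses.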

Metadata

Formal metadata

Title The State of Web Security
Series title RailsConf 2016
Part 31
Number of parts 89
Author Milner, Mike
License CC Attribution - Share Alike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, also in altered form, only under the terms of this licence.
DOI 10.5446/31569
Publisher Confreaks, LLC
Publication year 2016
Language English

Content metadata

Subject area Computer science
Abstract Join me for a wild ride through the dizzying highs and terrifying lows of web security in 2015. Take a look at some major breaches of the year, from Top Secret clearances, to medical records, all the way to free beer. We’ll look at how attack trends have changed over the past year and new ways websites are being compromised. We’ve pulled together data from all the sites we protect to show you insights on types and patterns of attacks, and sophistication and origin of the attackers. After the bad, we’ll look at the good - new technologies like U2F and RASP that are helping secure the web.
