Presenter: Nathan Davis
Topic: Developing Secure Web Applications
Reminder: The July meeting will be on the 11th!

Hack your own application before someone else does!
We will first place web application security into the broader context of secure systems:
* What is security anyway?
* Who are the stakeholders in a secure system?
* What aspects of security are outside the control of the web application proper?

We will then consider how security is a process, not a product:
* What are some possible aspects of a good security process?
* What types of products / services can assist our process in the quest for secure systems? (I will not be endorsing specific products or services.)
* What role does psychology play?
We then aim to enumerate a set of principles which can guide our search for vulnerabilities in our applications:
* What types of questions should we be asking ourselves as we look at code?
* What do I need to know about the programming abstractions I use?
* How can vulnerabilities be classified?
* What are strategies for mitigating specific classes of vulnerabilities?
Finally, we will illustrate some specific examples of vulnerabilities and mitigation using code examples in the ASP.NET MVC Framework, and provide resources for further investigation.

Nathan's Bio: Nathan Davis has been developing web applications for nearly a decade. He is currently a Programmer / Analyst at POD, Inc., a wholly owned subsidiary of RESPEC, Inc. Nathan first became interested in application security after seeing a SQL error in one of his early projects and asking the question: "What just happened?"