1. Lessons Learned in Web Security Shimin Yeh
12/25/2007
2. Agenda Security Lessons Learned in NCTU a dozen years ago
What is Security?
Top Security Issues
Security in Software Development Lifecycle
Partner Integration Security
Security Issue Tracking and Resolution
Physical Security
Social Engineering
Security of Personal Computer
Abuse Issues
Human Factor
3. Security Lessons Learned in NCTU a Dozen Years Ago Charles Pfleeger, Security in Computing, 2nd ed.
Bruce Schneier, Applied Cryptography, 1st ed.
Evi Nemeth et al., UNIX System Administration Handbook, 2nd ed.
Gene Spafford et al., UNIX and Internet Security, 2nd ed.
4. Lessons Learned in my Early Years in Software Industry Netscape web server
Checkpoint firewall
panacea of security?
On-line stock trading system project in ‘98
Hardening
server software patch - not everyone knows this.
Security features and CIA
Confidentiality – SSL for channel integration
Integrity (and non-repudiation) – digital signature
Authentication – password for login plus public key signature for authentication
Minimal peer reviews
Competition with JPC – non-security factors prevail.
SSL = security is easier to sell.
5. What’s Security? Behaves as it is supposed to do. Nothing more and nothing less.
6. Case Study Victoria’s Secret
Prozac
AOL
MySpace – Samy is my hero
Qualcomm CEO’s laptop
Defacement cases in zone-h
XSS cases in xssed.com
Electronic voting systems in California
7. What does that mean? Brand damage: Trust is hard to gain but easy to lose.
Internet companies live or die by their reputation.
8. Top Security Issues Input Validation Issue
Buffer overflow
SQL injection
XSS
Misconfiguration
Third Party Software