100 likes | 226 Views
Ēriks Dobelis, RTU RBS, BITI, eriks . dobelis @ biti . lv. Current web security challenges in Latvia. Contents. Identity theft Code quality Single layer of control Lack of monitoring Decreasing importance of perimeter Impact of consumerisation and device specialization
E N D
Ēriks Dobelis, RTU RBS, BITI, eriks . dobelis @ biti . lv Current web security challenges in Latvia
Contents • Identity theft • Code quality • Single layer of control • Lack of monitoring • Decreasing importance of perimeter • Impact of consumerisation and device specialization • Other long term trends
Identity theft • Most popular authentication methods: • User/password • Code card • Code calculator • MobileID • Internetbank as authentication provider
Identity theft (cont.) • Risks • Insecure storage (esp. password, code card) • Phishing • Solutions • More secure authentication methods • User education
Code quality • Secure code development not part of typical curriculum • A lot of vulnerable code • Solutions • Training and education • Penetration testing • Architecture
Single layer of control • Most web applications put 100% of security controls in code • Mistake by one developer may lead to huge impact • Solutions • Application level security proxy • Usage of frameworks
Lack of monitoring • Most organizations cannot afford dedicated security professionals • Most IDS systems fail to identify large sets of attacks • Solutions • Application level security proxy • Regular log analysis
Decreasing role of perimeter • False sense of security from firewall • Increasing number of business partners • Increased use of hosted applications • Solutions • Access control centralization • Security policy
Impact of consumerisation and device specialization • Consumers using increasing range of devices to connect to web applications • Impossible to restrict browser versions and platforms • Browser vulnerabilities • Solutions • Platform independent standards based development
Other long term trends • HTML5 new funcionality • WebSockets • Offline applications • Local data storage and access to files • Concurrency • Move to cloud • Increasing power of large vendors