Current web security challenges in Latvia

Ēriks Dobelis, RTU RBS, BITI, eriks.dobelis@biti.lv


Post on 05-Jan-2016


Contents

- Identity theft
- Code quality
- Single layer of control
- Lack of monitoring
- Decreasing importance of perimeter
- Impact of consumerisation and device specialization
- Other long term trends


Identity theft

Most popular authentication methods:
- User/password
- Code card
- Code calculator
- MobileID
- Internetbank as authentication provider


Identity theft (cont.)

Risks:
- Insecure storage (esp. password, code card)
- Phishing

Solutions:
- More secure authentication methods
- User education


Code quality

- Secure code development not part of typical curriculum
- A lot of vulnerable code

Solutions:
- Training and education
- Penetration testing
- Architecture


Single layer of control

- Most web applications put 100% of security controls in code
- Mistake by one developer may lead to huge impact

Solutions:
- Application level security proxy
- Usage of frameworks


Lack of monitoring

- Most organizations cannot afford dedicated security professionals
- Most IDS systems fail to identify large sets of attacks

Solutions:
- Application level security proxy
- Regular log analysis


Decreasing role of perimeter

- False sense of security from firewall
- Increasing number of business partners
- Increased use of hosted applications

Solutions:
- Access control centralization
- Security policy


Impact of consumerisation and device specialization

- Consumers using increasing range of devices to connect to web applications
- Impossible to restrict browser versions and platforms
- Browser vulnerabilities

Solutions:
- Platform independent standards based development


Other long term trends

- HTML5 new functionality
  - WebSockets
  - Offline applications
  - Local data storage and access to files
  - Concurrency
- Move to cloud
- Increasing power of large vendors