Web Applications Security Seminar David Evans University of Virginia 28 August 2007


Web Applications

Security Seminar

David Evans, University of Virginia, 28 August 2007

http://www.cs.virginia.edu/evans/wass

Welcome!

• Brief Seminar Intro
• Sign Up Sheets


Do Web Applications Change Security?


No perimeters

HTTP = UFBP


Dynamic

Rapidly Changing

Distributed State


Composed content

Complex trust models

Personal Information


(This is a hoax)

Real money from virtual actions

Competition, fraud, incentives


Some things don’t change?

• Most Classic Security Principles Still Apply (but get much harder...)
– Economy of Mechanism
– Fail-safe Defaults
– Complete Mediation
– Open Design
– Least Privilege
– Psychological Acceptability
– Least Common Mechanism
– Separation of Privilege

Saltzer & Schroeder, The Protection of Information in Computer Systems, 1975


Seminar Expectations

• You already know something about security
– Basic understanding of cryptography (e.g., public key crypto, SSL)
– System and software security
• Minimal web application knowledge expected
– Java, AJAX, JavaScript, PHP, Python, Ruby


Seminar Meetings

• Tuesdays and Thursdays, 11am-12:15
• One student (with help from an assistant) will lead a presentation on a topic
• All students will read focus paper(s)


Leading a Topic

• Topic leader and assistant
• Focus paper (sometimes two)
• Background and context papers, other sources, “hands-on” experience
• Meet with me at least a week before your scheduled presentation
– Office Hours: Mondays 10:30am, Tuesdays 12:15pm (or email to schedule other time)


Pre-Presentation Meeting

• Plan for your presentation
– What is the main story you want to tell?
– What technical nuggets are worth explaining?
– What context and background information do you need?
• Suggestions for the 2-3 response questions


Responses

• Short answers to questions about the focus paper
– 3 generic questions
– 1-3 specific questions
– Feel free to add any additional brilliant ideas you have
• Turn in (on paper) at beginning of seminar
• Come prepared to the seminar to discuss the paper


Projects

• Goal: do something interesting and important enough to write a conference paper
• Teams: alone or in a small group
• Topic: anything you can convince me is relevant and worthwhile
• Start thinking of ideas, finding teammates now: mini-proposal due Oct 2


Questions?

• Sign up on registration sheet
• Sign up on schedule sheet:
– One time as topic leader
– One time as assistant
– Don’t need to fill in topic now
• Thursday: MashupOS
– Response questions on website