WebFund 2014W Lecture 15: Difference between revisions

From Soma-notes
← Older editNewer edit →
No edit summary
Line 40: Line 40:


Last is most significant for web security
Last is most significant for web security
==Input validation==

Revision as of 18:42, 7 March 2014

Web Security

Security is (roughly):

  • confidentiality
  • integrity
  • availability

Cryptography (SSL, secure hashes) are tools for achieving security. But they are not the only ones.

Security really matters for web applications because, by design, most are accessible by anyone in the world.

Threat Models

  • what are the attacker goals?
  • how may they achieve them?
  • in other words, how are you in danger? What are the risks?

There are always attacks outside of your threat model.

Attacker Goals

  • steal private information (e.g., financial)
  • reduce availability
    • impact reputation
  • perform malicious operations (using existing functionality)
    • steal money
    • blow up a reactor
    • use application to achieve attacker's goals
  • monitor usage (spying)
  • data tampering

Points of Vulnerability

What access does the attacker have?

  1. hardware (chips)?
  2. physical/virtual access to machine?
    • burglary
    • "insider attacks": sysadmins, cloud providers
    • Digital Rights Management (DRM)
  3. malicious input

Last is most significant for web security

Input validation

Retrieved from "https://homeostasis.scs.carleton.ca/wiki/index.php?title=WebFund_2014W_Lecture_15&oldid=18750"