February 9th, 2012
And now it’s time for a commercial message. I was selected to be a Peer2Peer session facilitator for the 2012 RSA conference, taking place February 27-March 2 in San Francisco. My session is entitled Improving Security Policy: What Works? The session will occur February 29 at 8am, more details are at this link.
I plan to facilitate discussions about both what is wrong with Security Policy, and what works to improve it. Google’s new privacy policy will likely come up in discussion, along with some of my notions on prioritizing policy.
I invite all those who have had to write policy, read policy, and/or put policy into practice to attend. It should be a good discussion, and when we’re done I expect everyone will have learned some things that they can put into place the next time they are writing or editing security policy.
Posted in RSA Conference by Peter Hesse
February 1st, 2012
tl;dr Abstract
To improve performance, particularly for mobile users, many websites have started caching application logic on client devices via HTML5 local storage. Unfortunately, this can make common injection vulnerabilities even more dangerous: a one-time XSS that writes into the cache leaves code that is silently re-executed on every subsequent page load, long after the original injection point is gone. Real-world examples of this problem have now been discovered in third-party “widgets” embedded across many websites, creating security risks for the companies using such services – even if their sites are otherwise protected against attacks. Striking a balance between security and performance can be difficult, but certain precautions may help prevent an attacker from exploiting local storage caches.
Background
Throughout the history of web development, people have found ways to use and abuse various technologies beyond their intended purposes. Before CSS gained widespread support, many developers created complex layouts with HTML tables. Now that browsers provide far more presentation-layer tools, one can recreate complex images using only CSS. Such tricks can at times be very helpful in overcoming the limits of a browser-based environment, but they can also inadvertently create security issues.
Tags: html5, localstorage, xss
Posted in cool, hacking, software by Joey Tyson