Integrate 2015

As an overwhelming number of applications are created or move to the cloud, web application vulnerabilities are skyrocketing. This talk will dive into the latest web attack vectors and how you can protect your web applications and API’s. Some example areas that will be touched on are DDOS, XSS, CSP, SQL injection, HSTS and PKI.

A Content Delivery Network's vast insight into the full range of web attacks against both its customers and itself is unique, leveraging data on the delivery of hundreds of Gbps (Gigabits per second) of static and dynamic Web content Web applications and API’s are the preferred targets of attackers these days given the continued move of applications and API’s to the cloud as well as the damage that can be caused (password dumps, payment data theft, defacement, etc.). 

The vast majority of developers gloss over security when building applications, instead trying to “bolt it on” after the fact “if their site gets popular”. There are far too many high profile compromises that were the result of poor web application security. There are plenty of talks that dive into “desktop” and “behind the firewall” malware and vulnerabilities, but very few that target web exploits and attacks.

The talk will examine some traffic replays of what the web attack looked like, what the attacker was targeting, as well as the technologies that were used to block the attack. Most developers have no idea what DDOS, XSS, CSP, HSTS etc. are but these are critical for the availability and security of a web application. 

The talk will also cover some of the latest improvements in Web PKI (SSL/TLS) that a website should absolutely be using for their web stack. The PKI / TLS discussion is especially relevant given the continued turmoil around governments snooping on end user traffic. There are few resources on the web about how you should configure SSL/TLS, and this talk will go over the proper setup to make sure web application end users are protected.