Web Applications Security Seminar David Evans University of Virginia 28 August 2007
Welcome! • Brief Seminar Intro • Sign Up Sheets
No perimeters: HTTP = UFBP (the "Universal Firewall Bypass Protocol": port 80 is open through nearly every firewall, so the perimeter no longer separates trusted from untrusted code)
Dynamic Rapidly Changing Distributed State
Composed content Complex trust models Personal Information
Real money from virtual actions Competition, fraud, incentives (This is a hoax)
Some things don't change?
• Most Classic Security Principles Still Apply (but get much harder...)
• Economy of Mechanism
• Fail-safe Defaults
• Complete Mediation
• Open Design
• Least Privilege
• Psychological Acceptability
• Least Common Mechanism
• Separation of Privilege
Saltzer & Schroeder, The Protection of Information in Computer Systems (presented at SOSP 1973; journal version in Proc. IEEE, 1975)
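Two of the principles above, complete mediation and fail-safe defaults, are where web applications most often fail: every request must pass through one authorization chokepoint, and a request that matches no rule must be denied rather than allowed. The following is an added example, not code from the seminar or from any of its papers; the routes, roles and request shape are invented for illustration. It puts a deny-by-default policy table in front of a tiny dispatcher and contrasts it with a default-allow variant that only checks routes somebody remembered to register.

```python
"""Complete mediation and fail-safe defaults in a minimal web-style dispatcher.

Added example, not from the seminar slides. Routes, roles and the Request
shape are invented; no framework is used so the chokepoint stays visible.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None            # None = anonymous caller
    roles: frozenset = frozenset()        # roles the session carries


# Policy table: every reachable (method, path) must appear here.
# "*" means anyone, including anonymous users, may call it.
POLICY: Dict[Tuple[str, str], set] = {
    ("GET", "/"): {"*"},
    ("GET", "/profile"): {"user", "admin"},
    ("POST", "/profile"): {"user", "admin"},
    ("GET", "/admin"): {"admin"},
}

HANDLERS: Dict[Tuple[str, str], Callable[[Request], str]] = {}


def route(method: str, path: str):
    """Register a handler; deliberately does NOT touch POLICY."""
    def register(fn):
        HANDLERS[(method, path)] = fn
        return fn
    return register


@route("GET", "/")
def index(req: Request) -> str:
    return "welcome"


@route("GET", "/profile")
def profile(req: Request) -> str:
    return f"profile of {req.user}"


@route("POST", "/profile")
def update_profile(req: Request) -> str:
    return f"updated {req.user}"


@route("GET", "/admin")
def admin(req: Request) -> str:
    return "admin console"


# A developer added this handler and forgot to add a POLICY entry.
# This is the case the two dispatchers below disagree on.
@route("GET", "/debug/dump")
def debug_dump(req: Request) -> str:
    return "all user records"


def authorize(req: Request) -> bool:
    """Single decision point for every request (complete mediation)."""
    allowed = POLICY.get((req.method, req.path))
    if allowed is None:
        return False                      # fail-safe default: no rule -> deny
    if "*" in allowed:
        return True
    if req.user is None:
        return False                      # anonymous and not a public route
    return not req.roles.isdisjoint(allowed)


def dispatch(req: Request) -> Tuple[int, str]:
    """Hardened dispatcher: authorization runs before the handler is even looked up."""
    if not authorize(req):
        return (403, "forbidden")
    handler = HANDLERS.get((req.method, req.path))
    if handler is None:
        return (404, "not found")
    return (200, handler(req))


def dispatch_default_allow(req: Request) -> Tuple[int, str]:
    """Weak variant: only enforces policy on routes that have a rule.

    Any handler registered without a POLICY entry is reachable by anyone,
    which is exactly what the forgotten /debug/dump route exposes.
    """
    handler = HANDLERS.get((req.method, req.path))
    if handler is None:
        return (404, "not found")
    if (req.method, req.path) in POLICY and not authorize(req):
        return (403, "forbidden")
    return (200, handler(req))


if __name__ == "__main__":
    anon = Request("GET", "/debug/dump")
    print("deny-by-default:", dispatch(anon))               # (403, 'forbidden')
    print("default-allow:  ", dispatch_default_allow(anon))  # leaks the dump
```

The difference between the two dispatchers is not the role check, which is identical, but where the check sits: `dispatch()` consults the policy for every request and treats "no rule" as "no", so a forgotten policy entry fails closed as a 403 instead of failing open as a data leak.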
Seminar Expectations
• You already know something about security
• Basic understanding of cryptography (e.g., public key crypto, SSL)
• System and software security
• Minimal web application knowledge expected
• Java, AJAX, JavaScript, PHP, Python, Ruby
Seminar Meetings
• Tuesdays and Thursdays, 11:00am-12:15pm
• One student (with help from an assistant) will lead a presentation on a topic
• All students will read the focus paper(s)
Leading a Topic
• Topic leader and assistant
• Focus paper (sometimes two)
• Background and context papers, other sources, "hands-on" experience
• Meet with me at least a week before your scheduled presentation
• Office Hours: Mondays 10:30am, Tuesdays 12:15pm (or email to schedule another time)
Pre-Presentation Meeting
• Plan for your presentation
• What is the main story you want to tell?
• What technical nuggets are worth explaining?
• What context and background information do you need?
• Suggestions for the 2-3 response questions
Responses
• Short answers to questions about the focus paper
• 3 generic questions
• 1-3 specific questions
• Feel free to add any additional brilliant ideas you have
• Turn in (on paper) at the beginning of the seminar
• Come prepared to the seminar to discuss the paper
Projects
• Goal: do something interesting and important enough to write a conference paper
• Teams: alone or in a small group
• Topic: anything you can convince me is relevant and worthwhile
• Start thinking of ideas and finding teammates now: mini-proposal due Oct 2
Questions?
• Sign up on the registration sheet
• Sign up on the schedule sheet:
  • One time as topic leader
  • One time as assistant
  • Don't need to fill in a topic now
• Thursday: MashupOS
• Response questions on the website