CS696 Talk - PowerPoint PPT Presentation

Slides: 16
Provided by: David77

Transcript and Presenter's Notes



1
Web Applications Security Seminar
David Evans University of Virginia 28 August 2007
2
Welcome!
  • Brief Seminar Intro
  • Sign Up Sheets

3
Do Web Applications Change Security?
4
No perimeters HTTP UFBP
5
Dynamic Rapidly Changing Distributed State
6
Composed content; complex trust models; personal information
7
Real money from virtual actions; competition, fraud, incentives
(This is a hoax)
8
Some things don't change?
  • Most Classic Security Principles Still Apply (but
    get much harder...)
  • Economy of Mechanism
  • Fail-safe Defaults
  • Complete Mediation
  • Open Design
  • Least Privilege
  • Psychological Acceptability
  • Least Common Mechanism
  • Separation of Privilege

Saltzer & Schroeder, The Protection of Information in Computer Systems, 1973
9
Seminar Expectations
  • You already know something about security
  • Basic understanding of cryptography (e.g., public
    key crypto, SSL)
  • System and software security
  • Minimal web application knowledge expected
  • Java, AJAX, JavaScript, PHP, Python, Ruby

10
Seminar Meetings
  • Tuesdays and Thursdays, 11am-12:15
  • One student (with help from an assistant) will
    lead a presentation on a topic
  • All students will read focus paper(s)

11
Leading a Topic
  • Topic leader and assistant
  • Focus paper (sometimes two)
  • Background and context papers, other sources,
    hands-on experience
  • Meet with me at least a week before your
    scheduled presentation
  • Office Hours: Mondays 10:30am, Tuesdays 12:15pm
    (or email to schedule other time)

12
Pre-Presentation Meeting
  • Plan for your presentation
  • What is the main story you want to tell?
  • What technical nuggets are worth explaining?
  • What context and background information do you
    need?
  • Suggestions for the 2-3 response questions

13
Responses
  • Short answers to questions about the focus paper
  • 3 generic questions
  • 1-3 specific questions
  • Feel free to add any additional brilliant ideas
    you have
  • Turn in (on paper) at beginning of seminar
  • Come prepared to the seminar to discuss the paper

14
Projects
  • Goal: do something interesting and important
    enough to write a conference paper
  • Teams: alone or in a small group
  • Topic: anything you can convince me is relevant
    and worthwhile
  • Start thinking of ideas, finding teammates now;
    mini-proposal due Oct 2

15
Questions?
  • Sign up on registration sheet
  • Sign up on schedule sheet
  • One time as topic leader
  • One time as assistant
  • Don't need to fill in topic now
  • Thursday: MashupOS
  • Response questions on website