Fairmont San Jose
170 S Market St
San Jose, CA 95113

The Rich Web Experience PDF

Secure Application Development with Ajax

In this seminar we'll examine the security concerns around Ajax applications, how they are exploited, and how developers can mitigate the risks to their applications. Ajax security begins with a discussion of the Same Origin Policy (SOP) of JavaScript, which is one of the key security features of JavaScript. Next, we'll examine authentication and authorization concerns with Ajax and how the developer can avoid common pitfalls.

The remainder of the talk will focus on the role of data validation in Ajax-based applications. We'll examine how attackers may abuse Ajax applications designed to bypass the SOP (i.e. mash-ups using Ajax proxies), dynamic code injection attacks, and proper serialization/deserialization of XML and JSON data.

About Dean H. Saxe

Dean H. Saxe is a Managing Consultant at Foundstone, a division of McAfee, where he is responsible for conducting web application penetration testing, threat modeling, code reviews, secure software development lifecycle (S-SDLC) design and implementation, and project management. Prior to joining Foundstone, Dean spent more than 8 years developing web applications in Java and ColdFusion in a variety of industries. While working in the banking sector, Dean's interest in application security was sparked and has grown steadily over the past five years. Dean also provides client education services as a lead instructor of these Foundstone courses: Building Secure Software, Writing Secure Code: Java/J2EE, and Writing Secure Code: ColdFusion. Dean holds the CISSP and Certified Ethical Hacker designations.

When not working, Dean enjoys hiking, cooking, homebrewing and traveling the world.
