Ajax and Web applications in general present some unique and difficult challenges in security. Keeping data and code protected from intrusion and theft remains one of the most important aspects of Web application design and implementation. This track presents best practices for securing applications based on coding techniques for handling security holes and other opportunities for compromise and theft.

Security Sessions:


Advanced Web Application Security

Joe Walker, Creator, Direct Web Remoting (DWR); Director, Support & Development, SitePen

The security landscape is always changing. Unless you are aware of CSRF, JavaScript hijacking, and the many ways to fool an XSS filter, it's likely that your Web application will not be secure. JavaScript, CSS and even simple HTML elements are now used against websites. This session outlines the challenges and the options for protection, for site owners and web users.

Attend and gain a firm understanding of:

  • Security challenges particular to a Web 2.0 world;
  • CSRF, anti-JavaScript-hijacking techniques, and fooling an XSS filter;
  • How to protect yourself, from both the point of view of site owners and users.

Beyond IFrames: Web Sandboxes

Scott Isaacs, Author, DHTML specification; Web Sandbox project

Today web gadgets, mashup components, advertisements, and other third-party content on websites either run with full trust alongside your content or are isolated inside IFrames. As a result, many modern web applications are intrinsically insecure, often with unpredictable service quality. Being aware of security issues, and of possible solutions that avoid compromising security, is of prime importance in helping to make the web a more secure place.

Find out the key challenges in Web Security and learn about the Microsoft Web Sandbox open source framework that runs on all modern browsers and builds on the ongoing ECMA TC-39 security working group efforts.

Attend this session to learn:

  • Key challenges in Web security;
  • How a website can expand its client experience with third-party scripts without compromising user trust or site stability;
  • How a site can control the policies that define the integration;
  • How the Microsoft Web Sandbox is addressing these challenges by virtualizing both script execution and the DOM;
  • And more.

Panel: Secure Mashups: Getting to Safe Web Plug-ins

Douglas Crockford, Creator, JSON; Author, JavaScript: The Good Parts

Secure JavaScript is coming, and this panel of engineers from four internet powerhouses will discuss the emerging consensus among implementers and how secure JavaScript allows for new kinds of application mashups driving the web today.

Led by JavaScript expert Douglas Crockford, the panelists discuss how mashups and social networks have security requirements not easily addressed by current methods, how the various secure JavaScript variants address those problems, and how they open up new opportunities for web application developers.

Panelists include:

  • Marcel Laverdet from Facebook, who will discuss FBJS, the first secure mashup scheme to tame HTML, JavaScript and CSS.
  • Mike Samuel from Google, who will discuss Google's Caja project, which has similar goals but uses a pure-whitelisting approach, addresses both the defensive and the offensive code problems, and uses code analysis to improve performance.
  • Scott Isaacs, inventor of DHTML, who will discuss WebSandbox from Microsoft's LiveLabs, which focuses more broadly: instead of focusing solely on security, it also tackles "quality of service" issues, providing, among other things, a pause button for web applications.

Attend and dive deep into emerging security threats seen on social networks that include third-party gadgets with executable code. These pieces of third-party code violate the assumption underlying the same-origin model: that script on a web page is authored by the same person or group that authored the containing page. Participants discuss where the same-origin model breaks down, how new security models repair these problems, and the new opportunities available with the new models.

You'll learn about growing security threats not addressed by existing iframe jailing practices and new ways of dealing with these threats and other security threats posed by dynamic third-party content. You'll also learn how these schemes can smooth over cross-browser incompatibilities and how the security analysis done by these schemes can help with testing and debugging of complex web applications.
