CSI 2008 – Web Security, Cloud Computing and the Man-in-the-browser
Posted by Gunter Ollmann on November 16, 2008 at 10:04 AM EST.
This weekend marks the start of the CSI 2008 Conference at the Gaylord National Resort and Convention Center in Maryland, and it’ll be the second year I’ve presented at the conference. The conference itself is a little different – and sort of fits somewhere between RSA and Blackhat in the spectrum of attendees and topics covered.
I’ll be speaking at two sessions on Tuesday.
Session One...
The first session is actually the Web 2.0 Security Summit – running from 9:45am through to 2:45pm – and is designed to be an open panel, interspersed with a few discussion topic presentations. The panel speakers are Jeremiah Grossman (Chief Technology Officer, WhiteHat Security, Inc.), Tara Kissoon (Director, Information Security Services, Global Information Security Office, Visa Inc.), Robert Austin (President, KoreLogic), Trey Ford (Solutions Architecture, WhiteHat Security), Romain Gaucher (Security Consultant, Cigital Inc), Robert Hansen (CEO, SecTheory LLC) and me.
The abstract for the panel is:
Adopting Web 2.0 as the new, user-centric, service-oriented platform offers both irresistible business opportunities and undeniable security threats. The nimble, responsive, really-listens-to-you nature of Web 2.0 relies upon insecure scripting languages. The SOAs so appealing to users and compelling to businesses may provide ways for attackers to stroll right through your perimeter and make a beeline for your crown jewels. Learn more about the security risks of Web 2.0 (including social networking, SaaS, Google Apps, cloud computing, etc.) and how to measure the security of your Web applications. Discuss how to embrace Web 2.0 now as securely as is currently possible, and how to effectively work with Web developers now to head off the Web security problems of the future.
As part of the panel I’ll be doing a 30 minute discussion on Cloud Computing and what that means for Web 2.0. It’ll be an interesting phase of the panel discussions because most people don’t actually know what cloud computing is really about and what its security implications are.
Here’s a preview of a couple of the slides I’ll be using in the discussion…
Session Two...
In the afternoon, a short time after the panel session, I’ll be speaking again from 4:00pm to 5:00pm on the topic of Man-in-the-Browser Attack Vectors. This hour-long session will go into some detail on the current state of the art in man-in-the-browser attack technologies I’ve been observing of late.
The abstract of the talk is:
Man-in-the-middle attacks have evolved—the attacks are more personal and the attack front line has shifted into the Web browser. Investigate how man-in-the-browser attack vectors evolved, how they function and what the ramifications for Web 2.0 will be if businesses lose trust in and lose the trust of the Web browser.
Again, by way of preview, here are a couple of slides from the presentation…
So, if you’re at the conference – drop on by, and join the discussions.