Techniques in Attacking and Defending XML/Web Services

Mamoon Yunus and Jason Macy gave this presentation with an overview of XML/Web services and how the usual security rules apply to this area.

Review of the problems with XML/Web services

Still have all the normal problems.

  • Firewalls are not aware of the xml content
  • Malware and viruses (or xss) can be included in the content depending on what context the xml data is used.
  • WSDL exposes the schema and message structure
  • Injection attacks are possible via the XML parameters
  • Data replay is still possible
  • Denial of service is still possible, especially with parameters

Cloudy with a chance of zero day

This was a presentation by Jon Rose and Tom Leavey of Trustwave. They started off with about 15 minutes worth of cloud background. The problems (and potential problems) they identified were:

  • Vendor lock in may come up since the Amazon cloud is somewhat different from writing for Google's App Engine which is different from...
  • Enterprise ready vs. experimental, meaning that most uses of the cloud right now are non-mission-critical.
  • Forensics in the cloud are somewhat harder to perform since you can't necessarily get the log files.

Drupal Security presentation slides from BADCamp

At the Bay Area Drupal Camp yesterday I presented on Drupal Security for site administrators and beginners which covered some of the important ways you can protect your site from attacks through configuration of Drupal core. Attached are the slides from the presentation.

Drupal Security webinar with Acquia roundup

This past Thursday several hundred folks joined me for a webinar about security in Drupal as part of the Acquia webinar series.

You can now download the Security in Drupal introduction slides which include the speaker's notes and watch the screencast itself:

Drupal text filtering decision cheat sheet

This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.

I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!

Syndicate content