Techniques and Tools for Engineering Secure Web Applications

Video Link: https://www.youtube.com/watch?v=GVNTKwHnftY



Duration: 1:00:09


Web applications enable much of today's online business including banking, shopping, university admissions, and various governmental activities. Anyone with a web browser can access them, and the data they manage typically has significant value both to the users and to the service providers. Cross-site scripting (XSS) and SQL injection are classes of attacks in which an attacker interacts with a client or database, respectively, through vulnerabilities in the server, thereby gaining the trust level of the server. These classes of attacks are pervasive: since 2005, they have been the most frequently reported classes of vulnerabilities. These vulnerabilities arise because web applications' layers (client, server, and database) communicate via unstructured strings, and validating untrusted input for use in these commands is error-prone and introduces a challenging software engineering problem. In this talk, I will present a general characterization of these classes of input validation-based errors and a set of dynamic and static techniques to detect and prevent XSS and SQL injection attacks. Programmers usually do not specify their intentions explicitly regarding SQL query construction, but I will show how we can use principled techniques to characterize programmer intentions. We can then prevent attack queries from being sent to the database with a low-overhead, runtime check that precisely distinguishes legitimate queries from attacks. In order to help find bugs early in the software development process, I also pursued static analysis, and I will describe a sound and precise analysis that scales to large, real-world web applications and found known and unknown SQL injection vulnerabilities. I will further present how we extended this static analysis to the related but more difficult problem of XSS. I will conclude this talk by discussing future challenges in this domain.
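The kind of runtime check the abstract describes, as an added illustration (this is not code from the talk or from the speaker's tools): untrusted substrings are bracketed with marker characters at the moment the query string is built, the finished string is lexed, and the query is allowed only if each marked region lexes as exactly one literal token. Anything else (several tokens, a keyword or identifier, a stray quote the lexer cannot place) means the input changed the query structure the programmer wrote, which is what an injection is. The toy lexer, the private-use-character marker scheme, the `users` table and all function names are assumptions made for this example, and only the simplest policy (an untrusted value may be a string or numeric literal) is enforced. The parameterized query at the end is what a practitioner should write instead of the concatenating `build_query`.

```python
import re
import sqlite3

# Private-use code points bracket every untrusted substring at the point it is
# spliced into the query (a hypothetical taint-marker scheme for this example).
LMARK, RMARK = "\ue000", "\ue001"


def mark(untrusted: str) -> str:
    """Bracket an untrusted value, first stripping any markers the caller sent."""
    return LMARK + untrusted.replace(LMARK, "").replace(RMARK, "") + RMARK


def build_query(username: str, max_id: str) -> str:
    """The vulnerable pattern: string concatenation, with the untrusted parts marked."""
    return ("SELECT id, name FROM users WHERE name = '" + mark(username)
            + "' AND id <= " + mark(max_id))


# Toy SQL lexer.  Markers are ordinary characters inside a string literal, so a
# literal that wholly contains an untrusted value lexes as a single token.
_TOKEN = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_]\w*)"
    r"|(?P<op>[=<>!]+|[(),;*.])"
    r"|(?P<ws>\s+)"
    r"|(?P<marker>[\ue000\ue001])"
    r"|(?P<other>.)"  # anything the lexer does not understand, e.g. a stray quote
)


def tokenize(marked_query: str):
    """Yield (kind, start, end) for every token of the marked query."""
    for m in _TOKEN.finditer(marked_query):
        yield m.lastgroup, m.start(), m.end()


def check_query(marked_query: str) -> bool:
    """Allow the query only if every untrusted region is exactly one literal token.

    Several tokens, an identifier/keyword, or a lexer error all mean the input
    altered the query's syntactic structure, so the check fails closed.
    """
    tokens = [t for t in tokenize(marked_query) if t[0] not in ("ws", "marker")]
    if any(kind == "other" for kind, _, _ in tokens):
        return False
    lefts = [i for i, ch in enumerate(marked_query) if ch == LMARK]
    rights = [i for i, ch in enumerate(marked_query) if ch == RMARK]
    if len(lefts) != len(rights):
        return False
    for lo, hi in zip(lefts, rights):
        if hi < lo:
            return False
        # Every token that overlaps the marked region [lo, hi], markers included.
        covering = [kind for kind, s, e in tokens if s <= hi and e > lo]
        if covering not in (["string"], ["number"]):
            return False
    return True


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn


def safe_lookup(conn: sqlite3.Connection, username: str, max_id: str):
    """The preferred fix: bound parameters never reach the SQL parser as text.

    int() also rejects a non-numeric max_id outright instead of interpolating it.
    """
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND id <= ?",
        (username, int(max_id)),
    ).fetchall()


if __name__ == "__main__":
    for user, mid in [("alice", "10"), ("' OR '1'='1", "10"), ("alice", "10 OR 1=1")]:
        q = build_query(user, mid)
        shown = q.replace(LMARK, "[").replace(RMARK, "]")
        print("ALLOW" if check_query(q) else "BLOCK", shown)
    print(safe_lookup(make_sample_db(), "O'Brien", "10"))
```

Note what the check does and does not do: `O'Brien` is blocked by `check_query` because the unescaped quote terminates the literal early, which is correct for the concatenated query (it would be a syntax error or worse), and the same name is returned correctly by `safe_lookup`, where the value is bound rather than spliced into the text. A real deployment would attach the markers inside the language runtime or database driver rather than asking programmers to call `mark` by hand.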




Published (Microsoft Research channel): 2016-09-06


