Strategy: Browser Security

Ely, Adam | 07/30/10

High Noon: The Browser as Attack Vector

The browser has been a hot topic in security discussions for 10-plus years, since Web applications became popular during the first dot-com boom. Back then, concerns mainly focused on the applications themselves. But beginning with the Web 2.0 boom and accelerating with today’s popular SaaS model, new attack techniques are exploiting browser flaws and leading to the compromise of user applications, systems, networks and ultimately data.

The rise of these threats accompanied use of new languages, such as Ajax, and the extension and increased use of existing technologies like JavaScript and Flash. Attention to Web applications in turn drew into question the security of popular browsers. Attackers began to examine flaws and build exploits to trick users into visiting fake or compromised sites and opening malicious files.

The reality is, content and applications are now consumed from outside the company firewall and from remote systems. In our recent InformationWeek Analytics cloud surveys, SaaS providers like Salesforce.com and NetSuite are by far the top choice of respondents.

There’s no going backwards. Attackers have myriad ways to compromise users and systems and attempt to penetrate the internal network. IT organizations are left in the difficult position of trying to protect their organizations while being denied control over the application interface. Here’s what you need to know about browser security. (S1530810)

Table of Contents

    Author’s Bio
    Executive Summary
    Insecurity as a Service?
    Figure 1: Types of Cloud Providers in Use: Strategic IT Management
    Browser Blitzkrieg
    Figure 2: Drivers for Monitoring Employee Activity
    En Garde
    Figure 3: Anatomy of a Mass SQL Injection Attack
    Call in the Big Guns
    Figure 4: Web 2.0 Protection Methods
    Ignorance Kills
    Which Browser to Pick? You Mean We Have a Choice?

About the Author

Research: Software Protection

Adam Ely is director of security for TiVo. As an InformationWeek Reports contributor, he has authored multiple research reports on data and code security. He previously led a software development group at Walt Disney Co., where he implemented secure coding standards and source code analysis processes.

Adam gained extensive experience with enterprise and cloud security while supporting applications and services for clients such as AmEx, Citi and Expedia as manager of information security with TRX. He has published numerous security vulnerabilities and papers and conducts security research with leading firms to advance threat analysis and protections.

Adam currently serves as a member of the Journal Editorial Review Committee for ISACA and sits on the advisory board for an information security consulting firm. Adam has released numerous application vulnerability advisories, authored and contributed to open source security applications, and is the co-author of the Center for Internet Security Tomcat Benchmark.

He holds an MBA from Florida State University; a BS in information technology from Capella University; and multiple certifications, including CISSP, CISA, NSA IAM and MCSE.

Related Reports

Strategy: Malware War

The stakes have never been higher in the fight for control of corporate and consumer devices, as security labs work ’round the clock to analyze malicious code and the bad guys design ingenious new ways to one-up them. This report covers the key methods malware writers use to thwart analysis and evade detection.
