MatSays

IE10 Platform Preview 4 features CORS

Nice…after many years of trying to get coding students to understand why one can’t directly access cross-domain resources, and Web security students to understand its implications, the fourth IE10 Platform Preview features, amongst other things, support for CORS (cross-origin resource sharing).  The full highlight list of HTML5-affected updates to IE can be found here, but I am particularly gung-ho for the CORS and the video text captioning (which was always difficult in the past).  It’s not that CORS wasn’t available in other browsers, particularly assisted by its inclusion in the recent jQuery builds, but at least this sets the stage for better cross-browser compatibility in HTML5 applications.

Here’s a post on MSDN by Rob Mauceri with more details…

Learning Web Security – Teaching XSS

This coming week I begin a series in INF400 Web Security on a group of attack vectors that work hand in hand – XSS, XSRF, hidden manipulation and parameter tampering (then following it up with SQL injection). It’s pretty easy to demonstrate all these, but the tough part comes with explaining how the attacker looks at potential vulnerabilities when the student does not have much experience with HTML or JavaScript.

Trying to make sure we get through all of the course material, I figure I have just about 4 hours to do a fast script review and then demonstrate it.  I’ve put together 4 short demos that will hopefully show how the four vectors get exposed, how the attacker finds the vulnerability and then exploits it – a simple forum post, a simple chat, an (online) shopping cart and a social network community wall.  What do you think – any ideas on how to approach the lecture(s) and get the most across?

Teaching Web Security Topics

In teaching a class on Web Security (UNLV’s INF400 Special Topics in Informatics: Web Security), I spend a lot of time just trying to determine what topics I can cover. Despite a seemingly long semester – some 16 weeks – it is sometimes surprising how little one can actually cover in 40 hours of instruction.

It occurred to me in reviewing my notes from the time I taught it in the Spring (2010) that I ended up having to cover an inordinately large amount of basic background material. As I progress through piecing together the syllabus, I am finding myself looking for ways to streamline the ramping-up process so we can get to the meat of it quicker.

For example, take basic XSS (cross-site scripting) – just to even approach the topic, I have to consider that the student has a basic knowledge of the HTTP protocol (including headers, methods and responses), an understanding of the browser’s isolation mechanisms (sandboxing and the same-origin policy), a relatively good understanding of JavaScript (and HTML for that matter), and the willingness to spend time practicing and failing without getting frustrated. Or take SQL injection: the student needs a good understanding of the protocol, idempotency, RDBMS structures and the differences between engines, the structured query language itself, and an understanding of the pass-through language (PHP, ASP, etc.) along with how the forms interact and where lax validation and scrubbing might occur.


Example XSS attack on ads.youtube.com (screen by Stephen Sclafani)

So I end up spending some 2-3 hours (which isn’t sufficient in the first place) just reaching the point that I can have a reasonable and engaging discussion about the dangers of XSS. And another 2-3 to do SQL injection. Add on top of that cross-site request forgery, sidejacking, digital rights management, rogue CAs, web server exploits, caching breaches, DoS and DDoS, parameter pollution and more, and suddenly the 40 hours is gone very quickly.

I am also adamant that in a Web security course students must have hands-on labs performing some hacking. In my experience, providing a platform for students to see and experience what a hacker’s eyes see changes the perspective, giving them tools to think like the predator and seek better protection. Many of these students leave with a cognate in Cybersecurity (since UNLV’s now eliminated Informatics program is still an NSA Center for Academic Excellence – CAE – in cyber security).

My point is simply that there needs to be more. Students in any computer science, informatics, HCI, UX, web design, MIS or similar program should be required to take a course in Web Security and preferably more than one, simply because the material is so vast and quickly becoming more pronounced as the Web becomes increasingly part of the fabric of everyday life.

According to privacyrights.org’s chronology of data breaches, there were 342 million “records” breached from 2005-2009 alone.  In 2010, another 167 million; this means 2010 alone had nearly 50% of the total for the preceding five years – we’re almost reaching a geometric increase in such breaches.  Of course this figure isn’t limited to records stolen through Web sources, but as data becomes increasingly available online and privacy protections remain only partial, the Web is sure to add to it.

There is a prevailing need for more skilled workers with a good understanding of cyber- and web security, as much as the need for general public awareness.  Just as computers and the Internet have become ubiquitous, so has the need for security in them.

Clear and Effective Communication in Web Design

[by Steven Snell at Smashing Magazine]

Communication is one of the foundational elements of a good website. It is essential for a positive user experience and for a successful website that truly benefits its owners. All types of websites are affected by the need for good communication in one way or another. Regardless of whether the website in question is an e-commerce website, a blog, a portfolio website, an information website for a service company, a government website or any other type of website, there is a significant need to communicate effectively with visitors.

Because of the significance of communication with visitors, it is an essential consideration for every designer and website owner and the responsibility of both. Unfortunately, communication is sometimes overlooked and takes a backseat to the visual attractiveness of a website. Ideally, the design and other elements that do the communicating work together to create a clear, unified message to visitors.


In this article, we’ll take a broad look at the subject of clear communication in Web design. We’ll start with a discussion of the primary methods of communication for websites and typical challenges that designers face. From there, we’ll move on to look at what specifically should be communicated to visitors and tips for implementing this in your own work. At the end, we’ll look at some of the goals that should be established in terms of communication when developing websites, as well as some of the results of having a website that communicates effectively.

[read the entire article at Smashing Magazine]