Joe Basirico

Vice President, Security Services

HTML 5 Security

• What is HTML 5.0?
  o New features
• HTML &  Security
  o Cross Origin Resource Sharing (CORS)
  o Local Client Storage
  o Local Storage
  o WebSQL
  o New tags and attributes
  o Web Workers
  o Sandboxing iframes
  o GeoLocation
  o Optional content – would be included in a training session
• Cross Document Messaging
• WebGL
• Desktop Notifications
• SVG and new formats
• Speech input mechanisms
• Web Sockets
• Cross Origin Resource Sharing (CORS)
  o CODE EXAMPLE:  header injection
  o Cross domain restrictions
  o Header injections 
  o Cross and distinct-origin security
• Content Security Policy
  o Unobtrusive Javascript
• Web Storage & WebSQL
  o Web Storage (key-value pair)
• localStorage
 and sessionStorage
• Increased attack surface
• Privacy concerns
• Risk of cross-directory attacks and client side SQL injection
  o Web SQL
• CODE EXAMPLE: exploiting WebSQL
• New Tags and Attributes
  o Automatic client-side validation
  o Native controls in the browser
  o Event attributes for JavaScript injection
  o Increased risk of new browser bugs
  o New form functionality and security implications
• CODE EXAMPLE:  new form code
  o New input types and security implications
  o New event attributes and security implications
• Javascript injection targets
• CODE EXAMPLE: Javascript injection via onerror or other events within new tags
• Web Workers
  o How new JavaScript functionality makes exploiting easier
  o Exposure to race conditions in browser
  o Creates platform for
• DDoS attacks
• Botnets
• Reverse Shells
• Distributed Rainbow Tables
• GeoLocation
  o Threat of personal information leakage breaks
  o Threats & attacks
• User tracking
• Physical movement tracking
• User correlation across domain
  o Countermeasures
• Sandboxing iFrames
  o Enables extra restrictions on content hosted by the iframe
  o Being careful with REMOVE restrictions

  

Bio:

Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to direct the security consulting team in the delivery of high-­‐quality, impactful risk assessment and remediation solutions to the company’s customers. His ability to blend deep technical skills with risk-­‐based business and compliance analysis are a powerful combination; and, his unwavering commitment to customer satisfaction makes him an invaluable asset for each Security Innovation client with whom he works.

Joe has spent most the majority of his professional career analyzing application behavior with respect to security. He has researched how software development organizations mature over time from a security perspective. Through this research, he has developed an understanding of application threats, tools, and methodologies that assist in the discovery and removal of security problems both software-­‐ and process-­‐ related. To keep his technical skills honed, Joe participates in SDLC process assessments and security engineering activities such as security design and code reviews, threat modeling, and application penetration testing on a regular basis. He also is an active trainer and mentor for select client accounts.

Joe has evolved a keen understanding of software security root cause analysis in his 9+ years with Security Innovation. His application risk acumen, coupled with his hands-­‐on experience analyzing a plethora of commercial software, makes him a trusted advisor and is a “go to” resource for specialized training and critical consulting services. He has worked on projects directly for Microsoft, Amazon.com, Symantec, OWASP, HP, US Courts, Sears, and others during his tenure with the company.
Joe is an active member in the security community, having contributed methodologies, technology, and training. He manages the company’s engineering blog and has written several publications that focus on source code level vulnerabilities. Joe holds a B.S in Computer Science from Montana State University.