Web 2.0 - love it or hate it, the technology driving the highly interactive web experience is in your browser and coming to your enterprise. Securing Web 2.0 requires extraordinary means due to the increased attack surface, a new breed of "Web 2.0 developers", and the increased visibility of sites and applications. Understanding the risks associated with Web 2.0 and beyond is essential to building "less risky" web applications into the next phase of the web. This talk focuses on how two prevalent technologies, AJAX and Adobe Flash, create the potential for catastrophic failure. Focus is given to understanding each technology's attack surface, its most common security failures, and the exploitation of common coding mistakes. This workshop-style walk-through of Web 2.0's ugly underbelly will give participants a deeper understanding of why security professionals are terrified of "highly interactive web technologies" and why we say that "everything old is new again".
Senior Security Consultant with Hewlett-Packard's Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs.