Defending web applications, particularly when they are running as a SaaS service or in multi-tenant hosted environments, is one of the hot topics for developers at the best of times, and certainly so this year as Cloud services start to penetrate deeper into the IT infrastructures of businesses.
Web security for developers
One of the experts in this field is Dr. Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute, who will be covering this very subject as part of a course the Institute is running in Stuttgart, Germany, in March. Places cost over $3,000 a seat, but there are, apparently, still a few available.
This will be the first time 'SANS DEV522: Defending Web Applications Security Essentials' has been run in the EMEA region and is intended for anyone tasked with implementing, managing, or protecting Web applications. As well as looking at new software development areas like Cloud and SaaS, it will also cover more immediate and common threats, such as SQL injections, in some detail.
The course is designed to help developers build and protect applications as outlined by the Open Web Application Security Project (OWASP) Top 10 list of risks, as well as evolving threats which are emerging as software moves into the cloud.
As a source of good information on best practice and guidance in web security, Dr. Ullrich points to the not-for-profit Cloud Security Alliance. This is also a good source for information on emerging industry standards and a checklist for developers to use when selecting a base platform.
One good practice Dr. Ullrich is likely to highlight during the course is tokenisation, a process that replaces sensitive data with a value that is not considered sensitive in the context of the environment. It is already being used to safely communicate credit card data over the web, and can also be used with randomisation techniques to strengthen applications that use shared, unencrypted data sources.
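As an added illustration of the tokenisation approach described above (example code written for this article, not material from the course or from Dr. Ullrich), the following minimal Python token vault replaces a card number with a random token that preserves only the last four digits for display. The vault class, its in-memory dictionaries and the Luhn rule for rejecting card-like tokens are assumptions of the example; in a real deployment the vault is the one separately secured component that can map a token back to the card.

```python
import secrets
from typing import Dict, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(token: str) -> str:
    """Display form: only the preserved last four digits are shown."""
    return "*" * (len(token) - 4) + token[-4:]


class TokenVault:
    """Constructed in-memory vault (hypothetical). In a real deployment this is
    the single, separately secured store holding the PAN-to-token mapping;
    every other component of the application only ever sees tokens."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a well-formed card number")
        if digits in self._pan_to_token:      # same card always maps to the same token
            return self._pan_to_token[digits]
        while True:
            # Body is random, not derived from the PAN, so a leaked token
            # reveals nothing about the card. Last four kept for receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject tokens that pass Luhn so a token can never be mistaken
            # for (or collide with) a real card number.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault itself (e.g. at payment time) performs this lookup."""
        return self._token_to_pan.get(token)
```

Because every token fails the Luhn check, a token that leaks from a shared or unencrypted data source is recognisably not a card number, and the randomised body means two records holding the same token reveal only that they refer to the same card, not which one.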
SANS Germany 2012 will take place at Arcotel Camino in Stuttgart from 5th to 10th March 2012. More information can be found at http://www.sans.org/germany-2012