Your Web Stack Would Betray You In An Instant

Securely setting up a web stack security today is a tricky balancing act, as you gingerly balance frameworks and services and tools all atop one another, ever higher, to get all mod cons happily running together safely and correctly. One web stack security flaw though, and the whole pile tumbles down on you to throw your customer passwords to the world.
In this talk we take a stroll down a huge variety of tools in a modern web stack, across a selection of languages and platforms, and examine some recent major security breakages in each layer to see how they work and why. With any luck we can work out how to avoid this sort of thing in future too, when either using or building such tools, but if all else fails we can at least relax from all the careful balancing with a little schadenfreude.

Audience Learnings

Common security failings you should watch out for when developing your own applications or libraries, and a selection of practices to help limit the risk you’ll be hurt by other’s failures to watch out for those.

Structure

• Introduction
• Detailed discussion of a vulnerability at each level of the web stack (Rails, PHP, Apache, Postgres)
• Discussion on how they could’ve been avoided within the tool
• Suggestions for practices to minimize your risk from such problems in other’s toolsSpecific vulnerabilities
• Closing

Prerequisites

Very few, this will be generally applicable to most software developers with at least a year of experience or so, and should be mostly followable even to people with substantially less (although probably not as useful).

More specifically, it would be good to have some general knowledge of programming, a basic awareness of common components of a web stack and how they relate (a web framework, a language, a webserver, a DB, etc), and some high-level knowledge of HTTP.