PINT CEO Thomas Powell Gives Presentation on Web App Security

June 13th, 2012

Today, PINT CEO Thomas Powell (@thomasapowell) presented at CommNexus's Security SIG event, "Securing the Enterprise: An In-Depth Look at Modern Day Cyber Attacks," along with Senior Channel Security Engineer Brian Anderson of Imperva. Thomas's presentation covered the current landscape of Web application security, including Web security myths and the ways in which many common sites and Web apps contain security flaws.

Key notes from the presentation:

Many Ways to Hack
There are lots of methods to hack and ways to be hacked (see: OWASP Top 10). SQL injection and cross site scripting are two of the most prominent, but it usually comes down to not protecting inputs and sensitive data adequately.

Bad People Exist
Bad people exist on the Internet; after all, the Internet is the real world. However, there is a perception that the Internet is a free, open, and safe place. This is false: people commit crimes on the Internet in the same ways they do in the real world.

Why Hack?
There are many reasons people hack sites.  Some do it for fun by defacing sites or adding fake articles.  Some do it for money; there is a lot of money out there to be made on the black market.  Some people are hacktivists, and hack for a cause.

Malicious Traffic is Everywhere
Hacking bots are constantly poking sites to try to find weaknesses to get in.  However, bots and hackers don’t run JavaScript when they visit a site.  What does this mean?  It means they won’t show up in Google Analytics (or many other analytics platforms), rendering this malicious traffic effectively invisible – unless you look for it in log files.
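One way to surface that invisible traffic is to read the server's own access log and look for clients that request pages but never load the analytics tag that a JavaScript-running browser would fetch. The following is an added example, not code from the presentation or from PINT; the analytics script path and the log lines are constructed for illustration (a real site would use its vendor's tag URL).

```python
import re
from collections import defaultdict

# Hypothetical path of the site's analytics tag (assumption for this example).
ANALYTICS_SCRIPT = "/js/analytics.js"

# Apache/Nginx "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Static assets that a page view pulls in; anything else counts as a page/endpoint hit.
STATIC_RE = re.compile(r"\.(js|css|png|jpg|gif|ico|woff2?)$")

# Constructed sample log: one real browser and two non-browser clients.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jun/2012:09:12:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"',
    '198.51.100.7 - - [13/Jun/2012:09:12:01 -0700] "GET /js/analytics.js HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"',
    '198.51.100.7 - - [13/Jun/2012:09:12:40 -0700] "GET /about HTTP/1.1" 200 4010 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"',
    '203.0.113.9 - - [13/Jun/2012:09:13:02 -0700] "GET /admin HTTP/1.1" 404 231 "-" "python-requests/0.13"',
    '203.0.113.9 - - [13/Jun/2012:09:13:02 -0700] "GET /wp-login.php HTTP/1.1" 404 231 "-" "python-requests/0.13"',
    '203.0.113.9 - - [13/Jun/2012:09:13:03 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 231 "-" "python-requests/0.13"',
    '203.0.113.10 - - [13/Jun/2012:09:14:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "curl/7.26.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_invisible_clients(lines, min_pages=2):
    """Group requests by client IP and report clients that fetched at least
    min_pages page/endpoint URLs but never loaded the analytics script.
    Such clients never ran the page's JavaScript, so they are absent from
    JavaScript-based analytics and the log is the only place they appear.
    Returns {ip: {"pages": count, "paths": [...], "agent": user_agent}}."""
    per_ip = defaultdict(lambda: {"pages": 0, "script": False, "paths": [], "agent": ""})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        entry = per_ip[rec["ip"]]
        entry["agent"] = rec["agent"]
        path = rec["path"].split("?", 1)[0]
        if path == ANALYTICS_SCRIPT:
            entry["script"] = True
        elif not STATIC_RE.search(path):
            entry["pages"] += 1
            entry["paths"].append(path)
    return {
        ip: {"pages": e["pages"], "paths": e["paths"], "agent": e["agent"]}
        for ip, e in per_ip.items()
        if e["pages"] >= min_pages and not e["script"]
    }


if __name__ == "__main__":
    for ip, info in find_invisible_clients(SAMPLE_LOG).items():
        print(ip, info["agent"], info["pages"], "page hits:", ", ".join(info["paths"]))
```

Run against the sample, the browser client drops out because it loaded the analytics script, the single-request `curl` client is below the page threshold, and only the scanner-like client with three page hits and no script load is reported. The same function works on a real access log read line by line, with `ANALYTICS_SCRIPT` set to whatever tag URL the site actually serves.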

Never Trust Inputs
Trusting user inputs is dangerous. Allowing users to input anything into your fields is an easy way to get hacked and can lead to attacks like SQL injection or cross site scripting.
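To make the two named attacks concrete, here is an added example (not code from the presentation) that shows the same lookup written the trusting way and the safe way, plus the same HTML rendering with and without output escaping. The in-memory `users` table and the inputs are constructed for the example; the fix in each case is the same idea, input is data, never code.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Trusts the input: it is pasted into the SQL text, so quotes and
    operators in the input become part of the query itself."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds the input as a value, so the
    query structure cannot be changed by anything the user types."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Trusts the input: markup in the name is emitted as live HTML."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_safe(name):
    """Escapes the input for its output context so the browser shows it as text."""
    return "<p>Hello, %s!</p>" % html.escape(name)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # classic SQL injection probe
    print("unsafe:", lookup_unsafe(db, tautology))   # returns every row
    print("safe:  ", lookup_safe(db, tautology))     # returns nothing
    markup = "<script>evil()</script>"
    print(render_greeting_unsafe(markup))
    print(render_greeting_safe(markup))
```

The unsafe lookup returns both rows for the tautology input because the quote in the input closes the string literal and the rest is evaluated as SQL; the parameterized version returns no rows because no user is literally named `' OR '1'='1`. Likewise the escaped greeting turns `<` and `>` into `&lt;` and `&gt;`, so the script tag is displayed rather than executed.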

An Issue of Trust
There are trust relationship issues with users online.  Users are typically trusted too much to not do bad things, but in reality users should only be allowed to do what they absolutely need to do – nothing more.

A Human Problem
Many think that Web security is a technical problem created by the existence of advanced Web apps. The truth is, though, that Web security is a human problem. All the security in the world won't protect your system from a user who reuses his or her company password as a LinkedIn password, or who browses private documents over public WiFi networks.

It’s a Mindset
Many believe that Web security is a feature that you can purchase from a security vendor. Security is really a mindset, not a feature. It is something that needs to be practiced every day through ongoing updates, testing, and review of security policies. When a change is made to an app or a system, its security needs to be revisited.

Web Security as a Corrective Action
Oftentimes Web App Firewalls are deployed as a corrective action for vulnerabilities that were created during the development process. The need for corrective action can be avoided through stronger and more secure Web development practices, which will ultimately yield more secure Web apps.


EvoNexus – A CommNexus Incubator
Prior to the security talk, we learned about the CommNexus community-supported, pro-bono incubator program, EvoNexus, which has recently linked up with Qualcomm to provide even more growth and opportunity for area startups.
A few EvoNexus statistics to date:

  • $82M in total venture funding raised by companies
  • 22 companies currently incubating
  • 6 successful graduates to date
  • 300+ jobs created

Thanks to Imperva and Knobbe Martens for sponsoring the event!