19 May 2009

Can An Accessible Web Application Be Secure?

"Can An Accessible Web Application Be Secure" was the title of my presentation at OWASP AppSec EU09 last week in Kraków, Poland.

Photo montage of computer (spelt komputery in Polish) shops, shop signs and adverts for Polish websites

Kraków is a beautiful, friendly and safe city, and was an excellent location for the well-organised conference which attracted delegates from all over Europe. The Open Web Application Security Project (OWASP) has the best resources, documents and tools on web application security, and it's all freely available, under an open source licence. All the presentation slides are now uploaded to the conference website for 13th May and 14th May, and video recordings will be added in due course. Most of the speakers were also interviewed for the OWASP Podcast.

Top left corner of the presentation template slide - the full presentation's URL is provided below

In my presentation I discuss how compliance requirements can lead to additional complexity and thus an increased likelihood of vulnerabilities. I focus on accessibility, which has become an accepted part of many web site and web application development projects, especially those aimed at consumers or that belong to governmental organisations. The key standard in this area is the Web Content Accessibility Guidelines 2.0 (WCAG 2.0), which became a W3C recommendation in December 2008. I identify eight classes of security issues that people involved with specification, design and verification should be aware of, and in particular I examine 'alternative forms of CAPTCHA', 'flexible session timeouts' and 're-authentication recovery'. In conclusion, accessible web applications can be secure, but accessibility adds complexity to the problem of securing the application.
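As an added illustration of the 'flexible session timeouts' issue named above (example code written for this post, not taken from the presentation or from OWASP material): WCAG 2.0's "Timing Adjustable" criterion asks that users be able to extend a session before it expires, and the security complexity is that an unbounded extension turns a short idle timeout into an effectively permanent session. The policy below is a constructed one; the extension count, extension length and absolute lifetime are assumed values, and the point is that the server enforces the cap regardless of how many times the client asks.

```python
from dataclasses import dataclass


@dataclass
class SessionTimeoutPolicy:
    """Assumed policy values; a real deployment would tune these."""
    idle_timeout: int = 20 * 60        # seconds before an untouched session expires
    extension_length: int = 20 * 60    # how much one user-requested extension adds
    max_extensions: int = 10           # how many times a user may extend
    absolute_lifetime: int = 8 * 3600  # hard cap measured from session creation


@dataclass
class Session:
    created_at: float
    expires_at: float
    extensions_used: int = 0


def new_session(policy: SessionTimeoutPolicy, now: float) -> Session:
    """Start a session whose first expiry is the plain idle timeout."""
    return Session(created_at=now, expires_at=now + policy.idle_timeout)


def is_expired(session: Session, now: float) -> bool:
    return now >= session.expires_at


def extend_session(policy: SessionTimeoutPolicy, session: Session, now: float) -> bool:
    """Handle a user's 'keep me signed in' request from the timeout warning.

    Returns True if the session was extended. The server, not the browser
    prompt, decides: an expired session cannot be revived, the number of
    extensions is capped, and no extension may push the expiry past the
    absolute lifetime fixed at creation time.
    """
    if is_expired(session, now):
        return False
    if session.extensions_used >= policy.max_extensions:
        return False
    hard_limit = session.created_at + policy.absolute_lifetime
    proposed = now + policy.extension_length
    if proposed <= session.expires_at:
        # Nothing to gain; do not burn an extension for a no-op.
        return False
    session.expires_at = min(proposed, hard_limit)
    session.extensions_used += 1
    return True


if __name__ == "__main__":
    # Constructed walk-through with small numbers so the cap is visible.
    policy = SessionTimeoutPolicy(idle_timeout=600, extension_length=600,
                                  max_extensions=2, absolute_lifetime=1500)
    s = new_session(policy, now=0.0)
    print(extend_session(policy, s, now=500.0), s.expires_at)   # True 1100.0
    print(extend_session(policy, s, now=1000.0), s.expires_at)  # True 1500.0 (capped)
    print(extend_session(policy, s, now=1200.0), s.expires_at)  # False, extensions exhausted
```

The design choice worth noting is that the accessibility requirement is met by the client-side warning and the extension request, while the security requirement is met entirely by the server-side counters: the absolute lifetime is fixed when the session is created, so a script that repeatedly posts extension requests gains nothing beyond what the policy already allows.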

The presentation slides and additional resources are available on the OWASP web site:

See also my related posts on Security Implications of WCAG 2.0 and What's the Scope for Accessibility Testing?

Reminder: The OWASP London chapter meeting is this Thursday (21st May). It's free to attend, but prior registration is required for access to the venue (see the previous link for details).

Update 21st May 2009: Matt Tesauro, leader for the OWASP Live CD Project, has kindly given my presentation his "winner of my unexpected security problem of the conference" award in his posting Talks of Interest - Some Personal Notables from AppSecEU 2009 on the new AppSecLive.org blog.

Update 5th June 2009: The presentation video is now available on owasp.blip.tv.

Posted on: 19 May 2009 at 08:40 hrs

http://www.clerkendweller.com/2009/5/19/Can-An-Accessible-Web-Application-Be-Secure