12/14/2006 Application Security Predictions of 2007
Ok, I know I'm a little early, but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them; however, read them over and give them some thought. - Robert (admin@cgisecurity.com)

Rich Internet Applications (RIA) .net 3.0 WPF and Adobe Flex

The next big buzzword is going to be Rich Internet Applications (RIA), whether you like it or not. We haven't seen the end of thick client-side applications, as Microsoft (WPF in .NET 3.0), Mozilla (XUL) and Adobe (Flex) are going to show us. These RIA applications are going to change the way we use the web, there's no doubt, and I'm not just jumping on the hype wagon early. Users will begin to see these applications appear, get used to them and, to some extent, expect them. RIA is the next AJAX (double meaning implied :).

XSS, Phishing and Worms will continue

Cross site scripting isn't going away; as a matter of fact, it is only becoming more and more useful to attackers. Worms crossing over to handheld devices wouldn't be surprising. Even worms borrowing CPU cycles to perform a task, in a similar fashion to applications like SETI and distributed.net, wouldn't be too surprising. Attacks on larger communities involving banking transactions, combining phishing and XSS with CSRF, will begin, which is a nice segue to my next prediction.

Cross Site Request Forgery Will Emerge

CSRF is in its infancy and is now where XSS was 4 years ago. The power of Cross Site Request Forgery will become apparent once the first site exploited for financial gain reaches the media. Once money theft becomes involved, expect regulatory changes, including possible compliance guideline changes. Frankly, I'm beyond surprised that a web worm hasn't taken advantage of this already.
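The server-side check that blunts the attack described above, added here as an illustration and not code from the original post: a per-session synchronizer token compared in constant time, backed by an Origin/Referer check. The application origin https://bank.example and the session, header and form dicts are constructed stand-ins for a real framework's objects.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed for this example).
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session: dict) -> str:
    """Create a per-session secret token and keep it server-side.
    The token is embedded in the site's own forms; a forged cross-site
    request cannot read it, so it cannot reproduce it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers: dict) -> Optional[str]:
    """Origin of the requester: prefer the Origin header, fall back to the
    scheme+host of Referer. Returns None when neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(session: dict, headers: dict, form: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request such as a funds
    transfer. The token is the primary control; the origin check is a second
    layer that also rejects requests arriving with neither header."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: avoids timing leaks and the
    # TypeError compare_digest raises on non-ASCII str input.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or mismatched csrf token"
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, f"unexpected origin {origin!r}"
    return True, "ok"
```

A request carrying the session's token from the site's own origin passes; a request triggered from another site (no token, or a foreign Referer) is refused before the transfer handler runs.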

Web Feed Exploits

I gave a talk last year at Black Hat about RSS and Atom feed vulnerabilities and included it in my list of 2006 predictions (so I had a little inside knowledge, big whoop :). Since that talk, multiple advisories have been published, and people are slowly starting to catch on to the things that you can do with web feeds, including how they are used. Expect more from this area, as well as a potential worm.

The Browser History Theft Business

As I discussed previously, it is possible for a marketer/attacker/person to identify which websites you've visited, how you got there, and which pages you visited on that website by exploiting functionality in CSS. This can be used by phishers to see which sites you frequent, to identify which website they should be phishing next. Expect to hear more about this in the upcoming year. Read this post for more information on what can be done.

Last Year's Predictions: 12/31/2005 Application Security Predictions For The Year 2006