We are going to discuss what could happen if you fail to adequately protect your websites, apps, services, and APIs, and why entire companies have gone out of business and countries have gone offline due to improper security controls.
- Cross-Site Scripting (XSS): a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- Samy Worm: An XSS worm, written by the now well-known security researcher Samy Kamkar, that spread throughout MySpace in the mid-2000s.
- More about XSS - Cross-site Scripting (XSS)
- Technical explanation of Samy Worm, or JS.Spacehero worm, from Samy Kamkar
- Links to details and story from Samy Kamkar on Samy Worm
- World's Biggest Data Breaches visualization
- Ashley Madison Hack, by Dan Goodin
- The hacker who broke into Mark Zuckerberg's Facebook page will get a $12,000 reward from online donors, by Joshua Gardner and Hayley Peterson
- KrebsOnSecurity on Equifax by Brian Krebs
- Equifax data breach: What you need to know by Kaya Yurieff
When you fail to protect your web applications, you put your users and your company at risk. In the early days of the Internet, security wasn't as big an issue as it is today. One of the earliest web application vulnerabilities was known as the Samy worm, and it was exploited by the now famous hacker Samy Kamkar. Back in 2005, the MySpace social network was thriving among people with the desire to connect and discover new ways of interacting online. Keep in mind, this was before Facebook was widespread and only a few years after the Internet really took off. Samy Kamkar discovered a way to use cross-site scripting, or XSS, to place the string "but most of all, Samy is my hero" in each user's profile and send Samy a friend request. Within 24 hours of the worm's start, over 1 million users had been affected and Samy had 1 million new MySpace friends.

Essentially, Samy placed a block of code on his own page. And when anyone else viewed his page, they would also get that code placed onto their page via cross-site scripting. Then, when someone viewed that page, the code would be placed onto their page as well. Eventually, this spread to tens, and hundreds, and thousands of users' pages in a matter of hours. Via a seemingly harmless cross-site scripting attack, Samy took MySpace offline. The worm put an incredible load on the MySpace servers and millions of users were affected. Later that year, Samy was sentenced to three years' probation and other charges. But now, he's one of the most famous and well-respected security researchers on the planet. Unfortunately, the kinds of attacks and attackers out there today do far more harm than Samy did, and they are more advanced than ever before. They can wreak havoc on your website through hundreds of different and well-known exploits.
It is up to everyone, the developer, technical manager, and product owner, to secure their software. Notable examples of web security flaws include a recent Facebook flaw where any user could post on any other user's profile. The researcher who discovered this flaw was actually ignored by Facebook. To prove his point, he decided to post on the wall of Mark Zuckerberg, the founder and CEO of Facebook. An even worse attack was the 2015 data breach on the Ashley Madison website. This site facilitated extramarital affairs. Millions of users' data were made public. Though the attack on Ashley Madison was not caused by a web security vulnerability, the passwords stolen were hashed poorly and could be cracked easily by programs available to anyone. Finally, an attack on Equifax discovered in July of 2017 was caused by a web security vulnerability that allowed attackers to download files that they should not have been able to access. The Equifax attack exposed upwards of half of the US population's social security numbers, birth dates, credit card numbers and driver's license numbers to criminals who could use the data for massive financial fraud and identity theft.

As you can see, when you fail to protect your web applications, not only can you ruin your own job, but you can ruin the lives of hundreds of millions of users financially, emotionally and psychologically. Security exploits are no longer as benign and innocent as acquiring one million online friends in less than 24 hours; they concern people's livelihoods and well-being. As a technical person, you are in charge of making sure that these things never happen to the services you build or maintain.