1
00:00:00,460 --> 00:00:04,610
When you fail to protect your web applications, you put your users and

2
00:00:04,610 --> 00:00:06,590
your company at risk.

3
00:00:06,590 --> 00:00:08,490
In the early days of the Internet,

4
00:00:08,490 --> 00:00:12,040
security wasn't as big an issue as it is today.

5
00:00:12,040 --> 00:00:16,496
One of the earliest web application vulnerabilities was known as

6
00:00:16,496 --> 00:00:21,201
the Samy worm, and it was exploited by the now famous hacker Samy Kamkar.

7
00:00:21,201 --> 00:00:25,886
Back in 2005, the MySpace social network was thriving among people

8
00:00:25,886 --> 00:00:30,430
with the desire to connect and discover new ways of interacting online.

9
00:00:31,510 --> 00:00:34,590
Keep in mind, this was before Facebook was widespread and

10
00:00:34,590 --> 00:00:38,290
only a few years after the Internet really took off.

11
00:00:38,290 --> 00:00:43,025
Samy Kamkar discovered a way to use cross-site scripting, or

12
00:00:43,025 --> 00:00:45,091
XSS, to place the string

13
00:00:45,091 --> 00:00:49,109
"But most of all, Samy is my hero" in each user's profile and

14
00:00:49,109 --> 00:00:51,660
send Samy a friend request.

15
00:00:51,660 --> 00:00:57,750
Within 24 hours of the worm's start, over 1 million users had been affected and

16
00:00:57,750 --> 00:01:01,310
Samy had 1 million new MySpace friends.

17
00:01:01,310 --> 00:01:05,450
Essentially, Samy placed a block of code on his own page.

18
00:01:05,450 --> 00:01:07,800
And when anyone else viewed his page,

19
00:01:07,800 --> 00:01:13,230
they would also get that code placed onto their page via cross-site scripting.

20
00:01:13,230 --> 00:01:16,000
Then, when someone viewed that page,

21
00:01:16,000 --> 00:01:19,320
the code would be placed onto their page as well.

22
00:01:19,320 --> 00:01:22,440
Eventually, this spread to tens, and hundreds,

23
00:01:22,440 --> 00:01:26,110
and thousands of users' pages in a matter of hours.

24
00:01:27,200 --> 00:01:30,690
Via a seemingly harmless cross-site scripting attack,

25
00:01:30,690 --> 00:01:33,600
Samy took MySpace offline.

26
00:01:33,600 --> 00:01:37,590
The worm put an incredible load on the MySpace servers and

27
00:01:37,590 --> 00:01:39,840
millions of users were affected.

28
00:01:39,840 --> 00:01:44,340
Later that year, Samy was sentenced to three years' probation and other charges.

29
00:01:44,340 --> 00:01:46,685
But now, he's one of the most famous and

30
00:01:46,685 --> 00:01:49,480
well-respected security researchers on the planet.

31
00:01:50,540 --> 00:01:54,840
Unfortunately, the kinds of attacks and attackers out there today

32
00:01:54,840 --> 00:01:59,880
do far more harm than Samy did, and they are more advanced than ever before.

33
00:01:59,880 --> 00:02:03,882
They can wreak havoc on your website through hundreds of different and

34
00:02:03,882 --> 00:02:05,630
well-known exploits.

35
00:02:05,630 --> 00:02:09,470
It is up to everyone, the developer, technical manager, and

36
00:02:09,470 --> 00:02:13,010
product owner, to secure their software.

37
00:02:13,010 --> 00:02:17,630
Notable examples of web security flaws include a recent Facebook flaw

38
00:02:17,630 --> 00:02:20,770
where any user could post on any other user's profile.

39
00:02:21,920 --> 00:02:26,410
The researcher who discovered this flaw was actually ignored by Facebook.

40
00:02:26,410 --> 00:02:30,620
To prove his point, he decided to post on the wall of Mark Zuckerberg,

41
00:02:30,620 --> 00:02:32,680
the founder and CEO of Facebook.

42
00:02:33,805 --> 00:02:40,075
An even worse attack was the 2015 data breach on the Ashley Madison website.

43
00:02:40,075 --> 00:02:43,515
This site facilitated extramarital affairs.

44
00:02:43,515 --> 00:02:45,945
Millions of users' data were made public.

45
00:02:47,162 --> 00:02:50,892
Though the attack on Ashley Madison was not caused by a web security

46
00:02:50,892 --> 00:02:55,502
vulnerability, the passwords stolen were hashed poorly and

47
00:02:55,502 --> 00:02:58,972
could be cracked easily by programs available to anyone.

48
00:03:00,236 --> 00:03:04,776
Finally, an attack on Equifax discovered in July of 2017

49
00:03:04,776 --> 00:03:09,606
was caused by a web security vulnerability that allowed attackers to download

50
00:03:09,606 --> 00:03:13,366
files that they should not have been able to access.

51
00:03:13,366 --> 00:03:18,496
The Equifax attack exposed upwards of half of the US population's

52
00:03:18,496 --> 00:03:23,010
social security numbers, birth dates, credit card numbers and

53
00:03:23,010 --> 00:03:26,900
driver's license numbers to criminals who could use the data for

54
00:03:26,900 --> 00:03:29,620
massive financial fraud and identity theft.

55
00:03:30,760 --> 00:03:34,970
As you can see, when you fail to protect your web applications,

56
00:03:34,970 --> 00:03:39,750
not only can you ruin your own job, but you can ruin the lives of hundreds of

57
00:03:39,750 --> 00:03:45,470
millions of users financially, emotionally and psychologically.

58
00:03:45,470 --> 00:03:48,370
Security exploits are no longer as benign and

59
00:03:48,370 --> 00:03:53,220
innocent as acquiring one million online friends in less than 24 hours;

60
00:03:53,220 --> 00:03:56,740
they concern people's livelihoods and well-being.

61
00:03:56,740 --> 00:04:00,890
As a technical person, you are in charge of making sure that these things

62
00:04:00,890 --> 00:04:04,210
never happen to the services you build or maintain.