This document summarizes a presentation on the dangers of HTML5. It discusses how HTML5 introduces new capabilities like graphics, audio, video, drag and drop and geolocation but also brings new vulnerabilities. It recommends that enterprises assess the risks of HTML5 and apply appropriate security measures to sensitive applications. The presentation covers HTML5's new capabilities and input validation features, as well as new tricks that could empower common threats and fulfill hackers' dreams. It promotes the company's security products and services to help mitigate HTML5 risks.
CTO Talk: HTML5, a clear and present danger
1. Securing & Accelerating Your Applications, 6/7/2013, Deny All © 2012, Deny All © 2013
HTML5:
Clear & Present Danger
CTO Talk
May 29, 2013
This event will start at
9:30am CEST,
thanks for your patience
2.
Hello!
Renaud Bidou
Chief Technology Officer
Stéphane de Saint Albin
VP Sales & Marketing
3.
Our goal: share our views on
the dangers associated with
HTML5 in 60 minutes
How it works
You're muted,
but please ask any
questions using the chat tool
We'll take a few minutes at
the end to answer them
Logistics
4.
Clear and present danger
Not fully standardized yet
Supported by all browsers
User experience enhancements
New vulnerabilities
Disruptive for existing security tools
Gartner's recommendation
Enterprises must assess the risks of HTML5 and use
appropriate security measures to mitigate risks for
sensitive applications
In "Prepare to Deal with HTML Security Risks",
4 Sept 2012, John Girard, John Pescatore
HTML5
5.
Menu
1. HTML5 new capabilities
2. HTML5 tricks
3. Empowering common threats
4. Hackers' dreams come true
6.
What's new with HTML5
7.
Poll #1
8.
Project led by W3C
Latest draft: HTML 5.1 May 2, 2013
Previous: December 17, 2012
Previously: 13 drafts starting from January 22, 2008
Why HTML5?
Make HTML content natively dynamic
Support offline mode
Increase security control and tuning
Improve internals for performance, task parallelization etc.
HTML5 short history
9.
On-the-fly graphics with the <canvas> tag
Native MP3, Ogg and Wav audio format
support with the <audio> tag
Native MP4, WebM and Ogg video format
support with the <video> tag
Drag & Drop with the draggable attribute and
the ondrop event handler
Embedded geolocation with the new
getCurrentPosition() method
New HTML content
10.
New input types through <input type> attribute
Email : type="email"
URL: type="url"
Numbers: type="number" type="range"
Date: type="date" type="month" type="week"
Embedded format validator
Based on type attribute value
Can be enforced through the pattern attribute
Can be disabled (don't try to understand)
Input Validation
<form novalidate>
11.
New forms inputs
<input type="email">
<input type="url">
<input pattern="\d{4}"
placeholder="4 digits PIN">
<input type="number" min="0"
max="10" step="2" value="6">
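The browser-side constraints on this slide can be switched off (novalidate, a raw HTTP client, an edited DOM), so the server has to enforce the same rules itself. The following is an added example, not code from the DenyAll deck: the four inputs from this slide re-validated server-side in Node.js. The field names (email, url, pin, level), the http/https-only URL policy and the integer-only number rule are assumptions.

```javascript
// Server-side re-validation of the slide's four <input> constraints (added example).

// The HTML5 "valid e-mail address" grammar used by type="email"
// (a deliberate simplification of RFC 5322).
const EMAIL_RE =
  /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

// <input type="email">
function validEmail(v) {
  return typeof v === "string" && EMAIL_RE.test(v);
}

// <input type="url">: the browser accepts any absolute URL; the server policy here
// (an assumption, not HTML5 behaviour) additionally restricts the scheme to http/https.
function validUrl(v) {
  if (typeof v !== "string") return false;
  try {
    const u = new URL(v);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// <input pattern="\d{4}">: browsers anchor the pattern as ^(?:...)$ and compile it
// with the "u" flag, so the server does the same rather than trusting the client.
function validPattern(v, pattern) {
  return typeof v === "string" && new RegExp("^(?:" + pattern + ")$", "u").test(v);
}

// <input type="number" min="0" max="10" step="2">: HTML5 counts steps from min,
// so "6" is valid and "5" is not. Integer input only (assumption) to avoid
// floating-point drift in the step check.
function validNumber(v, { min, max, step }) {
  if (typeof v !== "string" || !/^-?\d+$/.test(v)) return false;
  const n = Number(v);
  return n >= min && n <= max && (n - min) % step === 0;
}

// Validate a parsed request body; returns the names of rejected fields (empty = accept).
function rejectedFields(body) {
  const bad = [];
  if (!validEmail(body.email)) bad.push("email");
  if (!validUrl(body.url)) bad.push("url");
  if (!validPattern(body.pin, "\\d{4}")) bad.push("pin");
  if (!validNumber(body.level, { min: 0, max: 10, step: 2 })) bad.push("level");
  return bad;
}
```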
12.
Web Workers enable JavaScript background
processing
Web Storage improves local storage to
extend the cookie concept and natively
support session-based data handling
WebApp Cache to enable offline mode of
Web/Cloud based applications
Server-Sent Events (SSE) enable server-to-client
communication over the
established connection
New HTML internals
13.
HTML5 new security tricks
14. To view full slides or to listen to the
webinar recording, please visit
www.denyall.com/recordings_en.html
Link is available in the description
below.
15.
Call to Action
1. Download the Forrester report
www.denyall.com/forrester-en/
2. Evaluate Protect 4.1 FP1
Now available in customers download area
Not a customer yet? Contact us today
3. Evaluate Detect 5.1
https://edge.denyall.com
ftp://ftp-detect.denyall.com
4. Let's talk about your needs
sales@denyall.com, +33 1 46 20 96 00
16.
Thank you!
info@denyall.com
+33 1 46 20 96 00