Eric Dalci and Ray Lai on SaaS security


Date: Sep 23, 2010

The majority of developers attending the JavaOne session, Ten Security Vulnerabilities for Software as a Service (SaaS), were unfamiliar with security threats such as cross-site request forgery. Some also scoffed at the notion that password security is still a major issue. That was a surprise to the presenters, software security experts Eric Dalci and Ray Lai. In this video, they explain the audience's reactions and why password security still causes major hassles in SaaS. Dalci is a senior security consultant for Cigital, a software security and quality consulting firm in Dulles, Va. Lai is a software architect for Intuit, an ISV in Mountain View, Calif.


Read the full transcript from this video below:  


Eric Dalci: Hello. My name is Eric Dalci. I work for Cigital.

Ray Lai: This is Ray Lai from Intuit.

Interviewer: Hello. One thing that surprised me during your session was how few people were familiar with some of the threats, like CSRF. Was that surprising to you?

Eric Dalci: This attack is a bit new -- I would say in the last two or three years. You may remember from before back in the 90s, it took a while to sink in. Now it is this new web attack that hackers find out then it goes to the public. We still have to do some education work to actually get protection from this new type of attack. I think it is legitimate to see how many people will know about this.

Interviewer: Some people also did not seem like they believed you about password threats, too.

Eric Dalci: Do you want to take this?

Ray Lai: Just because people do not see down the road, the password being hard-coded, but once they know how to get a hold of the backend, or it can be used to do data mining of the system information, then they probably would realize the problem.

Eric Dalci: Also internal threat: If you have a hard-coded password, lots of people have access to the root source repository. Do you really want to have hundreds of people with access to that file with that password hard-coded there? That is another risk.

Interviewer: Thank you for talking with me.

Eric Dalci: Thank you.

Ray Lai: Thank you.
