Eric Dalci and Ray Lai on SaaS security


Date: Sep 23, 2010

The majority of developers attending the JavaOne session, Ten Security Vulnerabilities for Software as a Service (SaaS), were unfamiliar with security threats such as cross-site request forgery. Some also scoffed at the notion that password security is still a major issue. That was a surprise to presenters and software security experts Eric Dalci and Ray Lai. In this video, they explain the audience's reactions and why password security still causes major hassles in SaaS. Dalci is senior security consultant for Cigital, a software security and quality consulting firm in Dulles, Va. Lai is software architect for Intuit, an ISV in Mountain View, Calif.


Read the full transcript from this video below:

Eric Dalci: Hello. My name is Eric Dalci. I work for Cigital.

Ray Lai: This is Ray Lai from Intuit.

Interviewer: Hello. One thing that surprised me during your session was how few people were familiar with some of the threats, like CSRF. Was that surprising to you?

Eric Dalci: This attack is a bit new -- I would say in the last two or three years. You may remember from before, back in the 90s, it took a while to sink in. Now it is this new web attack that hackers find out about, then it goes to the public. We still have to do some education work to actually get protection from this new type of attack. I think it is legitimate to see how many people will know about this.

Interviewer: Some people also did not seem like they believed you about password threats, too.

Eric Dalci: Do you want to take this?

Ray Lai: Just because people do not see down the road, the password being hard-coded, but once they know how to get a hold of the backend, or it can be used to do data mining of the system information, then they probably would realize the problem.

Eric Dalci: Also, internal threat: if you have a hard-coded password, lots of people have access to the root source repository. Do you really want to have hundreds of people with access to that file with that password hard-coded there? That is another risk.

Interviewer: Thank you for talking with me.

Eric Dalci: Thank you.

Ray Lai: Thank you.
