Eric Dalci and Ray Lai on SaaS security

date:Sep 23, 2010

The majority of developers attending the JavaOne session, Ten Security Vulnerabilities for Software as a Service (SaaS), were unfamiliar with security threats such as cross-site request forgery (CSRF). Some also scoffed at the notion that password security is still a major issue. That was a surprise to the presenters, software security experts Eric Dalci and Ray Lai. In this video, they explain the audience's reactions and why password security still causes major hassles in SaaS. Dalci is a senior security consultant for Cigital, a software security and quality consulting firm in Dulles, Va. Lai is a software architect for Intuit, an ISV in Mountain View, Calif.

Read the full transcript from this video below:  

Eric Dalci and Ray Lai on SaaS security

Eric Dalci: Hello. My name is Eric Dalci. I work for Cigital.

Ray Lai: This is Ray Lai from Intuit.

Interviewer: Hello. One thing that surprised me during your session was how few people were familiar with some of the threats, like CSRF. Was that surprising to you?

Eric Dalci: This attack is a bit new -- I would say in the last two or three years. You may remember from before back in the 90s, it took a while to sink in. Now it is this new web attack that hackers find out then it goes to the public. We still have to do some education work to actually get protection from this new type of attack. I think it is legitimate to see how many people will know about this.

Interviewer: Some people also did not seem like they believed you about password threats, too.

Eric Dalci: Do you want to take this?

Ray Lai: Just because people do not see, down the road, the password being hard-coded; but once they know how to get hold of the backend, or it can be used to do data mining of the system information, then they probably would realize the problem.

Eric Dalci: Also internal threat: If you have a hard-coded password, lots of people have access to the root source repository. Do you really want to have hundreds of people with access to that file with that password hard-coded there? That is another risk.

Interviewer: Thank you for talking with me.

Eric Dalci: Thank you.

Ray Lai: Thank you.
