Eric Dalci and Ray Lai on SaaS security

date:Sep 23, 2010

The majority of developers attending the JavaOne session, Ten Security Vulnerabilities for Software as a Service (SaaS), were unfamiliar with security threats such as cross-site request forgery. Also, some scoffed at the notion that password security is still a major issue. That was a surprise to presenters and software security experts Eric Dalci and Ray Lai. In this video, they explain the audience's reactions and why password security still causes major hassles in SaaS. Dalci is senior security consultant for Cigital, a software security and quality consulting firm in Dulles, Va. Lai is software architect for Mountain View, Calif., ISV Intuit.

Read the full transcript from this video below:  

Eric Dalci and Ray Lai on SaaS security

Eric Dalci: Hello. My name is Eric Dalci. I work for Cigital.

Ray Lai: This is Ray Lai from Intuit.

Interviewer: Hello. One thing that surprised me during your session was how few people were familiar with some of the threats, like CSRF. Was that surprising to you?

Eric Dalci: This attack is a bit new -- I would say in the last two or three years. You may remember from before, back in the 90s, it took a while to sink in. Now it is this new web attack that hackers find out, then it goes to the public. We still have to do some education work to actually get protection from this new type of attack. I think it is legitimate to see how many people will know about this.

Interviewer: Some people also did not seem like they believed you about password threats, too.

Eric Dalci: Do you want to take this?

Ray Lai: Just because people do not see down the road, the password being hard-coded, but once they know how to get a hold of the backend, or it can be used to do data mining of the system information, then they probably would realize the problem.

Eric Dalci: Also internal threat: If you have a hard-coded password, lots of people have access to the root source repository. Do you really want to have hundreds of people with access to that file with that password hard-coded there? That is another risk.

Interviewer: Thank you for talking with me.

Eric Dalci: Thank you.

Ray Lai: Thank you.
