INTECH meeting: Web application security
On 4 December 2009, at the Inria centre in Rennes, in partnership with the Images & Réseaux cluster and the Rennes Atalante technopole, a thematic meeting was held on the security questions that arise when implementing web applications. The exchange of viewpoints (scientific, technological and commercial) aimed to give a better understanding of these problems:
- What are the risks?
- How can one guard against them?
- How far have the techniques come?
- What kind of international initiatives exist?
The eight talks were recorded by the Pôle audiovisuel (INRIA-Rennes).
The videos: François Bodin; Philippe Ensarguet; Frédéric Cuppens; Thomas Jensen & Frédéric Besson; Christophe Levointurier; Marianne Bussière; Cédric Fournet; Marc Schönefeld
François Bodin - "Introduction" (technical director of CAPS Entreprise - Rennes)
Philippe Ensarguet - "Application security: elements of awareness" (Orange Business Services, IT Architecture Skills Center) - [60:26]
Frédéric Cuppens - "Dynamic identity and access management with Protekto" (Télécom Bretagne - Rennes) - [58:42]
We shall present Protekto, a new Identity and Access Management (IAM) platform that implements functionalities for deploying dynamic Authentication and Authorization policies. Protekto combines mechanisms for managing federation of identities (based on the SAML 2 and OpenID standards) and authorizations (based on the XACML standard). Protekto also integrates an administration cockpit to manage fine-grained and contextual authorization policies based on the Organization Based Access Control (OrBAC) model. Using this cockpit, it is then possible to deploy the policy, including means to parameterize authentication mechanisms depending on the accessed services.
Christophe Levointurier - "Serenitec: an automated Java refactoring workbench" (ALF project - Inria)
The Serenitec project (Security analysis and Refactoring ENvironment for Internet TEChnology) offers a workbench, for the Java language, that helps analyse and implement the security and code quality of web applications. This presentation gives an overview of the techniques studied within this project. In particular, we detail the support for implementing program refactoring techniques. The Serenitec project is supported by the Région Bretagne within the Images et Réseaux cluster.
Marianne Bussière (business development manager for the Navis project) - "Presentation of the Navis project" [15:44]
Cédric Fournet - "Modular verification of security protocol code" (Microsoft Research, Cambridge - UK) - [49:38] (Joint work with Karthik Bhargavan and Andy Gordon.)
We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We implement this method for protocols coded in F# and verified using F7, an SMT-based typechecker for refinement types, that is, types carrying formulas to record invariants. As illustrated by a series of programming examples, our method flexibly deals with a wide range of cryptographic constructions and protocols. We evaluate our approach on larger case studies, including a verified implementation of the CardSpace identity-management protocol built on top of Web Services security standards. Our results indicate that compositional verification by typing scales better than domain-specific security analyses. Slides (pdf)
Marc Schönefeld (member of the Red Hat Security Team - Germany) - "Java vulnerabilities explained" [52:11]
In the talk we will present how vulnerabilities in the runtime environment affect the attack surface of Java applications. We identify weak spots and look at them from a weakness evaluation perspective (according to the CWE). From that basis we move on to particular code anti-patterns and how they relate to vulnerabilities (in a CVE context). The talk focuses on Java software and details security flaws found in OpenJDK, web servers, OpenOffice and other enterprise products. After the vulnerability perspective has been presented, we present an approach to harden Java applications using self-learning monitoring techniques.
© 2009 Pôle audiovisuel de l'Irisa