July 31, 2007

Apps security to dominate Black Hat

Enterprise IT issues figure prominently on the agenda

Black Hat kicks off this week in Las Vegas with a big shift in focus from Internet viruses to application security.

The shift mirrors the change in threats on the security landscape, with malware attacks morphing from generic Internet viruses into targeted attacks aimed at vulnerabilities in proprietary business IT systems.

Security researchers gathered at Caesar's Palace on Monday to undergo training in the latest hacking and malware-authoring techniques, following an initial set of classes held over the weekend.

The conference transitions on Tuesday from its training stage into its briefings mode, as the media, software vendors, and other interested parties -- including law enforcement officials -- join in the action to see noted security experts present their latest discoveries.

The even edgier Defcon "underground" hacker show will kick off at the Las Vegas Riviera on Wednesday, with a fair share of computer-based pranks sure to be mixed in with the event's annual combination of security research and system-cracking tricks.

As threats have evolved and hackers have broadened their focus on finding and exploiting vulnerabilities -- as opposed to focusing almost solely on Microsoft's Windows platform in years past -- the 2007 Black Hat briefings schedule is weighted heavily toward applications security.

At least four scheduled sessions specifically highlight Windows flaws and other Microsoft-based hacks, botnets, and other so-called mass-market threats that are designed to take advantage of consumers and other unsuspecting Web users.

Many of the breakout sessions, however, are aimed specifically at detailing attacks that can be carried out on software applications.

One such presentation will be hosted by research experts employed by SPI Dynamics, the applications security testing software maker acquired by Hewlett-Packard in June to help coders using the company's Mercury Interactive development platform to drive flaws out of their work.

Billy Hoffman, lead researcher in SPI's Labs group, and Bryan Sullivan, one of the Atlanta-based company's development managers, will share their latest findings regarding common vulnerabilities found in AJAX-based applications.

Hoffman, who presented on the same topic at Black Hat last year to enthusiastic reviews from his audience, has become a leading voice behind efforts to encourage coders to cover their security bases when writing AJAX applications.

The so-called Web 2.0 programming technique, which melds Asynchronous JavaScript and XML to boost the interactivity of Web sites, has become an increasingly popular platform, but many developers working with it remain unaware of its security issues, Hoffman maintains.

The SPI researchers plan to demonstrate commonly found AJAX application design flaws that they say stem from such substandard coding, including use of client-side XSL transformations, use of erratic server-side APIs, and methods by which data is unintentionally stored in the client-side code of many programs.

Hoffman and Sullivan also plan to show off exploits of these vulnerabilities, including blind SQL and blind XPath injection techniques, detection and exploitation of program race conditions, and techniques for applying static analysis to de-obfuscate client-side JavaScript.
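To make the "blind SQL injection" item above concrete from the defender's side, here is an added example that is not part of the article and not SPI Dynamics' code. It models a typical AJAX lookup endpoint that answers only "does this user exist?" (a yes/no reply is exactly what a blind technique works from, since no data is returned directly), and places the flawed handler beside its parameterized replacement. The table, the rows, and the probe string are all constructed for the demonstration; the real application's schema and API are not described on the page.

```python
import sqlite3

# Constructed sample data standing in for an AJAX "user exists" endpoint.
# Assumption: the real app's schema is unknown; this table is invented here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def user_exists_vulnerable(conn, username):
    # Design flaw: the SQL text is assembled by string concatenation, so a
    # quote character in the parameter changes the query's logic. Because the
    # endpoint only ever answers True/False, nothing is "shown" to a caller,
    # yet the answer still leaks whether an injected condition held.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return bool(conn.execute(sql).fetchall())

def user_exists_hardened(conn, username):
    # Fix: a parameterized query. The driver passes the value separately from
    # the statement text, so the input can only ever be compared literally.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return bool(conn.execute(sql, (username,)).fetchall())

def demonstrate():
    """Return the four answers a reviewer would compare side by side."""
    conn = make_db()
    # Constructed boolean-based probe: a username that does not exist, followed
    # by a condition that is always true. Only the flawed handler is swayed.
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable_known_user": user_exists_vulnerable(conn, "alice"),
        "vulnerable_unknown_user": user_exists_vulnerable(conn, "nobody"),
        "vulnerable_probe": user_exists_vulnerable(conn, probe),
        "hardened_known_user": user_exists_hardened(conn, "alice"),
        "hardened_unknown_user": user_exists_hardened(conn, "nobody"),
        "hardened_probe": user_exists_hardened(conn, probe),
    }

if __name__ == "__main__":
    for name, answer in demonstrate().items():
        print(f"{name}: {answer}")
```

The point of the side-by-side is that the flawed handler answers True for a username that is not in the table, so its yes/no reply is controlled by the query's structure rather than by the data, while the parameterized handler answers False for the same input. Code review and static analysis can flag the first pattern mechanically: any query string built by concatenating or formatting request-supplied values is the defect, regardless of what the endpoint returns.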

©1994-2009 Infoworld, Inc.