On the third day of the RSA Conference, Chief Technology Evangelist at HOB, Brandy Mauff, delivered a Sponsor Special Topics Session entitled “Secure Apache Web Server with HTML5 and HTTP/2” to a crowd of interested RSA Conference attendees.
Brandy began with the following quote from Eugene Spafford, leading computer security expert at Purdue University: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
This quote set the scene for Brandy’s presentation, and she asserted the difficulty of finding a system that is equal parts secure and productive. The two seem to be inversely related and Brandy would discuss solutions for optimizing both in tandem in her presentation.
In 2015, $75 billion USD will be spent on information security, a $10 billion jump from 2013. Brandy emphasized why security is a top-of-mind issue, especially in sectors such as nuclear power plants that are not typical targets for cyber attacks unless those attacks are a form of cyber warfare. As high tech takes over, critical infrastructure relies on networks for operation, and an attack on, say, the network powering a nuclear power plant could be deadly.
After explaining the need for bolstered security measures, Brandy acquainted the audience with the Apache Web Server, its prevalence and key features. As mentioned in previous blogs, it’s the most widely-used Web Server and one of the founding pieces of the World Wide Web. Some of the key features that make it attractive are the fact that it’s open source, has a large public library of add-ons and is highly adaptable. But again, returning to Brandy’s opening remark: its adaptability can leave the system vulnerable to threats and weaknesses such as information leakage, lack of authorization and unnecessary modules.
Brandy then discussed HTML5, which she explained has been more widely used than Flash Player for supporting the latest multimedia types and structuring and presenting online content since 2014. Some of the features include audio and video support and the ability to edit content, indicate content fields with placeholder text and store information per session or in general on the web page.
The ability to store data on the web has its pros and cons, explained Brandy. Web storage is practical and results in increased performance for non-sensitive data. But, for sensitive data, security becomes an issue.
In order to maximize security while using HTML5, one must validate URLs and discard requests that fail validation, clear the user-agent (UA) cache, only allow trusted sites, and, for web messaging, always state the origin explicitly and handle the data value properly.
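The web-messaging and URL points above, as an added example that is not code from the talk or from HOB: the receiver checks the sender's origin against an allowlist and treats the payload strictly as data, the sender names its target origin rather than `"*"`, and URLs are validated before being acted on. The origins `https://app.example.com` and `https://widget.example.com` are constructed for the example; the handler takes the message event as a parameter so the logic runs outside a browser as well.

```javascript
// Added example (not from the HOB talk): origin-checked web messaging and URL validation.
// Assumption (constructed): the page at https://app.example.com embeds a widget from
// https://widget.example.com and the two exchange postMessage events.

const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);

// Validate a URL before acting on it (navigation, fetch, iframe src): it must parse,
// use https, and point at a trusted origin. Anything else is discarded with a reason.
function validateUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (!TRUSTED_ORIGINS.has(url.origin)) return { ok: false, reason: "origin" };
  return { ok: true, url: url.href };
}

// Receiver side of web messaging. `event` has the shape of a MessageEvent
// ({ origin, data }) and is passed in explicitly so the check is testable without a DOM.
function handleMessage(event) {
  // First gate: only accept messages whose origin is on the allowlist.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  // Second gate: treat the payload as data, never as markup or code. Require a plain
  // object with a known message type and a string field, and copy only that field.
  const data = event.data;
  if (typeof data !== "object" || data === null) {
    return { accepted: false, reason: "malformed" };
  }
  if (data.type !== "setTitle" || typeof data.title !== "string") {
    return { accepted: false, reason: "unknown message" };
  }
  return { accepted: true, title: data.title.slice(0, 200) };
}

// Sender side: always name the target origin instead of "*", so the message is never
// delivered to a frame that has since navigated somewhere untrusted.
function sendMessage(targetWindow, payload, targetOrigin) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to untrusted origin " + targetOrigin);
  }
  targetWindow.postMessage(payload, targetOrigin);
  return targetOrigin;
}

// Browser wiring (skipped when run under Node): apply accepted messages to the page.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const result = handleMessage(ev);
    if (result.accepted) document.title = result.title;
  });
}
```

The two gates in `handleMessage` are deliberately separate: an origin check alone still lets a trusted but compromised page push arbitrary values, so the payload is also constrained to the one message shape the page expects, and the accepted field is copied out rather than the whole object being used.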
Moving on to HTTP/2, Brandy described it as the foundation of data communication for the World Wide Web and explained how it will become a standard in 2015. The key improvements in HTTP/2 include server push, header compression, multiplexing and TLS.
HTTP/2 deployments, which run over TLS, have been exposed to bugs in that layer such as POODLE, CRIME and Heartbleed. In order to protect systems from POODLE when using HTTP/2, it is essential to disable SSL 2.0 and SSL 3.0. To protect from CRIME, it is essential to disable TLS 1.0, and to protect from Heartbleed it is essential to upgrade your system’s OpenSSL and disable the TLS Heartbeat extension.
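As an added example (not code from the talk, from HOB or from the Apache project), the following audits the mod_ssl directives of an Apache configuration for the settings just listed and checks an `openssl version` string against the Heartbleed-affected releases. The two virtual-host fragments are constructed: the weak one leaves `SSLProtocol all` and TLS compression on, the hardened one disables SSLv2, SSLv3 and TLSv1 and turns `SSLCompression` off (turning compression off is the `mod_ssl` mitigation for CRIME, added here alongside the TLS 1.0 step the talk gives). The version check encodes the known affected range, OpenSSL 1.0.1 through 1.0.1f plus 1.0.2-beta1.

```javascript
// Added example (not from the HOB talk or the Apache project): audit mod_ssl directives
// for the POODLE/CRIME-related settings and check an OpenSSL version for Heartbleed.

// Constructed sample: a weak virtual host as it might be found on an older install.
const WEAK_CONFIG = `
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCompression on
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
`;

// The same host hardened: SSLv2/SSLv3/TLSv1 removed, TLS compression off.
const HARDENED_CONFIG = `
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCompression off
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
`;

// Returns the set of protocols an SSLProtocol directive leaves enabled.
// mod_ssl semantics: "all" enables everything, "-name" removes, "+name" or "name" adds.
function enabledProtocols(directiveValue) {
  const known = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"];
  const enabled = new Set();
  for (const tok of directiveValue.trim().split(/\s+/)) {
    if (tok === "all" || tok === "+all") known.forEach((p) => enabled.add(p));
    else if (tok === "-all") enabled.clear();
    else if (tok.startsWith("-")) enabled.delete(tok.slice(1));
    else enabled.add(tok.replace(/^\+/, ""));
  }
  return enabled;
}

// Scan a config text and return the list of findings (empty means nothing flagged).
function auditSslConfig(text) {
  const findings = [];
  let sawProtocol = false;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const [name, ...rest] = line.split(/\s+/);
    const value = rest.join(" ");
    if (name === "SSLProtocol") {
      sawProtocol = true;
      const on = enabledProtocols(value);
      if (on.has("SSLv2") || on.has("SSLv3")) {
        findings.push("SSLv2/SSLv3 enabled (POODLE): use SSLProtocol all -SSLv2 -SSLv3");
      }
      if (on.has("TLSv1")) findings.push("TLSv1 enabled: add -TLSv1 to SSLProtocol");
    } else if (name === "SSLCompression" && value.toLowerCase() === "on") {
      findings.push("SSLCompression on (CRIME): set SSLCompression off");
    }
  }
  if (!sawProtocol) {
    findings.push("no explicit SSLProtocol directive: set it rather than relying on the build default");
  }
  return findings;
}

// Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later,
// and the 0.9.8 and 1.0.0 branches, are not affected. Input is an `openssl version` line.
function opensslHasHeartbleed(versionLine) {
  const m = /OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(-beta\d+)?/.exec(versionLine);
  if (!m) throw new Error("unrecognised version string: " + versionLine);
  const [, base, letter, beta] = m;
  if (base === "1.0.1") return letter === "" || letter <= "f";
  if (base === "1.0.2") return beta === "-beta1";
  return false;
}
```

A run over `WEAK_CONFIG` yields three findings (the SSLv2/SSLv3, TLSv1 and compression items) and over `HARDENED_CONFIG` none; the Heartbeat extension itself has no Apache directive, so the upgrade check on the OpenSSL version is the practical test for that item.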
The combined use of HTML5 and HTTP/2 in an Apache-based deployment is flexible, secure and practical, and Brandy drove home the importance of testing a system with threat assessments to ensure security, while also investing in the proper security protocol.
We are proud to have bright minds like Brandy’s on the HOB team adding to the cybersecurity conversation at RSA this year. For more information visit HOBsoft.com.