It’s Day 2 at the eBay Developers Conference.
Security is always a trade off between convenience and safety. Over the years, eBay has continually worked at balancing the two issues, and we’ve learned a lot. In “Securing the eBay Marketplace,” our Chief Security Architect, Liam Lynch, is sharing key points.
So far, he’s covered
- SQL injection attacks
- Filtering input
- Cross site scripting
- Phishing attacks
- Hashing versus encryption
- Federated identity and authentication
- And a few more that I’m missing
Right now, he’s going over the OWASP Top Ten.
One of the interesting points that Liam’s making is that security isn’t a one-time thing. It’s an evolving notion. Also, security isn’t an absolute.
For example, eBay allows sellers to embed HTML inside an item listing. This presents a security risk, as people can try and use this to do malicious things. We could easily eliminate this issue by eliminating HTML, but that doesn’t make for very interesting item descriptions. Therefore, eBay’s set up a series of input filters to only allow “good” HTML and strip out the “bad” HTML. This isn’t easy, as the concept of “good” and “bad” is always changing, as we strive to strike the proper balance between the two.
Popularity: 1% [?]