Security and privacy are key requirements for any web application today.

Sites have to undergo thorough penetration tests before their go-live, our customers have security consultants join in during RFP processes, and news of major hacks hits the mainstream media regularly.

In my talk at CQCON 2013 I will focus on two major security topics to help you build secure sites and applications on top of Granite and Adobe CQ, now part of Adobe Experience Manager (AEM).

The Sling method loginAdministrative() and related functionality have been a source of code-based vulnerabilities and subtle bugs throughout AEM: everything done through such a session runs with full repository rights, so any bug in the surrounding code inherits those rights. This talk will analyse the problem and provide strategies for avoiding administrative sessions in your own AEM projects.
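To make the problem concrete, here is an added example (not code from the talk or from Adobe) showing the pattern the talk argues against next to its replacement. The class, the property name and the sub-service name "config-reader" are assumptions; getServiceResourceResolver() and the SUBSERVICE constant are the real Sling API (Sling API 2.4, shipped with AEM 6.0; on the CQ 5.6 line this call is not yet available, and the fallback is a dedicated repository user with minimal ACLs). The sub-service name must be mapped to a system user in the Apache Sling Service User Mapper configuration for the call to succeed.

```java
import java.util.Collections;
import java.util.Map;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.jcr.api.SlingRepository;

/**
 * Hypothetical OSGi service that reads a single property from a repository node.
 * Illustrative only: the class and the "config-reader" sub-service are assumptions.
 */
@Component
@Service(ConfigReader.class)
public class ConfigReader {

    /**
     * Assumed sub-service name. It has to be mapped to a system user in the
     * Service User Mapper config, e.g. "com.example.bundle:config-reader=config-reader-user",
     * and that user gets only the ACLs this class needs (e.g. jcr:read below /etc/config).
     */
    private static final String SUBSERVICE = "config-reader";

    @Reference
    private SlingRepository repository;

    @Reference
    private ResourceResolverFactory resolverFactory;

    /*
     * BEFORE: administrative session. Every operation runs as admin, so a bug in
     * this class, or a path that originates from request input, can reach and
     * modify any node in the repository. Forgetting logout() also leaks a
     * privileged session for the lifetime of the JVM.
     */
    public String readWithAdminSession(String path, String property) throws RepositoryException {
        Session session = null;
        try {
            session = repository.loginAdministrative(null); // deprecated, full rights
            return session.getNode(path).getProperty(property).getString();
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /*
     * AFTER: service user. The resolver is bound to a dedicated system user whose
     * ACLs grant exactly what this service needs. A path outside the permitted
     * subtree simply resolves to null instead of being readable.
     */
    public String readWithServiceUser(String path, String property) throws LoginException {
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth);
        try {
            Resource res = resolver.getResource(path);
            if (res == null) {
                return null; // not present, or not visible to the service user
            }
            ValueMap props = res.adaptTo(ValueMap.class);
            return props == null ? null : props.get(property, String.class);
        } finally {
            resolver.close(); // always release the resolver, also on exceptions
        }
    }
}
```

A quick check for existing projects: grep the code base for `loginAdministrative(` and `getAdministrativeResourceResolver(`; each hit should either be replaced as above or justified with a comment explaining why it genuinely needs admin rights.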

Further we will have a look at cross-site scripting (XSS) — a notorious problem in all web applications, and especially in content management systems. What are the risks and challenges in the AEM context? How can we detect vulnerabilities and, more importantly, how can we prevent them?
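As an added illustration (not code from the talk or from Adobe) of what prevention looks like in AEM, the following servlet reflects two request parameters into HTML, first the vulnerable way and then through the Granite XSSAPI, which encodes each value for the context it lands in. The servlet class, its path and the parameter names are assumptions; the XSSAPI methods shown (encodeForHTML, encodeForHTMLAttr, encodeForJSString, getValidHref) are the real com.adobe.granite.xss.XSSAPI.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

import com.adobe.granite.xss.XSSAPI;

/** Hypothetical servlet rendering a search result page; path and parameters are assumptions. */
@SlingServlet(paths = "/bin/example/search")
public class SearchResultServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI;

    /** Returns the parameter or "" so the encoders never see null. */
    private static String param(SlingHttpServletRequest request, String name) {
        String value = request.getParameter(name);
        return value == null ? "" : value;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Declare the charset explicitly: an unspecified charset lets an attacker
        // choose an encoding in which the escaping below is bypassed.
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        String q = param(request, "q");       // attacker-controlled
        String back = param(request, "back"); // attacker-controlled

        // VULNERABLE (kept as a comment so this class does not reflect raw input):
        //   out.println("<h1>Results for " + q + "</h1>");       // q = "<script>...</script>"
        //   out.println("<a href=\"" + back + "\">back</a>");    // back = "javascript:..."

        // FIXED: one encoder per output context. Using the HTML encoder inside a
        // script block or an href would still be exploitable.
        XSSAPI xss = xssAPI.getRequestSpecificAPI(request);
        out.println("<h1>Results for " + xss.encodeForHTML(q) + "</h1>");
        out.println("<input name=\"q\" value=\"" + xss.encodeForHTMLAttr(q) + "\">");
        // getValidHref returns "" for anything that is not a safe URL, e.g. javascript: URIs
        out.println("<a href=\"" + xss.getValidHref(back) + "\">back</a>");
        out.println("<script>var lastQuery = '" + xss.encodeForJSString(q) + "';</script>");
    }
}
```

For detection, the same context-per-output rule gives a simple review checklist: every place a JSP, servlet or client library writes a request parameter or a content property into the response must name which of the four contexts it is in and use the matching encoder.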

Hope to catch up with you at CQCON 2013!