Application Security for the masses


Published on

The presentation by Andrea Pompili
given at Codemotion, Rome, 5 March 2011 http://www.codemotion.it

Published in: Technology

Transcript of "Application Security for the masses"

  1. 5 March 2011 – www.codemotion.it. There are only 10 types of people in the world: those who understand binary, and those who don't. (Who + What) && (Where + When) == Why. APPLICATION SECURITY FOR THE MASSES. Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ <Andrea Pompili> apompili@hotmail.com, Xilogic Corp.
  2. Running Normal vs Running Hacked (memory-layout diagram). Normal: the program's instructions, integer data, char data, a pointer and a buffer sit in memory; the pointer selects which program line runs next and the program jumps to the next address. Hacked: the buffer is overrun with injected code, the instructions are corrupted, the program jumps to the overwritten address and the pointer executes the injected code.
  3. The Onion Application Framework (diagram, with DATA at the core).
  4. To Code or not to Code.
  5. Utenti = UtOnti (a pun: users as "utonti", dimwits). "At this moment you have received the 'Albanian virus'. Since we in Albania have no experience with software and programming, this Albanian virus works on the principle of trust and cooperation. So we ask you now to delete all the files on your hard disk and forward this virus to all the friends in your address book. Thank you for your trust and cooperation."
  6. Cyber fraud in numbers (chart). Panels: credit fraud on the web during 2010; cost of a compromised identity; total damage caused by scams; damage caused by false identities; complaints filed with the Postal Police Service in 2010. Source: CRIS for Il Sole 24 Ore, November 2010.
  8. The OWASP project: OWASP Top 10 – 2007 (Previous) vs OWASP Top 10 – 2010 (New)
     A2 – Injection Flaws                                   -> A1 – Injection
     A1 – Cross Site Scripting (XSS)                        -> A2 – Cross-Site Scripting (XSS)
     A7 – Broken Authentication and Session Management      -> A3 – Broken Authentication and Session Management
     A4 – Insecure Direct Object Reference                  -> A4 – Insecure Direct Object Reference
     A5 – Cross Site Request Forgery (CSRF)                 -> A5 – Cross Site Request Forgery (CSRF)
     <was T10 2004 A10 – Insecure Configuration Management> -> A6 – Security Misconfiguration (NEW)
     A8 – Insecure Cryptographic Storage                    -> A7 – Insecure Cryptographic Storage
     A10 – Failure to Restrict URL Access                   -> A8 – Failure to Restrict URL Access
     A9 – Insecure Communications                           -> A9 – Insufficient Transport Layer Protection
     <not in T10 2007>                                      -> A10 – Unvalidated Redirects and Forwards (NEW)
     A3 – Malicious File Execution                          -> <dropped from T10 2010>
     A6 – Information Leakage and Improper Error Handling   -> <dropped from T10 2010>
  9. The way to Application Security (diagram): the assets Files, Databases and Applications, set against the organisational roles Development, ICT Operations and IT Security.
  10. Current Application Security market (diagram).
  11. Enforcement Infrastructures (diagram): FAM, DAM, DLP and Classification covering Files and Databases; IAM (Authentication, Authorization), Usage Policy and WAF covering Applications; internal (Interne) policies.
  13. Attack on Poste Italiane.
  14. What went wrong? http://unu1234567.baywords.com/2009/09/05/poste-italiane-hacked-sql-injection/
  15. SQL Injection. OWASP A1 – Injection: injection flaws, such as SQL injection, OS injection and LDAP injection, occur when unvalidated data is sent to an interpreter as part of a command or query. The tainted data can then trick the interpreter into executing unintended commands or accessing data for which there is no authorisation.
  16. Site redirect.
  17. Application Firewall (diagram: a WAF placed in front of the Applications), with the request it is meant to stop:
      POST http://www.sito.it/vulnpage.php HTTP/1.1
      username: test
      password: x; DROP TABLE users; --
  19. Top-ups and electricity meters.
  20. What went wrong? ESME / UCP message trace:
      29 00229 51 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      30 00237 51 1/2 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      31 00237 51 2/2 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      32 00237 51 1/3 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      33 00237 51 2/3 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      34 00237 51 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      35 00237 51 1/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      36 00237 51 2/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
      37 00237 51 3/4 . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
  22. The Wikileaks case.
  23. What went wrong?
  24. File Security & Monitoring (diagram), in three steps:
      1 Crawl File Systems: find name, type, owner, permissions…
      2 Build Data/Permission Map: apply classification policies (owner, org, location) and automatic content classification.
        Map (Who / Group / What / Class): Joe, Fin-CC, Read, Financials; Jim, HR-Exec, Read, PII.
        Classified files: cc.xls (Finance) -> Financials; PII.doc (HR) -> PII.
      3 Enforce Policies (Who / What / Action): Non IT, Update, Block; Any, Read PII, Audit.
        Enforced by the FAM in front of the file servers: Joe (IT) -> NAS: X (blocked); Jim (HR) -> File Servers: OK.
        Audit Log (Who / What / When / Action): Joe, Read CC.xls, 1/1/2010 12:50, Block; Jim, Read PII.doc, 1/1/2010 12:51, Audit.
  26. Into the Wireless World.
  27. What went wrong? The application exposes its initialisation script, ../main/init/initdb.jsp, which runs:
      DROP DATABASE cms;
      CREATE TABLE contents (…);
      CREATE TABLE news (…);
      CREATE INDEX idx1;
      ...
  28. Database Security & Monitoring: Who, Where, How and When (diagram). Columns: Who (Chi), How (Come), Where (Dove), What (Cosa), When (Quando); components DAS, URM, DAM; questions asked: Who is? Sensitive? What rights? When used? Is it dormant? Example row: JOE (Dept?) on CCTAB (Credit Card); JOE -> CCTAB; JOE -> CCTAB update.
  29. La n
  30. Questions? ¿Preguntas? (English, Spanish); вопросы? (Russian); Domande? (Italian); Ερωτήσεις? (Greek); Arabic; Sindarin; tupoQghachmey (Klingon); Japanese.