SlideShare a Scribd company logo

RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

IMMUNIO
IMMUNIO

Rails comes with many powerful security protections out of the box, but no code is perfect. This talk will highlight a new approach to web app security, one focusing on a higher level of abstraction than current techniques. We will take a look at current security processes and tools and some common vulnerabilities still found in many Rails apps. Then we will investigate novel ways to protect against these vulnerabilities.

Technology
1 of 60
Download to read offline
Metasecurity: Beyond Patching Vulnerabilities Chase Douglas Immun.io
Anatomy of a security attack Vulnerability Attacker
How to defend against vulnerabilities?
PHP: Over 24 vulnerabilities reported every year! cvedetails.com Rails: Over 7 vulnerabilities reported every year!
How fast can you spin this wheel?
Vulnerabilities sold remain private for an average of 151 days The Known Unknowns - Stefan Frei - NSS Labs https://www.nsslabs.com/reports/known-unknowns-0
How many vulnerabilities are lurking, unfound?
How to defend against attackers?
Web Application Firewalls
Web Application Firewalls
Field Trip! Castle Gaillard
False Positives
Anatomy of a security attack Vulnerability Attacker Exploitation
Metasecurity: Blocking Exploitations
Exploitations • SQL Injection • Cross Site Scripting (XSS)
SQL Injection
SQL Injection
SQL Injection
SQL Injection
SQL Injection
SQL Injection
SQL Injection
SQL Injection
Cross Site Scripting (XSS) But I didn’t click on anything!
+? XSS
XSS In someone else’s browser! +
String.html_safe
String.html_safe Escaped!
String.html_safe Not Escaped!
Rails Rendering Start with an empty SafeBuffer Buffer:
Rails Rendering Append template after calling html_safe on it Buffer: <head> <title>
Rails Rendering Append expression result Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt; I tried to inject <script>alert(1)</script> here!
Rails Rendering Append template after calling html_safe on it Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
Rails Rendering Append expression result Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title> <script src=“/application.js”></script> javascript_include_tag returned a SafeBuffer
Rails Rendering Append template after calling html_safe on it Buffer: <head> <title>&lt;script&gt;alert(1)&lt;/script&gt;</title> <script src=“/application.js”></script> </head>
XSS
XSS params => {id: 5}
XSS params => {id: “<script>alert(1)</script>”} <div class=“alert”> User id &lt;script&gt;alert(1)&lt;/script&gt; does not exist </div> Rendered HTML:
XSS
XSS
XSS
XSS params => {id: “<script>alert(1)</script>”} <div class=“alert”> User id <script>alert(1)</script> does not exist </div> Rendered HTML: +
XSS
How to Fix?
How to Fix XSS
How to Fix SQL Injection • Check that args for all `Calculate` methods are actual table names • Always use hashes or arrays when using `delete_all`/`destroy_all`/ `where` • Always use hashes when using `find_by`/`find_by!` • Always convert user input to strings when passed to `exists?` • Never pass user input to `group`/`joins`/`order`/`reorder`/`pluck`/ `select`/`having` • Don’t use `find` unless you are a security guru • etc. etc.
“Once you’re done with that, can you audit all our dependencies too?”
“Can you teach everyone else about security?”
“All changes will be reviewed by the security team” “It won’t be a bottleneck, we’ve got two security engineers”
Metasecurity Defense
Metasecurity for XSS Should there be script tags here?
Metasecurity for XSS • Wrap `html_safe` method • If called from a known good location, like a Rails helper, let the string through unimpeded • Otherwise, escape any <script> tags first
Metasecurity for SQL Injection Structure Eoknkno1 Structure Eoknkno1&1o1 Structure Eoknkno1;Tkn
How do we determine expected structures?
Every Query is Executed at the Top of a Call Stack
Match Call Stack to a Learned Structure Eoknk
Verify Structure Eoknk Ok! Eoknkno1&1o1 Bad! Block and respond with 403 Expected Structure: Eoknk
Metasecurity Vulnerability Attacker Exploitation
Immunio is Metasecurity Automatic protection against: Cross Site Scripting SQL Injection Remote Command Execution ShellShock Open Redirects Unauthorized File I/O CSRF Tampering Brute Force Authentication Attempts HTTP Header Split HTTP Method Tampering Automated Scanners And more…

Recommended

GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinIMMUNIO
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Michele Butcher-Jones
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte SecureMichele Butcher-Jones
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The WebBishan Singh
 
WordPress Troubleshooting Hacks.pdf
WordPress Troubleshooting Hacks.pdfWordPress Troubleshooting Hacks.pdf
WordPress Troubleshooting Hacks.pdfArthur Kasirye
 

Recommended

GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinIMMUNIO
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Beginning WordPress Security WordCamp North Canton 2015
Beginning WordPress Security WordCamp North Canton 2015Michele Butcher-Jones
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte SecureMichele Butcher-Jones
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The WebBishan Singh
 
WordPress Troubleshooting Hacks.pdf
WordPress Troubleshooting Hacks.pdfWordPress Troubleshooting Hacks.pdf
WordPress Troubleshooting Hacks.pdfArthur Kasirye
 
Approaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guideApproaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guideSecuRing
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developersRan Bar-Zik
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Michele Butcher
 
ESAPI
ESAPIESAPI
ESAPIn|u - The Open Security Community
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Sucuri
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSElsner Technologies Pvt Ltd
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!Michele Butcher-Jones
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON
 

More Related Content

What's hot

Approaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guideApproaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guideSecuRing
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshopAbhinav Sejpal
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developersRan Bar-Zik
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Michele Butcher
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Sucuri
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSElsner Technologies Pvt Ltd
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!Michele Butcher-Jones
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 

What's hot (20)

Approaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guideApproaching the unknown - Windows Phone application security assessment guide
Approaching the unknown - Windows Phone application security assessment guide
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equal
 
Android mobile app security offensive security workshop
Android mobile app security offensive security workshopAndroid mobile app security offensive security workshop
Android mobile app security offensive security workshop
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!
 
ESAPI
ESAPIESAPI
ESAPI
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla Revealed
 
Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?Kludges and PHP. Why Should You Use a WAF?
Kludges and PHP. Why Should You Use a WAF?
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developers
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!Passwords, Attacks, and Security oh my!
Passwords, Attacks, and Security oh my!
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities

Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Laura Bell
 
Slides
SlidesSlides
Slidesvti
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesTiago Henriques
 

Similar to RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities (20)

Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программированияSECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
SECON'2017, Евстифеев Петр, Антипаттерны безопасного программирования
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
 
Slides
SlidesSlides
Slides
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java Vulnerabilities
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities