Sans Feb 2010 - When Web 2 0 Attacks v3.3


Transcript

  • 1. When Web 2.0 Attacks! Technology gone terribly wrong.
    Rafal M. Los, HP -- ASC. rev 4, 7 February 2010
  • 2. Fire! … Aim! Ready?
    Question 1: Web 2.0 content is being developed primarily by the same developers that write traditional web code. True or False?
    Question 2: Everyone understands the idea of "Web 2.0" and there are concrete standards. True or False?
    Question 3: Your company has deployed "Web 2.0 stuff" already. True or False?
  • 3. Answers…
    Question 1: False! Web 2.0 is being developed in large part not by traditional developers, but by "marketing or media folks"…
    Question 2: False! Ask 2 different people to define "Web 2.0"… listen to their answers.
    Question 3: (most likely) True! … and if you don't know it, it's even worse.
  • 4. The Hinges
  • 5. Understanding Web 2.0 Motivations
    2 reasons "Web 2.0" happened…
    1. Increased demand for processor cycles
    2. Increased demand for bandwidth
    What happened…
    • Logic moved from server → client
    • Invention of the asynchronous transaction
    • Browser becomes a "fat client"
  • 6. Understanding the attack surface
  • 7. Attack Surface: total addressable (attackable) surface area
  • 8. Attack Surface: total addressable (attackable) surface area
    Inputs
    Outputs
    APIs
    Functions (interactions)
    Functions (services)
    …
  • 9. Exploiting a bigger attack surface
  • 10. Users love to click stuff … Hackers love users who click stuff.
  • 11. Exploiting Weaknesses: Users
    Everyone's favorite → Click-Jacking
    [HIDDEN BUTTON] "Click the red dots!"
  • 12. Exploiting Weaknesses: Users
    [HIDDEN BUTTON] <a href="http://evilsite.com/exploit.js"> …….
    "Click the red dots?" This is an exploit page, hidden UNDER the cool new game that everyone is playing!
  • 13. The line between code | data has become blurred…
  • 14. Exploiting Weaknesses: Rich Content
    SoMe (Social Media) sites allow active content…
  • 15. Exploiting Weaknesses: Rich Content
    What is the difference?
    code:
      <script type="text/javascript"></script>
      <style type="text/css" title="currentStyle" media="screen"> @import "/001/001.css"; </style>
    data:
      <![CDATA[CHEVRON 0302550]]></name><address><![CDATA[1298 HOWARD ST]]></address><city><![CDATA[SAN FRANCISCO]]></city><stateProvince><![CDATA[CA]]></stateProvince><postalCode><![CDATA[94103]]></postalCode><country><![CDATA[US]]></country><brand><![CDATA[CHEVRON]]></brand><phone
  • 16. Exploiting Weaknesses: Rich Content
    Very few sites are static.
    Most sites/applications mix code | data at will → How do developers differentiate?
    • Data → static information
    • Code → script or program modifications
  • 17. Exploiting Weaknesses: Rich Content
    Users (victims) will copy/paste without knowing the consequences.
    Pimp-My-Profile.com is littered with ready-to-paste crap.
    Don't you just want to grab the BeSocial toolbar?
  • 18. Functionality is the arch-enemy of security
  • 19. Exploiting Weaknesses: Functionality
    Functionality gone totally wrong…
    FLASH OBJECT + CrossDomain.xml - security =
  • 20. Exploiting Weaknesses: Functionality
    Google → filetype:swf inurl:xml
    Check CrossDomain.xml for something like: <allow-access-from domain="*"/>
    Result: A simple programming "oops" creates a catastrophic failure in extended functionality!
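An added example (not from the deck) of the check the slide describes, turned on your own policy file: a small Python audit of crossdomain.xml that flags the wildcard grant and its neighbours, shown against a policy that names a single origin. Both policies are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample policies (not from the slides). The first is the "oops"
# the slide warns about; the second admits one named origin only.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction" />
</cross-domain-policy>"""


def audit_crossdomain(policy_xml: str) -> List[str]:
    """Return one finding per over-broad grant in a Flash cross-domain policy.

    Flagged: allow-access-from / allow-http-request-headers-from with a
    wildcard domain ("*" or "*.tld"), allow-access-from with secure="false"
    (lets http:// SWFs read an https:// site), and a missing <site-control>.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append(f'{tag}: every origin allowed (domain="*")')
            elif domain.startswith("*."):
                findings.append(f"{tag}: every subdomain of {domain[2:]} allowed")
            if tag == "allow-access-from" and el.get("secure", "true").lower() == "false":
                findings.append(f'{tag}: secure="false" for {domain}')
    if root.find("site-control") is None:
        findings.append("no <site-control>: policy does not restrict other policy files on the host")
    return findings
```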
  • 21. Exploiting Weaknesses: Functionality
    Each additional layered component is another chance to screw up security.
    Could you live without…
    • Google?
    • Multiple-app integrations (Google+Twitter+Facebook+…)?
    • Flash?
  • 22. Some really bad [real life] code
  • 23. What Could Possibly Go Wrong? …
    • Manipulation of business logic
    • Client-side data validations
    • Exposure of sensitive information
  • 24. Client-Side Logic Manipulation
      try {
          strURI = ExternalInterface.call("getLittleServer");
          …
          n1 = parseInt(strN1);
          n2 = parseInt(strN2);
          // the score and its "integrity key" are both computed on the client;
          // MD5 is a hash, not encryption, and the formula ships with the SWF
          nAlgo = n1 * n2 * nScore + nScore;
          strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
          encrypted_data = MD5.hash(strToPass);
          submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data;
          variables = new URLVariables();
          variables.attr1 = submission_data;
          request = new URLRequest(strURI);
          request.data = variables;
          navigateToURL(request, "_self");
          return submission_data;
          …
  • 25. What Could Possibly Go Wrong? …
    • Manipulation of business logic
    • Client-side data validations
    • Exposure of sensitive information
  • 26. Client-Side Data Validations
      …
      button 9 {
          on (release, keyPress '<Enter>') {
              // every "password" and every protected URL is compared inside the SWF,
              // so the client carries the complete answer key
              if (password eq 'PASSWORD') {
                  getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
              } else {
                  if (password eq 'PASSWORD') {
                      getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
                  } else {
                      if (password eq 'PASSWORD') {
                          getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
                      } else {
                          if (password eq 'PASSWORD') {
                              getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
                          } else {
                              if (password eq 'PASSWORD') {
                                  getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                              } else {
                                  …
  • 27. What Could Possibly Go Wrong? …
    • Manipulation of business logic
    • Client-side data validations
    • Exposure of sensitive information
  • 28. Thinking Web 2.0 Offense
      private static function query(arg0:String, arg1:flash.events::EventDispatcher = null) {
          …
          trace("2:MySQL Query: " + statement);
          if (this.connection == null) {
              try {
                  // database host, port, user, password and schema are shipped inside the SWF,
                  // wrapped in an obfuscation helper (irrcrpt) instead of staying on the server
                  this.connection = new Connection(irrcrpt("dqgurjudgh.frp", 3), 3306, irrcrpt("icog_nqikp", 2), irrcrpt("d1su4y", 1), irrcrpt("jdph", 3));
              } catch (e:SecurityError) {
                  var loc1:* = e;
                  statement = null;
                  Alert.show(statement.message, "Security Error");
                  …
              }
  • 29. LIVE decompile of a flash fail! (…err, file)
    … wait, I thought you couldn't do that?
  • 30. Fun with Web 2.0 … "highly interactive content"
  • 31. Attacking Web 2.0 Sites → MapQuest!
  • 32. Attacking Web 2.0 Sites → MapQuest!
    We insert this:
      "><frame src=http://google.com></iframe><script>alert(document.cookie)</script>
    PLAIN => PostalCode="><frame
    Let's ENCODE it to get past black-listing filters…
      %22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e
  • 33. Attacking Web 2.0 Sites → MapQuest!
  • 34. Attacking Web 2.0 Sites → MapQuest! … B-O-O-M
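As an added illustration (not part of the original deck) of why the encoding trick on slide 32 works and what stops it: a blacklist that inspects the raw parameter misses the URL-encoded form of the slide's payload, while canonicalising first and then applying a postal-code whitelist rejects both forms, and attribute-context output encoding neutralises whatever gets through. The filter, the whitelist pattern and the rendering function are assumptions for illustration.

```python
import html
import re
from urllib.parse import unquote

# The payload and its URL-encoded form, as shown on the slide.
PAYLOAD = '"><frame src=http://google.com></iframe><script>alert(document.cookie)</script>'
ENCODED = ("%22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e"
           "%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e")

# Assumed weak filter: looks for literal tags in whatever bytes arrive.
BLACKLIST = ("<script", "<iframe", "<frame", "javascript:")


def blacklist_filter_accepts(raw_param: str) -> bool:
    """The kind of filter the slide gets past: only verbatim tokens are caught."""
    lowered = raw_param.lower()
    return not any(bad in lowered for bad in BLACKLIST)


# Assumed whitelist for a postal code field: letters, digits, space, hyphen.
POSTAL_CODE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 -]{1,9}")


def canonicalise(raw_param: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so the
    validator sees what the application will actually use."""
    value = raw_param
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def whitelist_accepts(raw_param: str) -> bool:
    """Decode first, then accept only what a postal code can contain."""
    return POSTAL_CODE.fullmatch(canonicalise(raw_param)) is not None


def render_postal_code(value: str) -> str:
    """Output encoding for the attribute context on the slide (PostalCode="...").
    html.escape turns the leading quote into &quot;, so the attribute cannot be closed."""
    return f'<input name="PostalCode" value="{html.escape(value, quote=True)}">'
```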
  • 35. What Did We Just Learn?
    Web 2.0 isn't some magical new "thing"; it's a conglomeration of old technologies…
    …and yes, all the old bugs are
  • 36. Fun new ways to fail, or: new bad ideas
  • 37. Specification for Offline Web Apps
    From W3.org → http://www.w3.org/TR/offline-webapps/
    "Users of typical online Web applications are only able to use the applications while they have a connection to the Internet. When they go offline, they can no longer check their e-mail, browse their calendar appointments... The HTML 5 specification provides two solutions to this: a SQL-based database API for storing data locally, and an offline application HTTP cache for ensuring applications are available even when the user is not connected to their network."
  • 38. Options in Web 2.0 Land
    [Diagram] Would you rather hack this… (Remote System: Application + Database behind Hardened Defenses, reached across the Internet) … or this? (Browser with Local App Cache and Local Database (SQLite))
  • 39. Simple Problems with Offline Apps
    Online Application                 | Offline Application
    -----------------------------------|----------------------------------
    Remote data storage                | Local data storage
    Enterprise DB typically "secured"  | Local DB "forgotten"
    Enterprise DB difficult to access  | Local DB … on local filesystem
    Attack trips security mechanisms   | Few local security mechanisms
    Remote logic                       | Local "cached" logic
    Manipulate at run-time, remotely   | Manipulate code, locally
    Remote validation of logic         | Fully control/manipulate logic
  • 40. (de)Evolution of SoMe…
    First, came the applications… They were attacked… a lot… …then hardened.
  • 41. (de)Evolution of SoMe…
    Users wanted more. Applications were extended via APIs.
  • 42. (de)Evolution of SoMe…
    3rd parties built interfaces using the APIs.
  • 43. (de)Evolution of SoMe…
    Hackers attacked users via application APIs.
  • 44. SoMe Attacked Via Extension
    FaceBook still fighting worms and hacks against users via extensions (or plug-ins) built using legal API extensions (Koobface?)
    Twitter API continually being abused by worms and "bots" to spam and seed trojan malware
    Why attack a hardened resource/site when a hacker can use APIs to write malicious plug-ins?
  • 45. So what do we do about it?
  • 46. The 3 Keys to Success
    o Perform all control logic server-side
    o Validate all data at ingress & egress
    o Build zero-trust interfaces
    … and don't rely on others - remember, "the user will always choose dancing bears over security". - Schneier
  • 47. Perform All Control Logic Server-Side
    Application-critical logic must always be performed on the server side, where it is less likely to be manipulated.
    • You cannot trust code once it leaves your control
    • Web code can and will be reverse-engineered
    • Never push critical information (passwords, connection strings) to the client
  • 48. Validate All Data at Ingress/Egress
    Validate all data as it comes into your application, and also as it leaves.
    • Assume all input is malicious
    • Mix white-list, black-list → minimum required
    • Know what's leaving your application
  • 49. Build Zero-Trust Interfaces
    Assume exposed APIs/services will be attacked.
    • Never trust the interface to provide clean data, legal calls, or valid requests
    • Authenticate (AuthN) interfaces whenever possible
    • Don't forget AuthZ (authorization)
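Added example (not the author's code) putting slides 46-49 into practice against the score-submission pattern from slide 24: the server holds the game state and computes the score itself, the submission interface validates its inputs, authenticates with a keyed MAC under a secret that never leaves the server (instead of a client-computed MD5 "key"), and checks that the session belongs to the caller. The class and rule names (GameSession, ScoreService, POINTS_PER_HIT, MIN_SECONDS_BETWEEN_HITS) are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # never shipped to the client
POINTS_PER_HIT = 10                       # game rule decided by the server
MIN_SECONDS_BETWEEN_HITS = 0.05           # plausibility limit for a human player


class GameSession:
    """Authoritative game state: the client reports moves, the server keeps score."""
    def __init__(self, user_id, game_id, now):
        self.user_id, self.game_id = user_id, game_id
        self.last_hit, self.score = now, 0

    def record_hit(self, now):
        # Control logic stays server-side: the server decides what a hit is
        # worth and ignores hits arriving faster than the game allows.
        if now - self.last_hit < MIN_SECONDS_BETWEEN_HITS:
            return False
        self.last_hit, self.score = now, self.score + POINTS_PER_HIT
        return True


class ScoreService:
    def __init__(self):
        self.sessions = {}

    def _token(self, session_id, user_id):
        # Keyed MAC over (session, user); nothing the client can see lets it forge one.
        msg = f"{session_id}:{user_id}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def start(self, user_id, game_id, now):
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = GameSession(user_id, game_id, now)
        return session_id, self._token(session_id, user_id)

    def submit(self, session_id, user_id, token, claimed_score):
        """Zero-trust interface: validate, authenticate, authorize, then trust only
        the server's own score. Returns (accepted, server_score, note)."""
        # Ingress validation: reject malformed fields before doing anything else.
        if not (isinstance(session_id, str) and len(session_id) == 32
                and all(c in "0123456789abcdef" for c in session_id)):
            return False, None, "malformed session id"
        if not isinstance(claimed_score, int) or claimed_score < 0:
            return False, None, "malformed score"
        # AuthN: constant-time check that this server issued the token for this pair.
        if not (isinstance(token, str) and token.isascii()
                and hmac.compare_digest(token, self._token(session_id, user_id))):
            return False, None, "bad token"
        # AuthZ: the session must still exist and belong to the submitting user.
        session = self.sessions.get(session_id)
        if session is None or session.user_id != user_id:
            return False, None, "not your session"
        # The client's claimed score is noted for monitoring only; it never wins.
        note = "" if claimed_score == session.score else f"client claimed {claimed_score}"
        return True, session.score, note
```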
  • 50. Don't Rely on Others
    Every piece of software has exploitable defects!
    Don't assume other developers wrote secure code.
    Check, re-check and check again… and again.
  • 51. Thank You
    Rafal Los
    Twitter: @RafalLos
    Email: Rafal@HP.com
    Direct: +1 (765) 247 - 2325
    Blogs:
    "Following the White Rabbit" http://www.communities.hp.com/securitysoftware/blogs/rafal/default.aspx
    "Digital Soapbox" http://preachsecurity.blogspot.com
    Oh! … and I work in the HP Application Security Center (ASC)