1. When Web 2.0 Attacks!
Technology gone terribly wrong.

Rafal M. Los
HP -- ASC
rev 4
7 February 2010
2. Fire! … Aim! Ready?
Question 1: Web 2.0 content is being developed primarily by the same developers that write traditional web code. True or False?

Question 2: Everyone understands the idea of “Web 2.0” and there are concrete standards. True or False?

Question 3: Your company has deployed “Web 2.0 stuff” already. True or False?
3. Answers…
Question 1: False! Web 2.0 is being developed in large part not by traditional developers, but by “marketing or media folks”…

Question 2: False! Ask 2 different people to define “Web 2.0”… listen to their answers.

Question 3: (most likely) True! … and if you don’t know it, it’s even worse.
4. The Hinges
5. Understanding Web 2.0 Motivations
2 reasons “Web 2.0” happened…
1. Increased demand for processor cycles
2. Increased demand for bandwidth

What happened…
• Logic moved from server to client
• Invention of the asynchronous transaction
• Browser becomes a “fat client”
6. Understanding the attack surface
7. Attack Surface
Total addressable (attackable) surface area
8. Attack Surface
Total addressable (attackable) surface area:
Inputs
Outputs
APIs
Functions (interactions)
Functions (services)
…
9. Exploiting a bigger attack surface
10. Users love to click stuff …
Hackers love users who click stuff.
11. Exploiting Weaknesses: Users
Everyone’s favorite: Click-Jacking
[Figure: a HIDDEN BUTTON layered under a “Click the red dots!” game]
12. Exploiting Weaknesses: Users
[Figure: the same “Click the red dots?” game with the HIDDEN BUTTON and this markup underneath]
<a href="http://evilsite.com/exploit.js">
…
This is an exploit page, hidden UNDER the cool new game that everyone is playing!
13. The line between code | data has become blurred…
14. Exploiting Weaknesses: Rich Content
SoMe (Social Media) sites allow active content…
15. Exploiting Weaknesses: Rich Content
What is the difference?

code
<script type="text/javascript"></script>
<style type="text/css" title="currentStyle" media="screen"> @import "/001/001.css"; </style>

data
<![CDATA[CHEVRON 0302550]]></name><address><![CDATA[1298 HOWARD ST]]></address><city><![CDATA[SAN FRANCISCO]]></city><stateProvince><![CDATA[CA]]></stateProvince><postalCode><![CDATA[94103]]></postalCode><country><![CDATA[US]]></country><brand><![CDATA[CHEVRON]]></brand><phone
16. Exploiting Weaknesses: Rich Content
Very few sites are static
Most sites/applications mix code | data at will

How do developers differentiate?
• Data: static information
• Code: script or program modifications
17. Exploiting Weaknesses: Rich Content
Users (victims) will copy/paste without knowing the consequences
Pimp-My-Profile.com is littered with ready-to-paste crap.
Don’t you just want to grab the BeSocial toolbar?
18. Functionality is the arch-enemy of security
19. Exploiting Weaknesses: Functionality
Functionality gone totally wrong…
FLASH OBJECT + CrossDomain.xml - security =
20. Exploiting Weaknesses: Functionality
Google: filetype:swf inurl:xml

Check CrossDomain.xml for something like:
<allow-access-from domain="*"/>

Result: A simple programming “oops” creates a catastrophic failure in extended functionality!
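As an added example (not part of the original deck), a small audit routine that parses a crossdomain.xml policy and reports the wildcard rule the slide warns about; it goes a little beyond the slide by also flagging wildcard subdomains, secure="false" and a missing site-control element. The two sample policies are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample policies (not taken from any real site).
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.partner.example" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml: str) -> List[str]:
    """Return a list of findings for a Flash crossdomain.xml policy.

    A bare "*" lets a SWF served from any origin read responses from this
    host with the visitor's cookies attached, which is the "oops" the slide
    describes.  Subdomain wildcards and secure="false" widen trust too.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.find("site-control") is None:
        findings.append("no <site-control>: other policy files on the host may also be honoured")
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can make credentialed reads')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule {domain!r}: every host under it is trusted")
        if secure == "false":
            findings.append(f'secure="false" on {domain!r}: non-TLS SWFs are trusted')
    return findings
```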
21. Exploiting Weaknesses: Functionality
Each additional layered component is another chance to screw up security

Could you live without…
• Google?
• Multiple-app integrations (Google+Twitter+Facebook+…)?
• Flash?
22. Some really bad [real life] code
23. What Could Possibly Go Wrong?
…
• Manipulation of business logic
• Client-side data validations
• Exposure of sensitive information
24. Client-Side Logic Manipulation
try {
    strURI = ExternalInterface.call("getLittleServer");
    …
    n1 = parseInt(strN1);
    n2 = parseInt(strN2);
    // The "key" is derived only from values the client itself chooses,
    // so anyone who reads this SWF can compute a valid key for any score.
    nAlgo = n1 * n2 * nScore + nScore;
    strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
    encrypted_data = MD5.hash(strToPass);   // an unkeyed hash, not encryption
    submission_data = "score=" + nScore + "|gameId=" + nGameId +
        "|timestamp=" + nTime + "|key=" + encrypted_data;
    variables = new URLVariables();
    variables.attr1 = submission_data;
    request = new URLRequest(strURI);
    request.data = variables;
    navigateToURL(request, "_self");
    return submission_data;
…
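Added example, not from the deck: the server-side counterpart the "perform all control logic server-side" key later in the deck calls for. Instead of a client-computed MD5 "key", the server issues an HMAC-signed session token when a game starts and verifies score submissions against it; the secret, the replay check and the plausibility bound never leave the server. The secret value and the scoring rate are placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set

# Placeholder: in production this is a random key held only on the server.
SERVER_SECRET = b"replace-me-with-a-random-32-byte-key"


def issue_session(game_id: str, started_at: float) -> str:
    """Server mints a token when the game starts; the client cannot forge one."""
    nonce = secrets.token_hex(8)
    msg = f"{game_id}|{int(started_at)}|{nonce}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{game_id}|{int(started_at)}|{nonce}|{tag}"


def verify_submission(token: str, score: int, now: float, seen: Set[str],
                      max_rate: float = 10.0) -> Optional[str]:
    """Return None to accept the score, otherwise the rejection reason.

    `seen` holds nonces of tokens already redeemed (replay protection);
    `max_rate` is an assumed upper bound on points per second of play.
    """
    try:
        game_id, started, nonce, tag = token.split("|")
    except ValueError:
        return "malformed token"
    msg = f"{game_id}|{started}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad signature"
    if nonce in seen:
        return "replayed token"
    elapsed = now - int(started)
    if elapsed <= 0:
        return "submission before game start"
    if score < 0 or score > elapsed * max_rate:
        return "score not plausible for elapsed time"
    seen.add(nonce)          # redeem only once every check has passed
    return None
```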
25. What Could Possibly Go Wrong?
…
• Manipulation of business logic
• Client-side data validations
• Exposure of sensitive information
26. Client-Side Data Validations
…
// Every customer password (redacted here as PASSWORD) is compared inside
// the SWF itself, so the whole list ships to anyone who downloads the file.
button 9 {
    on (release, keyPress '<Enter>') {
        if (password eq ' PASSWORD ') {
            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
        } else {
            if (password eq ' PASSWORD ') {
                getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
            } else {
                if (password eq ' PASSWORD ') {
                    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
                } else {
                    if (password eq ' PASSWORD ') {
                        getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
                    } else {
                        if (password eq ' PASSWORD ') {
                            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                        } else {
…
27. What Could Possibly Go Wrong?
…
• Manipulation of business logic
• Client-side data validations
• Exposure of sensitive information
28. Thinking Web 2.0 Offense
// Decompiler output: the MySQL host, port, user, password and database are
// all in the SWF, "protected" only by a letter-shift routine (irrcrpt).
private static function query(arg0:String, arg1:flash.events::EventDispatcher = null)
{
    …
    trace("2:MySQL Query: " + statement);
    if(this.connection == null)
    {
        try {
            this.connection = new Connection(irrcrpt("dqgurjudgh.frp", 3), 3306,
                irrcrpt("icog_nqikp", 2), irrcrpt("d1su4y", 1), irrcrpt("jdph", 3));
        } catch (e:SecurityError) {
            var loc1:* = e;
            statement = null;
            Alert.show(statement.message, "Security Error");
            …
        }
    }
}
29. LIVE decompile of a flash fail! (…err, file)
… wait, I thought you couldn’t do that?
30. Fun with Web 2.0
… “highly interactive content”
31. Attacking Web 2.0 Sites: MapQuest!
32. Attacking Web 2.0 Sites: MapQuest!
We insert this:
"><frame src=http://google.com></iframe><script>alert(document.cookie)</script>

PLAIN => PostalCode="><frame…
Let’s ENCODE it to get past black-listing filters…
%22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e
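Added example (not part of the original deck) showing why the encoding trick on this slide works and what the "validate at ingress/egress" key later in the deck looks like for this field: a substring black-list on the raw parameter misses the percent-encoded payload, whereas canonicalizing (decoding until stable) and then white-listing the postal-code format rejects it, and the accepted value is still escaped on output. The accepted formats (US ZIP/ZIP+4 and Canadian codes) are an assumption for the example.

```python
import html
import re
from urllib.parse import unquote

# The encoded payload from the slide, and the kind of black-list it slips past.
ENCODED_PAYLOAD = ("%22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e"
                   "%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e")
BLACKLIST = ("<script", "<iframe", "<frame", "javascript:")

# Assumed white-list: US ZIP or ZIP+4, or a Canadian postal code.
POSTAL_RE = re.compile(r"\d{5}(-\d{4})?|[A-Z]\d[A-Z] ?\d[A-Z]\d")


def canonicalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so the filter sees what the browser will see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def blacklist_rejects(raw: str) -> bool:
    """The weak approach: substring match on the raw, still-encoded parameter."""
    return any(bad in raw.lower() for bad in BLACKLIST)


def validate_postal_code(raw: str):
    """Ingress: canonicalize, then white-list. Returns (ok, value_or_reason)."""
    value = canonicalize(raw).strip().upper()
    if POSTAL_RE.fullmatch(value):
        return True, value
    return False, "postal code does not match the allowed pattern"


def render_postal_code(value: str) -> str:
    """Egress: even an accepted value is escaped before it goes back into HTML."""
    return f'<input name="PostalCode" value="{html.escape(value, quote=True)}">'
```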
33. Attacking Web 2.0 Sites: MapQuest!
34. Attacking Web 2.0 Sites: MapQuest!
… B-O-O-M
35. What Did We Just Learn?
Web 2.0 isn’t some magical new “thing”; it’s a conglomeration of old technologies…

…and yes, all the old bugs are
36. Fun new ways to fail
or: new bad ideas
37. Specification for Offline Web Apps
From W3.org http://www.w3.org/TR/offline-webapps/

Users of typical online Web applications are only able to use the applications while they have a connection to the Internet. When they go offline, they can no longer check their e-mail, browse their calendar appointments...

The HTML 5 specification provides two solutions to this: a SQL-based database API for storing data locally, and an offline application HTTP cache for ensuring applications are available even when the user is not connected to their network.
38. Options in Web 2.0 Land
Would you rather hack this… or this?
[Figure: a Remote System (Application, Database, Hardened Defenses) reached across the Internet, versus a Browser holding a Local App Cache and a Local Database (SQLite)]
39. Simple Problems with Offline Apps
Online Application                  | Offline Application
Remote data storage                 | Local data storage
Enterprise DB typically “secured”   | Local DB “forgotten”
Enterprise DB difficult to access   | Local DB … on local filesystem
Attack trips security mechanisms    | Few local security mechanisms
Remote logic                        | Local “cached” logic
Manipulate at run-time, remotely    | Manipulate code, locally
Remote validation of logic          | Fully control/manipulate logic
40. (de)Evolution of SoMe…
First, came the applications…
They were attacked… a lot…
…then hardened.
41. (de)Evolution of SoMe…
Users wanted more.
Applications were extended via APIs.
42. (de)Evolution of SoMe…
3rd parties built interfaces using the APIs
43. (de)Evolution of SoMe…
Hackers attacked users via application APIs
44. SoMe Attacked Via Extension
FaceBook still fighting worms and hacks against users via extensions (or plug-ins) built using legal API extensions (Koobface?)

Twitter API continually being abused by worms and “bots” to spam and seed trojan malware

Why attack a hardened resource/site when a hacker can use APIs to write malicious plug-ins?
45. So what do we do about it?
46. The 3 Keys to Success
o Perform all control logic server-side
o Validate all data at ingress & egress
o Build zero-trust interfaces

… and don’t rely on others. Remember, “the user will always choose dancing bears over security”. - Schneier
47. Perform All Control Logic Server-Side
Application-critical logic must always be performed on the server side, where it is less likely to be manipulated

• You can’t trust code once it leaves your control
• Web code can and will be reverse-engineered
• Never push critical information (passwords, connection strings) to the client
48. Validate All Data at Ingress/Egress
Validate all data as it comes into your application, and also as it leaves

• Assume all input is malicious
• Mix white-list and black-list (minimum required)
• Know what’s leaving your application
49. Build Zero-Trust Interfaces
Assume exposed APIs/services will be attacked

• Never trust the interface to provide clean data, legal calls, or valid requests
• Authenticate (AuthN) interfaces whenever possible
• Don’t forget AuthZ (authorization)
50. Don’t Rely on Others
Every piece of software has exploitable defects!
Don’t assume other developers wrote secure code.
Check, re-check and check again… and again.
51. Thank You
Rafal Los
Twitter: @RafalLos
Email: Rafal@HP.com
Direct: +1 (765) 247 - 2325

Blogs:
“Following the White Rabbit”
http://www.communities.hp.com/securitysoftware/blogs/rafal/default.aspx
“Digital Soapbox”
http://preachsecurity.blogspot.com

Oh! … and I work in the HP Application Security Center (ASC)