DO NOT DISTRIBUTE

When Web 2.0 Attacks!
Technology gone terribly wrong.

Rafal M. Los
HP -- ASC

rev 4
7 February 2010
Fire! … Aim! Ready?

Question 1: Web 2.0 content is being developed primarily by the same developers that write traditional web code. True or False?

Question 2: Everyone understands the idea of “Web 2.0” and there are concrete standards. True or False?

Question 3: Your company has deployed “Web 2.0 stuff” already. True or False?
Answers…

Question 1: False! Web 2.0 is being developed in a large part not by traditional developers, but by “marketing or media folks”…

Question 2: False! Ask 2 different people to define “Web 2.0”… listen to their answers.

Question 3: (most likely) True! … and if you don't know it, it's even worse.
The Hinges
Understanding Web 2.0 Motivations

2 reasons “Web 2.0” happened…
    1. Increased demand for processor cycles
    2. Increased demand for bandwidth

What happened…
•   Logic moved from server -> client
•   Invention of the asynchronous transaction
•   Browser becomes a “fat client”
Understanding the attack surface
Attack Surface

Total addressable (attackable) surface area
Attack Surface

Total addressable (attackable) surface area

    Inputs
    Outputs
    APIs
    Functions (interactions)
    Functions (services)
    …
Exploiting a bigger attack surface
Users love to click stuff …

Hackers love users who click stuff.
Exploiting Weaknesses: Users

Everyone's favorite -> Click-Jacking

    HIDDEN BUTTON

    “Click the red dots!”
Exploiting Weaknesses: Users

    HIDDEN BUTTON

    <a href="http://evilsite.com/exploit.js">
    …….

    Click the red dots?

    This is an exploit page, hidden UNDER the cool new game that everyone is playing!
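The defence against the hidden-button trick above lives in the response headers of the page being hidden, and the rule for reading them has a wrinkle worth checking: when Content-Security-Policy carries a frame-ancestors directive, browsers ignore X-Frame-Options entirely. The following is an added example, not code from the deck: a small audit function that takes a set of response headers and decides whether a third-party origin could frame the page. The header values, origins and function names (canBeFramedBy, framableByGame) are constructed for illustration.

```javascript
// Added example, not from the original deck: a defender-side check of the
// response headers that stop a page from being framed "under" another site.
// Header values and origins below are constructed.

// Extract the source list of a Content-Security-Policy frame-ancestors
// directive; null when the header or the directive is absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Match one frame-ancestors source (scheme://host, optionally with a leading
// "*." host wildcard) against an origin string such as "https://app.example".
// Simplified on purpose: scheme-less sources and ports are not handled.
function originMatches(source, origin) {
  if (source === origin) return true;
  const m = /^(https?:\/\/)\*\.(.+)$/.exec(source);
  if (!m) return false;
  const [, scheme, suffix] = m;
  return origin.startsWith(scheme) && origin.slice(scheme.length).endsWith('.' + suffix);
}

// Decide whether a page from pageOrigin, served with these response headers
// (object keyed by lower-cased header name), may be framed by embedderOrigin.
// When CSP carries frame-ancestors, browsers ignore X-Frame-Options, so the
// CSP branch is evaluated first and X-Frame-Options only as a fallback.
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    if (sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && embedderOrigin === pageOrigin) return true;
    return sources.some((s) => originMatches(s, embedderOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no protection at all: any site, including a "cool new game", can frame it
}

// Constructed sample: the page a user is logged in to, and a third-party game
// site that would like to load it invisibly underneath its own buttons.
const PAGE = 'https://account.example';
const GAME = 'https://cool-new-game.example';

const SAMPLE_HEADER_SETS = {
  unprotected: {},
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspSelfOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
};

// Report which sample configurations still let the game site frame the page.
function framableByGame() {
  return Object.entries(SAMPLE_HEADER_SETS)
    .filter(([, h]) => canBeFramedBy(h, PAGE, GAME))
    .map(([name]) => name);
}

for (const name of framableByGame()) console.log(`${name}: framable by ${GAME}`);
```

Run against a real deployment by feeding it the headers a HEAD request returns; a page that is framable by an origin you do not control is the one a hidden-button page can sit on top of.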
The line between code | data has become blurred…
Exploiting Weaknesses: Rich Content

SoMe (Social Media) sites allow active content…
Exploiting Weaknesses: Rich Content

What is the difference?

    code
    <script type="text/javascript"></script>
    <style type="text/css" title="currentStyle" media="screen"> @import "/001/001.css"; </style>

    data
    <![CDATA[CHEVRON 0302550]]></name><address><![CDATA[1298 HOWARD ST]]></address><city><![CDATA[SAN FRANCISCO]]></city><stateProvince><![CDATA[CA]]></stateProvince><postalCode><![CDATA[94103]]></postalCode><country><![CDATA[US]]></country><brand><![CDATA[CHEVRON]]></brand><phone
Exploiting Weaknesses: Rich Content

Very few sites are static

    Most sites/applications mix code | data at will

How do developers differentiate?

•    Data -> static information
•    Code -> script or program modifications
Exploiting Weaknesses: Rich Content

Users (victims) will copy/paste without knowing the consequences

Pimp-My-Profile.com is littered with ready-to-paste crap.

    Don't you just want to grab the BeSocial toolbar?
Functionality is the arch-enemy of security
Exploiting Weaknesses: Functionality

Functionality gone totally wrong…

FLASH OBJECT + CrossDomain.xml - security =
Exploiting Weaknesses: Functionality

Google -> filetype:swf inurl:xml

Check CrossDomain.xml for something like:
    <allow-access-from domain="*"/>

Result: A simple programming “oops” creates a catastrophic failure in extended functionality!
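The wildcard rule above is the setting to look for in your own crossdomain.xml, and it is not the only one that widens access. The following is an added example, not code from the deck: an audit routine that scans a policy file for the wildcard domain, for wildcard subdomains, for rules that also apply over plaintext HTTP, and for a missing restrictive site-control element, and shows a weak policy beside a hardened one. The two policy files and the function names (parseAllowRules, auditCrossDomainPolicy) are constructed for illustration.

```javascript
// Added example, not from the original deck: audit a Flash crossdomain.xml
// policy for the over-permissive settings the slide warns about. Both policy
// files below are constructed samples, not any real site's file.

const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const HARDENED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="api.example.com" secure="true" />
</cross-domain-policy>`;

// Pull every allow-access-from element and its attributes out of the policy.
// The format is flat and well known, so a regex scanner is sufficient here.
function parseAllowRules(xml) {
  const rules = [];
  const tagRe = /<allow-access-from\b([^>]*)\/?>/gi;
  const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    rules.push(attrs);
  }
  return rules;
}

// Return a list of findings; an empty list means nothing obviously wrong.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  for (const rule of parseAllowRules(xml)) {
    const domain = rule.domain || '';
    if (domain === '*') {
      findings.push('allow-access-from domain="*": any site can make credentialed requests through Flash');
    } else if (domain.startsWith('*.')) {
      findings.push(`wildcard subdomain rule "${domain}": every subdomain, including user-controlled ones, is trusted`);
    }
    if (rule.secure === 'false') {
      findings.push(`secure="false" on "${domain}": the rule also applies to plaintext HTTP callers`);
    }
  }
  // Without a restrictive site-control element, sub-policies placed elsewhere
  // on the host could grant access the master policy never intended.
  if (!/permitted-cross-domain-policies\s*=\s*"(master-only|none|by-content-type)"/i.test(xml)) {
    findings.push('no restrictive <site-control> element: sub-policies elsewhere on the host could widen access');
  }
  return findings;
}

for (const [name, xml] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  console.log(name, auditCrossDomainPolicy(xml));
}
```

Point the function at the policy fetched from each host you own; a single finding is enough to hand cross-origin read access to whoever can serve a SWF.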
Exploiting Weaknesses: Functionality

Each additional layered component is another chance to screw up security

Could you live without…
•    Google?
•    Multiple-app integrations (Google+Twitter+Facebook+…?)
•    Flash?
Some really bad [real life] code
What Could Possibly Go Wrong?

…

•    Manipulation of business logic
•    Client-side data validations
•    Exposure of sensitive information
Client-Side Logic Manipulation

    try {
        strURI = ExternalInterface.call("getLittleServer");
        …
        n1 = parseInt(strN1);
        n2 = parseInt(strN2);
        // the "algorithm" and the MD5 "key" are computed from values the client
        // already holds, so the client can produce a matching key for any score
        nAlgo = n1 * n2 * nScore + nScore;
        strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo;
        encrypted_data = MD5.hash(strToPass);
        submission_data = "score=" + nScore + "|gameId=" + nGameId +
            "|timestamp=" + nTime + "|key=" + encrypted_data;
        variables = new URLVariables();
        variables.attr1 = submission_data;
        request = new URLRequest(strURI);
        request.data = variables;
        navigateToURL(request, "_self");
        return submission_data;
    …
Client-Side Data Validations

    …
    button 9 {
        on (release, keyPress '<Enter>') {
            // every password and every destination page is compared and
            // selected inside the SWF itself, so all of them ship to the client
            if (password eq ' PASSWORD ') {
                getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', '');
            } else {
                if (password eq ' PASSWORD ') {
                    getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', '');
                } else {
                    if (password eq ' PASSWORD ') {
                        getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', '');
                    } else {
                        if (password eq ' PASSWORD ') {
                            getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', '');
                        } else {
                            if (password eq ' PASSWORD ') {
                                getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', '');
                            } else {
    …
Thinking Web 2.0 Offense

    private static function query(arg0:String, arg1:flash.events::EventDispatcher = null)
    {
        …
        trace("2:MySQL Query: " + statement);
        if (this.connection == null)
        {
            try {
                // host, port, user, password and database name all travel inside the
                // SWF; irrcrpt() is a reversible obfuscation whose parameters ship
                // with it, so a decompile recovers the real values
                this.connection = new Connection(irrcrpt("dqgurjudgh.frp", 3), 3306,
                    irrcrpt("icog_nqikp", 2), irrcrpt("d1su4y", 1), irrcrpt("jdph", 3));
            } catch (e:SecurityError) {
                var loc1:* = e;
                // as decompiled: statement is nulled and then dereferenced
                statement = null;
                Alert.show(statement.message, "Security Error");
                …
            }
        …
LIVE decompile of a flash fail! (…err, file)

    … wait, I thought you couldn't do that?
Fun with Web 2.0

    … “highly interactive content”
Attacking Web 2.0 Sites -> MapQuest!
Attacking Web 2.0 Sites -> MapQuest!

We insert this:
    "><frame src=http://google.com></iframe><script>alert(document.cookie)</script>

PLAIN => PostalCode="><frame

Let's ENCODE it to get past black-listing filters…
    %22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e
Attacking Web 2.0 Sites -> MapQuest!
Attacking Web 2.0 Sites -> MapQuest!

… B-O-O-M
What Did We Just Learn?

Web 2.0 isn't some magical new “thing”; it's a conglomeration of old technologies…

…and yes, all the old bugs are
Fun new ways to fail

    or: new bad ideas
Specification for Offline Web Apps

From W3.org -> http://www.w3.org/TR/offline-webapps/

Users of typical online Web applications are only able to use the applications while they have a connection to the Internet. When they go offline, they can no longer check their e-mail, browse their calendar appointments...

The HTML 5 specification provides two solutions to this: a SQL-based database API for storing data locally, and an offline application HTTP cache for ensuring applications are available even when the user is not connected to their network.
Options in Web 2.0 Land

    Remote System (Application)              Would you rather hack this…
        Database Application
        Hardened Defenses

                Internet

    Browser                                  … or this?
        Local Database (SQLite)
        Local App Cache
Simple Problems with Offline Apps

    Online Application                        Offline Application
    ----------------------------------------  ----------------------------------------
    Remote data storage                       Local data storage
        Enterprise DB typically “secured”         Local DB “forgotten”
        Enterprise DB difficult to access         Local DB … on local filesystem
        Attack trips security mechanisms          Few local security mechanisms
    Remote Logic                              Local “Cached” Logic
        Manipulate at run-time, remotely          Manipulate code, locally
        Remote validation of logic                Fully control/manipulate logic
(de)Evolution of SoMe…

    First, came the applications…

    They were attacked… a lot…

    …then hardened.
(de)Evolution of SoMe…

    Users wanted more.

    Applications were extended via APIs.
(de)Evolution of SoMe…

    3rd parties built interfaces using the APIs
(de)Evolution of SoMe…

    Hackers attacked users via application APIs
SoMe Attacked Via Extension

FaceBook still fighting worms and hacks against users via extensions (or plug-ins) built using legal API extensions (Koobface?)

Twitter API continually being abused by worms and “bots” to spam and seed trojan malware

Why attack a hardened resource/site when a hacker can use APIs to write malicious plug-ins?
So what do we do about it?
The 3 Keys to Success

o Perform all control logic server-side
o Validate all data at ingress & egress
o Build zero-trust interfaces

… and don't rely on others; remember, “the user will always choose dancing bears over security”. - Schneier
Perform All Control Logic Server-Side

Application-critical logic must always be performed on the server side, where it is less likely to be manipulated

• You cannot trust code once it leaves your control
• Web code can and will be reverse-engineered
• Never push critical information (passwords, connection strings) to the client

49
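The “client-side logic manipulation” slide earlier in the deck shows a Flash client computing its own submission key (an MD5 over score, gameId and time) and posting the score, which is exactly the logic this slide says belongs on the server. As an added example (not code from the deck or from HP), the Python below keeps both the secret and the decision on the server: it issues an HMAC-signed session token when a game starts and, on submission, verifies the signature, refuses replays and bounds the score by the time actually played. SERVER_SECRET, start_game, accept_score and the two limits are names and values assumed for illustration.

```python
"""Server-side control logic for a game-score submission.

Added example, not code from the deck. The deck's Flash snippet has the
client compute its own "key" and post it, so a player can forge any score.
Here the server holds the only secret and makes every decision itself.
SERVER_SECRET, start_game, accept_score and the two limits are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Secret stays on the server; the client never sees it.
SERVER_SECRET = secrets.token_bytes(32)

# Server-side policy the client cannot influence (assumed values).
MAX_SCORE_PER_SECOND = 50     # upper bound on a believable scoring rate
MAX_SESSION_SECONDS = 3600    # sessions older than this are rejected

# Nonces already consumed, so a genuine token cannot be replayed.
_used_nonces = set()


def _sign(game_id: str, started_at: int, nonce: str) -> str:
    """HMAC over the fields the server wants to bind together."""
    msg = f"{game_id}|{started_at}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_game(game_id: str, now: Optional[int] = None) -> dict:
    """Issue a session token when the game starts; the client stores it opaquely."""
    started_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return {"game_id": game_id, "started_at": started_at, "nonce": nonce,
            "sig": _sign(game_id, started_at, nonce)}


def accept_score(submission: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide on the server whether to accept a score. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        game_id = str(submission["game_id"])
        started_at = int(submission["started_at"])
        nonce = str(submission["nonce"])
        sig = str(submission["sig"])
        score = int(submission["score"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed submission"

    # 1. Integrity: the token must carry our own signature (constant-time compare).
    expected = _sign(game_id, started_at, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    # 2. Replay: each token is good for exactly one submission.
    if nonce in _used_nonces:
        return False, "token already used"
    # 3. Plausibility: the server, not the client, decides what score is
    #    believable for the time actually spent playing.
    elapsed = now - started_at
    if elapsed < 0 or elapsed > MAX_SESSION_SECONDS:
        return False, "session expired or clock skew"
    if score < 0 or score > MAX_SCORE_PER_SECOND * max(elapsed, 1):
        return False, "score not plausible for elapsed time"

    _used_nonces.add(nonce)
    return True, "accepted"


if __name__ == "__main__":
    token = start_game("game-42", now=1000)
    print(accept_score(dict(token, score=500), now=1020))   # (True, 'accepted')
    print(accept_score(dict(token, score=500), now=1021))   # replay is rejected
```

Nothing the client sends is trusted on its own: the signature proves the server issued the token, the nonce set stops a real token from being reused, and the rate bound replaces the client-computed “nAlgo” with a server-side judgement.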
Validate All Data at Ingress/Egress

Validate all data as it comes into your application, and also as it leaves

• Assume all input is malicious
• Mix white-list, black-list → minimum required
• Know what’s leaving your application

50
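The MapQuest slides earlier in the deck show a URL-encoded `"><frame ...><script>` payload getting past a black-list filter through the PostalCode parameter. As an added example (not code from the deck or from HP), the Python below reproduces that encoded string as constructed sample input and handles the field the way this slide recommends: canonicalize (decode) first, allow-list the postal code on ingress, and HTML-encode anything echoed back on egress, with the black-list kept only as a secondary check. BAD_WORDS, POSTAL_RE and the function names are assumptions for illustration.

```python
"""Ingress/egress handling for a postal-code parameter.

Added example, not from the deck. Canonicalize, allow-list on the way in,
encode on the way out. BAD_WORDS and the postal-code grammar are assumed.
"""
import html
import re
import urllib.parse
from typing import Optional

# The deck's encoded payload, reproduced here as constructed sample input.
ENCODED_PAYLOAD = ("%22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e"
                   "%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e")

# A naive black-list of the kind the deck says attackers simply encode around.
BAD_WORDS = ("<script", "<frame", "<iframe")

# Allow-list grammar (assumed): US ZIP or ZIP+4, or a Canadian postal code.
POSTAL_RE = re.compile(r"^(\d{5}(-\d{4})?|[A-Z]\d[A-Z] ?\d[A-Z]\d)$")


def blacklist_passes(raw: str) -> bool:
    """Black-list check on the raw parameter, the way a weak filter does it."""
    lowered = raw.lower()
    return not any(bad in lowered for bad in BAD_WORDS)


def canonicalize(raw: str) -> str:
    """Decode until the value stops changing, so double-encoding cannot hide it."""
    value = raw
    for _ in range(3):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def ingress_postal_code(raw: str) -> Optional[str]:
    """Return the validated postal code, or None if it is not on the allow-list."""
    value = canonicalize(raw).upper()
    return value if POSTAL_RE.fullmatch(value) else None


def egress_html(value: str) -> str:
    """Output encoding: whatever reaches the page is rendered as text, not markup."""
    return html.escape(value, quote=True)


def handle(raw: str) -> dict:
    """Run both steps on one parameter and report what each decided."""
    accepted = ingress_postal_code(raw)
    if accepted is None:
        # Even an error page that echoes the input is safe once it is encoded.
        rendered = "Invalid postal code: " + egress_html(canonicalize(raw))
    else:
        rendered = egress_html(accepted)
    return {"blacklist_passes": blacklist_passes(raw),
            "accepted": accepted,
            "rendered": rendered}


if __name__ == "__main__":
    print(handle(ENCODED_PAYLOAD))   # black-list passes, allow-list rejects, output encoded
    print(handle("94103"))           # accepted as-is
```

Run against the deck's payload, the black-list on the raw string passes it (the angle brackets are still `%3c`), the allow-list rejects it after decoding, and the echoed error text contains no `<` at all.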
Build Zero-Trust Interfaces

Assume exposed APIs/services will be attacked

• Never trust the interface to provide clean data, legal calls, or valid requests
• Authenticate (AuthN) interfaces whenever possible
• Don’t forget AuthZ (authorization)

51
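As an added example (not from the deck or from HP), a profile-update endpoint treated as a zero-trust interface in Python: the request body is checked against a field allow-list before anything else, the caller is authenticated from a bearer token (AuthN), and the authenticated principal is then authorized against the specific profile it names (AuthZ), so a valid token on its own is not enough. The token table, profile data, allowed fields and route name are constructed for illustration.

```python
"""Zero-trust handling for an exposed API endpoint.

Added example, not from the deck. Every request is hostile until it has
passed schema validation, AuthN and AuthZ, in that order. TOKENS, PROFILES,
ALLOWED_FIELDS and the route are constructed for illustration.
"""
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample data: API tokens and who owns which profile.
TOKENS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
PROFILES = {"alice": {"display_name": "Alice"}, "bob": {"display_name": "Bob"}}
ALLOWED_FIELDS = {"display_name"}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """AuthN: map a bearer token to a principal using a constant-time compare."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, user in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return user
    return None


def authorize(principal: str, target_user: str) -> bool:
    """AuthZ: a principal may only modify its own profile."""
    return principal == target_user


def parse_body(raw: bytes) -> Optional[dict]:
    """Never trust the interface to give clean data: accept only a JSON object
    whose keys are all known fields and whose values are short strings."""
    try:
        body = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict) or not body:
        return None
    if set(body) - ALLOWED_FIELDS:
        return None
    if not all(isinstance(v, str) and 0 < len(v) <= 64 for v in body.values()):
        return None
    return body


def update_profile(target_user: str, headers: Dict[str, str],
                   raw_body: bytes) -> Tuple[int, str]:
    """PUT /profiles/<target_user>: returns (HTTP status, message)."""
    body = parse_body(raw_body)
    if body is None:
        return 400, "invalid request body"
    principal = authenticate(headers)
    if principal is None:
        return 401, "authentication required"
    if not authorize(principal, target_user):
        return 403, "forbidden"
    if target_user not in PROFILES:
        return 404, "no such profile"
    PROFILES[target_user].update(body)
    return 200, "updated"


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer tok-alice-7f3a"}
    print(update_profile("alice", hdr, b'{"display_name": "Alice L."}'))  # (200, 'updated')
    print(update_profile("bob", hdr, b'{"display_name": "Mallory"}'))     # (403, 'forbidden')
```

The order matters: malformed input is rejected before any credential is examined, and authorization is decided per resource rather than inferred from the fact that a token was valid.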
Don’t Rely on Others

Every piece of software has exploitable defects!

Don’t assume other developers wrote secure code.

Check, re-check and check again… and again.

52
Thank You

Rafal Los
Twitter: @RafalLos
Email: Rafal@HP.com
Direct: +1 (765) 247 - 2325
Blogs:
“Following the White Rabbit”
http://www.communities.hp.com/securitysoftware/blogs/rafal/default.aspx
“Digital Soapbox”
http://preachsecurity.blogspot.com

Oh! … and I work in the HP Application Security Center (ASC)

53

Sans Feb 2010 - When Web 2 0 Attacks v3.3

  • 1. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE When Web 2.0 DO NOT DISTRIBUTE Attacks! DO NOT DISTRIBUTE Technology gone terribly wrong. DO NOT DISTRIBUTE Rafal M. Los HP -- ASC DO NOT DISTRIBUTE rev 4 1 7 February 2010
  • 2. Fire! … Aim! Ready? DO NOT DISTRIBUTE Question 1: Web 2.0 content is being developed DO NOT DISTRIBUTE primarily by the same developers that DO NOT DISTRIBUTE write traditional web code. True or False? DO NOT DISTRIBUTE DO NOT DISTRIBUTE Question 2: Everyone understands the idea of “Web 2.0” and there are concrete standards. DO NOT DISTRIBUTE True or False? DO NOT DISTRIBUTE DO NOT DISTRIBUTE Question 3: Your company has deployed “Web DO NOT DISTRIBUTE 2.0 stuff” already. True or False? 2
  • 3. Answers… DO NOT DISTRIBUTE Question 1: False! Web 2.0 is being developed in DO NOT DISTRIBUTE a large part not by traditional developers,NOT DISTRIBUTE DO but by “marketing or media folks”… DO NOT DISTRIBUTE DO NOT DISTRIBUTE Question 2: False! Ask 2 different people to define “Web 2.0”… listen to their answers. DISTRIBUTE DO NOT DO NOT DISTRIBUTE Question 3: (most likely) True! … and if you DISTRIBUTE DO NOT don‟t know it, it‟s even worse. DO NOT DISTRIBUTE 3
  • 4. The Hinges DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 4
  • 5. Understanding Web 2.0 Motivations DO NOT DISTRIBUTE DO NOT DISTRIBUTE 2 reasons “Web 2.0” happened… DO NOT DISTRIBUTE 1. Increased demand for processor cyclesDO NOT DISTRIBUTE 2. Increased demand for bandwidth DO NOT DISTRIBUTE DO NOT DISTRIBUTE What happened… DO NOT DISTRIBUTE • Logic moved from server  client DO NOT DISTRIBUTE • Invention of asynchronous transaction NOT DISTRIBUTE DO • Browser becomes a “fat client” 5
  • 6. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Understanding the DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE attack surface DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 6
  • 7. Attack Surface DO NOT DISTRIBUTE Total addressable (attackable) surface area DISTRIBUTE DO NOT DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 7
  • 8. Attack Surface DO NOT DISTRIBUTE Total addressable (attackable) surface area DISTRIBUTE DO NOT DO NOT DISTRIBUTE Inputs DO NOT DISTRIBUTE Outputs DO NOT DISTRIBUTE APIs DO NOT DISTRIBUTE Functions (interactions) DO NOT DISTRIBUTE Functions (services) DO NOT DISTRIBUTE … DO NOT DISTRIBUTE 8
  • 9. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Exploiting a bigger DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE attack surface DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 9
  • 10. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Users love to click stuff … DO NOT DISTRIBUTE Hackers love users who click stuff. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 10
  • 11. Exploiting Weaknesses Users DO NOT DISTRIBUTE Everyone‟s favorite  Click-Jacking DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE HIDDEN BUTTON DISTRIBUTE DO NOT “Click the DO NOT DISTRIBUTE red dots!” DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 11
  • 12. Exploiting Weaknesses Users DO NOT DISTRIBUTE DO NOT DISTRIBUTE HIDDEN BUTTON DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE <a href=“http://evilsite.com/exploit.js> ……. DO NOT DISTRIBUTE Click the DO NOT DISTRIBUTE This is an exploit page, hidden UNDER red dots? the cool new game that everyone is playing! DO NOT DISTRIBUTE DO NOT DISTRIBUTE 12
  • 13. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE The line between code | data DO NOT DISTRIBUTE has become blurred… DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 14
  • 14. Exploiting Weaknesses Rich Content DO NOT DISTRIBUTE SoMe (Social Media) sites allow active content… DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 15
  • 15. Exploiting Weaknesses Rich Content DO NOT DISTRIBUTE What is the difference? DO NOT DISTRIBUTE DO NOT DISTRIBUTE code <script type="text/javascript“></script> DO NOT DISTRIBUTE <style type="text/css" title="currentStyle" media="screen"> @import "/001/001.css"; </style> DO NOT DISTRIBUTE DO NOT DISTRIBUTE data DO NOT DISTRIBUTE <![CDATA[CHEVRON 0302550]]></name><address><![CDATA[1298 HOWARD ST]]></address><city><![CDATA[SAN DO NOT DISTRIBUTE FRANCISCO]]></city><stateProvince><![CDATA[CA]]></stateProvince><postalCod e><![CDATA[94103]]></postalCode><country><![CDATA[US]]></country><brand>< DO NOT DISTRIBUTE ![CDATA[CHEVRON]]></brand><phone 16
  • 16. Exploiting Weaknesses Rich Content DO NOT DISTRIBUTE DO NOT DISTRIBUTE Very few sites are static DO NOT DISTRIBUTE DO NOT DISTRIBUTE Most site/applications mix code | data at will DISTRIBUTE DO NOT DO NOT DISTRIBUTE  How do developers differentiate? DO NOT DISTRIBUTE DO NOT DISTRIBUTE • Data  static information DO NOT DISTRIBUTE • Code  script or program modifications 17
  • 17. Exploiting Weaknesses Rich Content DO NOT DISTRIBUTE Users (victims) will copy/paste without knowing the DO NOT DISTRIBUTE consequences DO NOT DISTRIBUTE Pimp-My-Profile.com DO NOT DISTRIBUTE is littered with ready- to-paste crap. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Don’t you just want to grab the BeSocial DO NOT DISTRIBUTE toolbar? 18
  • 18. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Functionality DO NOT DISTRIBUTE DO NOT DISTRIBUTE is the arch-enemyDO NOT DISTRIBUTE DO NOT DISTRIBUTE of security DO NOT DISTRIBUTE DO NOT DISTRIBUTE 19
  • 19. Exploiting Weaknesses Functionality DO NOT DISTRIBUTE Functionality gone totally wrong… DO NOT DISTRIBUTE DO NOT DISTRIBUTE FLASH OBJECT + CrossDomain.xml - security = DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 20
  • 20. Exploiting Weaknesses Functionality DO NOT DISTRIBUTE DO NOT DISTRIBUTE Google  filetype:swf inurl:xml DO NOT DISTRIBUTE DO NOT DISTRIBUTE Check CrossDomain.xml for something DO NOT DISTRIBUTE like: <allow-access-from domain=“*”/> DO NOT DISTRIBUTE DO NOT DISTRIBUTE Result: A simple programming “oops” creates a DO NOT DISTRIBUTE catastrophic failure in extended functionality! DO NOT DISTRIBUTE 21
  • 21. Exploiting Weaknesses Functionality DO NOT DISTRIBUTE DO NOT DISTRIBUTE Each additional layered component is another DO NOT DISTRIBUTE chance to screw up security DO NOT DISTRIBUTE DO NOT DISTRIBUTE Could you live without… DO NOT DISTRIBUTE • Google? DO NOT DISTRIBUTE • Multiple-app integrations DO NOT DISTRIBUTE (Google+Twitter+Facebook+…?) DO NOT DISTRIBUTE • Flash? 22
  • 22. DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE Some really bad DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE [real life] code DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 23
  • 23. What Could Possibly Go Wrong? DISTRIBUTE DO NOT … DO NOT DISTRIBUTE DO NOT DISTRIBUTE • Manipulation of business logic DO NOT DISTRIBUTE • Client-side data validations DO NOT DISTRIBUTE • Exposure of sensitive information DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 24
  • 24. Client-Side Logic Manipulation DO NOT DISTRIBUTE try { DO NOT DISTRIBUTE strURI = ExternalInterface.call("getLittleServer"); … DO NOT DISTRIBUTE n1 = parseInt(strN1); n2 = parseInt(strN2); DO NOT DISTRIBUTE nAlgo = n1 * n2 * nScore + nScore; strToPass = nGameId + "," + nScore + "," + nTime + "," + nAlgo; DISTRIBUTE DO NOT encrypted_data = MD5.hash(strToPass); DO NOT DISTRIBUTE submission_data = "score=" + nScore + "|gameId=" + nGameId + "|timestamp=" + nTime + "|key=" + encrypted_data; variables = new URLVariables(); DO NOT DISTRIBUTE variables.attr1 = submission_data; DO NOT DISTRIBUTE request = new URLRequest(strURI); request.data = variables; DO NOT DISTRIBUTE navigateToURL(request, "_self"); return submission_data; … 25
  • 25. What Could Possibly Go Wrong? DISTRIBUTE DO NOT … DO NOT DISTRIBUTE DO NOT DISTRIBUTE • Manipulation of business logic DO NOT DISTRIBUTE • Client-side data validations DO NOT DISTRIBUTE • Exposure of sensitive information DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 26
  • 26. Client-Side Data Validations DO NOT DISTRIBUTE … button 9 { DO NOT DISTRIBUTE on (release, keyPress '<Enter>') { DO NOT DISTRIBUTE if (password eq „ PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/778.html', ''); } else { DO NOT DISTRIBUTE if (password eq ' PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/781.html', ''); NOT DO DISTRIBUTE } else { if (password eq ' PASSWORD ') { DO NOT DISTRIBUTE getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/783.html', ''); } else { if (password eq „ PASSWORD ') { DO NOT DISTRIBUTE getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/771.html', ''); } else { DO NOT DISTRIBUTE if (password eq „ PASSWORD ') { getURL('http://www.SomeCompany.tld/client_pages/CUSTOMER_REMOVED/799.html', ''); } else { DO NOT DISTRIBUTE … 27
  • 27. What Could Possibly Go Wrong? DISTRIBUTE DO NOT … DO NOT DISTRIBUTE DO NOT DISTRIBUTE • Manipulation of business logic DO NOT DISTRIBUTE • Client-side data validations DO NOT DISTRIBUTE • Exposure of sensitive information DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE DO NOT DISTRIBUTE 28
  • 28. Thinking Web 2.0 Offense DO NOT DISTRIBUTE private static function query(arg0:String, arg1:flash.events::EventDispatcher = null) { DO NOT DISTRIBUTE … trace("2:MySQL Query: " + statement); DO NOT DISTRIBUTE if(this.connection == null) DO NOT DISTRIBUTE { try { DO NOT DISTRIBUTE this.connection = new Connection(irrcrpt("dqgurjudgh.frp", 3), 3306, irrcrpt("icog_nqikp", 2), irrcrpt("d1su4y", 1), irrcrpt("jdph", 3)); DO NOT DISTRIBUTE } catch (e:SecurityError) { DO NOT DISTRIBUTE var loc1:* = e; statement = null; DO NOT DISTRIBUTE Alert.show(statement.message, "Security Error"); … DO NOT DISTRIBUTE } 29
  • 29. LIVE decompile of a flash fail! (…err, file) … wait, I thought you couldn’t do that?
  • 30. Fun with Web 2.0 … “highly interactive content”
  • 31. Attacking Web 2.0 Sites → MapQuest!
  • 32. Attacking Web 2.0 Sites → MapQuest!
    We insert this: "><frame src=http://google.com></iframe><script>alert(document.cookie)</script>
    PLAIN => PostalCode="><frame…
    Let’s ENCODE it to get past black-listing filters…
    %22%3e%3cframe%20src%3dhttp%3a%2f%2fgoogle.com%3e%3c%2fiframe%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e
  • 33. Attacking Web 2.0 Sites → MapQuest!
  • 34. Attacking Web 2.0 Sites → MapQuest! … B-O-O-M
  • 35. What Did We Just Learn? Web 2.0 isn’t some magical new “thing”; it’s a conglomeration of old technologies… …and yes, all the old bugs are
  • 36. Fun new ways to fail, or: new bad ideas
  • 37. Specification for Offline Web Apps. From W3.org → http://www.w3.org/TR/offline-webapps/ “Users of typical online Web applications are only able to use the applications while they have a connection to the Internet. When they go offline, they can no longer check their e-mail, browse their calendar appointments... The HTML 5 specification provides two solutions to this: a SQL-based database API for storing data locally, and an offline application HTTP cache for ensuring applications are available even when the user is not connected to their network.”
  • 38. Options in Web 2.0 Land (diagram): Remote System (Application) with Database, Application and Hardened Defenses, across the Internet to the Browser with its Local App Cache and Local Database (SQLite). Would you rather hack this… or this?
  • 39. Simple Problems with Offline Apps
    Online Application                  | Offline Application
    Remote data storage                 | Local data storage
    Enterprise DB typically “secured”   | Local DB “forgotten”
    Enterprise DB difficult to access   | Local DB … on local filesystem
    Attack trips security mechanisms    | Few local security mechanisms
    Remote logic                        | Local “cached” logic
    Manipulate at run-time, remotely    | Manipulate code, locally
    Remote validation of logic          | Fully control/manipulate logic
  • 40. (de)Evolution of SoMe… First, came the applications… They were attacked… a lot… …then hardened.
  • 41. (de)Evolution of SoMe… Users wanted more. Applications were extended via APIs.
  • 42. (de)Evolution of SoMe… 3rd parties built interfaces using the APIs
  • 43. (de)Evolution of SoMe… Hackers attacked users via application APIs
  • 44. SoMe Attacked Via Extension: FaceBook still fighting worms and hacks against users via extensions (or plug-ins) built using legal API extensions (Koobface?). Twitter API continually being abused by worms and “bots” to spam and seed trojan malware. Why attack a hardened resource/site when a hacker can use APIs to write malicious plug-ins?
  • 45. So what do we do about it?
  • 46. The 3 Keys to Success o Perform all control logic server-side o Validate all data at ingress & egress o Build zero-trust interfaces … and don’t rely on others. Remember, “the user will always choose dancing bears over security”. - Schneier
  • 47. Perform All Control Logic Server-Side: Application-critical logic must always be performed on the server side, where it is less likely to be manipulated • You cannot trust code once it leaves your control • Web code can and will be reverse-engineered • Never push critical information (passwords, connection strings) to the client
  • 48. Validate All Data at Ingress/Egress: Validate all data as it comes into your application, and also as it leaves • Assume all input is malicious • Mix white-list, black-list → minimum required • Know what’s leaving your application
  • 49. Build Zero-Trust Interfaces: Assume exposed APIs/services will be attacked • Never trust the interface to provide clean data, legal calls, or valid requests • Authenticate (AuthN) interfaces whenever possible • Don’t forget AuthZ (authorization)
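The three keys of slides 47 to 49 in one server-side handler, as an added example rather than the speaker's code: the password-to-page lookup that slide 26 did inside the .swf is done on the server, the request is authenticated (AuthN) with an HMAC token, the caller's right to the specific document is checked (AuthZ), the identifier is white-listed at ingress and the body is HTML-encoded at egress. The signing key, the owner table, the document contents and the id format are all constructed for the example.

```python
import hashlib
import hmac
import html
import re

# Constructed values: the key lives only on the server, never in client code.
SERVER_KEY = b"example-server-key-not-for-production"
# Server-side authorization table (constructed); ids echo the numbered pages of slide 26.
DOCUMENT_OWNERS = {"778": "alice", "781": "alice", "783": "bob"}
DOCUMENTS = {"778": "Alice's Q1 report <draft>", "781": "Alice's invoice", "783": "Bob's statement"}
DOC_ID = re.compile(r"[0-9]{1,6}")  # assumed white-list: the only shape a document id may take

def issue_token(user: str) -> str:
    """Server mints a token bound to the user; the MAC can only be produced with SERVER_KEY."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def authenticate(token: str):
    """AuthN: recompute the MAC and compare in constant time; return the user or None."""
    user, _, mac = token.rpartition(".")
    if not user:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

def handle_get_document(token: str, raw_doc_id: str) -> tuple:
    """Zero-trust handler: nothing the client sent is believed until checked here.
    Returns (HTTP status, body)."""
    user = authenticate(token)
    if user is None:
        return 401, "authentication required"
    if not DOC_ID.fullmatch(raw_doc_id):            # ingress validation, white-list only
        return 400, "invalid document id"
    if DOCUMENT_OWNERS.get(raw_doc_id) != user:     # AuthZ: a valid login is not a grant
        return 403, "forbidden"
    body = DOCUMENTS[raw_doc_id]                    # the control logic stays on the server
    return 200, html.escape(body, quote=True)       # egress encoding before it reaches the client
```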
  • 50. Don’t Rely on Others: Every piece of software has exploitable defects! Don’t assume other developers wrote secure code. Check, re-check and check again… and again.
  • 51. Thank You. Rafal Los. Twitter: @RafalLos Email: Rafal@HP.com Direct: +1 (765) 247 - 2325 Blogs: “Following the White Rabbit” http://www.communities.hp.com/securitysoftware/blogs/rafal/default.aspx “Digital Soapbox” http://preachsecurity.blogspot.com Oh! … and I work in the HP Application Security Center (ASC)