SlideShare a Scribd company logo

42 minutes to secure your code....

Sebastien Gioria
Sebastien Gioria

Security is important for Devs. You need to add in depth capability to secure Apps, and for this, this presentation give you simply principles to add it to a Java App. This slides come from the Java User Group Summer Camp 2015 in France

Technology
1 of 79
Download to read offline
42  minutes  to  secure  your  code…. Sébastien Gioria sebastien.gioria@owasp.org OWASP  France  Leader  &   Evangelist JUG  Summer  Camp 18  Septembre 2015 LaRochelle -­‐ France
Agenda • OWASP  ?   • Secure  Coding  ?   • 10  simply  principles  to  secure  code • Controlling  code  security   • Q&A  Beer  J 2
2 http://www.google.fr/#q=sebastien   gioria ‣OWASP  France  Leader  &  Founder  &   Evangelist,   ‣OWASP  ISO  Project  &  OWASP  SonarQube Project   Leader ‣Innovation  and  Technology  @Advens  &&     Application  Security  Expert Twitter  :@SPoint/@OWASP_France/@AppSecAcademy2 ‣Application  Security  group  leader  for  the   CLUSIF ‣Proud  father  of  youngs  kids  trying  to  hack  my   digital  life.   ‣Legal expert    for  Cour  of  Appeal of  Poitiers
4 Learn Contract Testing Design MaturityCode
OWASP  publications  !   • Publications  :   – Top10  Application  Security   Risk  ;  bestseller – Testing  Guide  ;  second   bestseller – OWASP  Cheat  Sheets  !!!   – Application  Security   Verification  Standard  ;  not  the   best  well  known  document – OpenSAMM :  improve  your   application  security – OWASP  Secure  Contract   Annex   – OWASP  Top10  for  ...  (mobile,   cloud,  privacy,  ...) • Tools  /  API – OWASP  Zed  Attack  Proxy  ;   replace  WebScarab with  a  lot   of  new  functionalities – OWASP  ESAPI  :  API  for   securing  your  Software – OWASP  AppSensor ;  a  IDS/IPS   in  the  heart  of  your  software – OWASP  Cornucoppia ;   application  security  play  with   cards – OWASP  Snake  and  ladder  :   play  Top10 and  many  more....
Secure  Coding  ?  
Yes,  this  is  you  !  
Some  Stats.... (c)  IBM  March  2014
Hackers  are  clever
Money, Money, Money
Be accurate
@Inject EntityManager em; @Transactional public  User  updateEmail(String   username,String email)  { TypedQuery<User>   q  =  em.createQuery( String.format(”update    Users  set  email  ‘%s’  where  username   =   '%s’",  email,  username), User.class); return  q.getSingleResult(); }
Parametrize !  don't Jeopardize !!! String  eMail=  request.getParameter("email")   ; String  userName=   request.getParameter("username"); //SQL PreparedStatement pstmt =  con.prepareStatement("update    Users  set  email  =  ?  where   username   =    ?);   pstmt.setString(1,   eMail);   pstmt.setString(2,   userName); //JPA Query  safeQuery =  entityManager.createQuery( "update  Users  u  SET  u.email =  ?1  WHERE  u.username =  ?2"); safeQuery.setParameter(1,   eMail)   ; safeQuery.setParameter(2,   userName); safeQuery.executeUpdate();
Moral  !   NEVER  re-­implements   security mechanisms  that  are   approuved in  a  core  library  !! This  is  the  same  thing  for  crypto  and  other  mechanisms  that  are  not  security....
public final class InsertEmployeeActionextends Action{ public ActionForward execute(ActionMappingmapping,ActionForm form, HttpServletRequest request,HttpServletResponseresponse)throws Exception{ Obj1 service= new Obj1(); ObjForm objForm = (ObjForm) form; InfoADT adt = new InfoADT(); BeanUtils.copyProperties(adt,objForm); String searchQuery= objForm.getqueryString(); String payload = objForm.getPayLoad(); try { service.doWork(adt); / /do somethingwith thedata ActionMessages messages = new ActionMessages(); ActionMessagemessage= new ActionMessage("success",adt.getName()); messages.add(ActionMessages.GLOBAL_MESSAGE,message); saveMessages(request, messages ); request.setAttribute("Record",adt); return (mapping.findForward("success")); } catch( DatabaseExceptionde) { ActionErrors errors = new ActionErrors(); ActionError error = new ActionError("error.employee.databaseException" + “Payload:“+payload); errors.add(ActionErrors.GLOBAL_ERROR,error ); saveErrors(request,errors ); return (mapping.findForward("error: "+ searchQuery)); } } } Spot  the  vuln(s)  !
XSS  risks • Session  Hijacking • Site  Defacement • Network  Scanning • Undermining  CSRF  Defenses • Site  Redirection/Phishing • Load  of  Remotely  Hosted  Scripts • Data  Theft • Keystroke  Logging • Attackers  using  XSS  more  frequently
<
&lt;
Encoding  Output Characters Decimal Hexadecimal HTML  Character   Set Unicode "  (double   quotation   marks) &#34; &#x22; &quot; u0022 '  (single   quotation  mark) &#39; &#x27; &apos; u0027 &  (ampersand) &#38; &#x26; &amp; u0026 <  (less  than) &#60; &#x3C; &lt; u003c >  (greater  than) &#62; &#x3E; &gt; u003e Safe  ways  to  represent  dangerous  characters  in  a  web  page
OWASP  Java  Encoder  Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No  third  party  libraries  or  configuration  necessary • This  code  was  designed  for  high-­availability/high-­ performance  encoding  functionality • Simple  drop-­in  encoding  functionality • Redesigned  for  performance • More  complete  API  (uri and  uri component  encoding,   etc)  in  some  regards. • Java  1.5+
(3)  Validate  All  Inputs
OWASP  HTML  Sanitizer  Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML  Sanitizer  written  in  Java  which  lets  you  include  HTML   authored  by  third-­parties  in  your  web  application  while  protecting   against  XSS.   • This  code  was  written  with  security  best  practices  in  mind,  has  an   extensive  test  suite,  and  has  undergone  adversarial  security  review   https://code.google.com/p/owasp-­java-­html-­ sanitizer/wiki/AttackReviewGroundRules.   • It  allows  for  simple  programmatic  POSITIVE  policy  configuration.   No  XML  config.   • Actively  maintained  by  Mike  Samuel  from  Google's  AppSec team!   • This  is  code  from  the  Caja project  that  was  donated  by  Google.  It   is  rather  high  performance  and  low  memory  utilization.  
• Upload  Verification – Filename   and  Size  validation   +  antivirus • Upload  Storage – Use  only  trusted  filenames  +  separate  domain • Beware  of  "special"  files – "crossdomain.xml"    or    "clientaccesspolicy.xml".   • Image  Upload  Verification – Enforce  proper  image  size  limits – Use  image  rewriting  libraries – Set  the  extension  of  the  stored  image  to  be  a  valid  image  extension – Ensure  the  detected  content  type  of  the  image  is  safe • Generic  Upload  Verification – Ensure  decompressed   size  of  file  <  maximum  size   – Ensure  that  an  uploaded   archive  matches  the  type  expected  (zip,  rar) – Ensure  structured  uploads   such  as  an  add-­on  follow  proper  standard
What  is  Access  Control? • Authorization  is  the  process  where  a  system  determines if  a  specific  user  has  access  to  a  resource • Permission:  Represents  app  behavior  only • Entitlement:  What  a  user  is  actually  allowed  to  do • Principle/User:  Who/what  you  are  entitling • Implicit  Role:    Named  permission,  user  associated – if  (user.isRole(“Manager”));; • Explicit  Role:  Named  permission,  resource  associated – if  (user.isAuthorized(“report:view:3324”);;
Access  Control  Anti-­Patterns • Hard-­coded  role  checks  in  application  code • Lack  of  centralized  access  control  logic • Untrusted  data  driving  access  control  decisions • Access  control  that  is  “open  by  default” • Lack  of  addressing  horizontal  access  control  in  a   standardized  way  (if  at  all) • Access  control  logic  that  needs  to  be  manually   added  to  every  endpoint  in  code • Access  Control  that  is  “sticky”  per  session • Access  Control  that  requires  per-­user  policy
Access  Controls  Impact • Loss  of  accountability – Attackers  maliciously  execute  actions  as  other  users – Attackers  maliciously  execute  higher  level  actions • Disclosure  of  confidential  data – Compromising  admin-­‐level  accounts  often  results  in   access  to  user’s  confidential  data • Data  tampering – Privilege  levels  do  not  distinguish  users  who  can  only   view  data  and  users  permitted  to  modify  data
void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu) } } HardCode Auth Rule
void editProfile(User u, EditUser eu) { if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { // do stuff } } Policy  evolution....
36
Hard-­‐Coded  Roles • Makes  “proving”  the  policy  of  an  application   difficult  for  audit  or  Q/A  purposes • Any  time  access  control  policy  needs  to   change,  new  code  need  to  be  pushed • RBAC(http://en.wikipedia.org/wiki/Role-­‐ based_access_control)  is  often  not  granular   enough   • Fragile,  easy  to  make  mistakes
Never  Depend  on  Untrusted  Data • Never  trust  request  data  for  access  control  decisions • Never  make  access  control  decisions  in  JavaScript • Never  make  authorization  decisions  based  solely  on:   hidden  fields cookie  values form  parameters URL  parameters anything  else  from  the  request • Never  depend  on  the  order  of  values  sent  from  the  client
Best  Practice:  Centralized  AuthZ • Define  a  centralized  access  controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access  control  decisions  go  through  these  simple   API’s • Centralized  logic  to  drive  policy  behavior  and   persistence • May  contain  data-­‐driven  access  control  policy   information
int userId= request.getInt(”userID"); //Best to get it from sessionID.... if (validateUser(userId) ) { if ( currentUser.isPermitted( ”module:function:" + userId) ) { log.info(userId + “are permitted to access ."); doStuff(userId); } else { log.info(userId + “ is notallowed to access!"); throw new AuthorizationException (userId); } } Should  be  like  this...
Establish  Authentication  and   Identity  Controls
1) Do  not  limit  the  type  of  characters  or  length   of  user  password  within  reason • Be  wary  of  systems  that  allow  unlimited  password   sizes  (Django DOS  Sept  2013) • 2)  Use  a  cryptographically  strong  credential-­‐specific   salt • 3)  Impose  difficult  verification   • on  the  attacker  and  defender  :  use  PBKDF2  or   script • on  only the  attacker  :  use  HMAC-­‐SHA-­‐256  
2)  Use  a  cryptographically  strong  credential-­‐ specific  salt • protect(  [salt]  +  [password]  ); • Use  a  32char  or  64char  salt  (actual  size  dependent   on  protection  function); • Do  not  depend  on  hiding,  splitting,  or  otherwise   obscuring  the  salt
3a)  Impose  difficult  verification  on  the  attacker   and  defender •PBKDF2([salt]  +  [password],  c=140,000);   •Use  PBKDF2 when  FIPS  certification  or  enterprise   support  on  many  platforms  is  required •Use  Scrypt where  resisting  any/all  hardware   accelerated  attacks  is  necessary  but  enterprise  support   and  scale  is  not.  (bcrypt is  also  a  reasonable  choice)
3b)  Impose  difficult  verification  on  only the   attacker   •HMAC-­‐SHA-­‐256(  [private  key],  [salt]  +  [password]  ) •Protect  this  key  as  any  private  key  using  best  practices •Store  the  key  outside  the  credential  store •Build  the  password-­‐to-­‐hash  conversion  as  a  separate   webservice (cryptograpic isolation).
Password1!
Require  2  identity  questions   <Last  name,  account  number,  email,  DOB <Enforce  lockout  policy Ask  one  or  more  good  security  questions <https://www.owasp.org/index.php/Choosing_and_Using_Security_ Questions_Cheat_Sheet Send  the  user  a  randomly  generated  token  via  out-­‐of-­‐band <app,  SMS  or  token   Verify  code  in  same  web  session <Enforce  lockout  policy Change  password <Enforce password policy Changing  Password
//import  java.security and  java.crypto and  java.util needed //  Based on  recommendation from NIST  SP800-­‐132.pdf public  class  PasswordEncryptionService { public  boolean authenticate(String  attemptedPassword,  byte[]  encryptedPassword,  byte[]  salt) throws NoSuchAlgorithmException,  InvalidKeySpecException { byte[]  encryptedAttemptedPassword =  getEncryptedPassword(attemptedPassword,  salt); return  Arrays.equals(encryptedPassword,  encryptedAttemptedPassword); } public  byte[]  getEncryptedPassword(String  password,  byte[]  salt) throws NoSuchAlgorithmException,  InvalidKeySpecException { String  algorithm =  "PBKDF2WithHmacSHA1’’;    //  SHA1  recommende by  nist int derivedKeyLength =  160; int iterations =  20000;  //  minimum  1000  its from NIST KeySpec spec =  new  PBEKeySpec(password.toCharArray(),  salt,  iterations,  derivedKeyLength); SecretKeyFactory f  =  SecretKeyFactory.getInstance(algorithm); return  f.generateSecret(spec).getEncoded(); } public  byte[]  generateSalt()  throws NoSuchAlgorithmException { SecureRandom random =  SecureRandom.getInstance("SHA1PRNG"); byte[]  salt =  new  byte[8]; random.nextBytes(salt); return  salt; SecurePasswordStorage
• Authentication  Cheat  Sheet – https://www.owasp.org/index.php/Authentication_Cheat_Sheet • Password  Storage  Cheat  Sheet – https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • Forgot  Password  Cheat  Sheet – https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet • Session  Management  Cheat  Sheet – https://www.owasp.org/index.php/Session_Management_Cheat_Sheet • ASVS  AuthN and  Session  Requirements – https://www.owasp.org/index.php/OWASP_Application_Security_Verific ation_Standard_Project • Choose  Security  Questions – https://www.owasp.org/index.php/Choosing_and_Using_Security_Quest ions_Cheat_Sheet
• What  benefits  do  HTTPS  provide? – Confidentiality,  Integrity  and  Authenticity – Confidentiality:  Spy  cannot  view  your  data – Integrity:  Spy  cannot  change  your  data – Authenticity:  Server  you  are  visiting  is  the   right  one
Encryption  in  Transit  (HTTPS/TLS) • HTTPS  configuration  best  practices – https://www.owasp.org/index.php/Transport_L ayer_Protection_Cheat_Sheet – https://www.ssllabs.com/projects/best-­ practices/
• Certificate  Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet • HSTS  (Strict  Transport  Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-­‐Transport-­‐Security:   max-­‐age=31536000 • Forward  Secrecy – https://whispersystems.org/blog/asynchronous-­‐security/ • Certificate  Creation  Transparency – http://certificate-­‐transparency.org • Browser  Certificate  Pruning – Etsy/Zane  Lackey
HSTS  – Strict  Transport  Security • HSTS  (Strict  Transport  Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-­‐Transport-­‐Security:  max-­‐age=31536000;   includeSubdomains • Forces  browser  to  only  make  HTTPS  connection  to  server • Must  be  initially  delivered  over  a  HTTPS  connection
Intrusion  Detection  
Logs  and  errors
Risks  ?   • Error messages  can disclose information   valuable to  an  attacker • Failure can lead  to  an  unhandled state,  which can lead  to  denial of  service  – Unhandled failures can lead  to  malicious behavior being unnoticed
Fail  Securely  !   • Not  Just  catching  exception • Not  Just  logging  exception/errors Handle  all  failures  securely  and  return  the   system  to  a  proper  state  
Design  Patterns • Don't assume  that an  error condition  won't occur • It's what the  attackers want you to  assume   • Errors are  like accidents,  you don't expect them,  but  they happen • Any code  that can throw an  exception  should be in  a  Try Block   • Handle all  possible  exceptions   • Use  Finally Blocks:  leaving files  open  or  exceptions  defined after use  creates resource leaks and  possible  system  failure • Short  specific Try Blocks  give you more  control  over  the   error state  
App  Layer  Intrusion  Detection • Great  detection  points  to  start  with – Input  validation  failure  server  side  when  client  side   validation  exists – Input  validation  failure  server  side  on  non-­user   editable  parameters  such  as  hidden  fields,   checkboxes,  radio  buttons  or  select  lists – Forced  browsing  to  common  attack  entry  points   – Honeypot  URL  (e.g.  a  fake  path  listed  in  robots.txt like  e.g.  /admin/secretlogin.jsp)  
App  Layer  Intrusion  Detection • Others – Blatant  SQLi or  XSS  injection  attacks – Workflow  sequence  abuse  (e.g.  multi-­part  form  in   wrong  order) – Custom  business  logic  (e.g.  basket  vs catalogue   price  mismatch) – Further  Study: • “libinjection:  from  SQLi to  XSS” – Nick  Galbreath • “Attack  Driven  Defense”  – Zane  Lackey
OWASP  AppSensor (Java) • Project  and  mailing  list   https://www.owasp.org/index.php/OWASP_A ppSensor_Project • Four-­page  briefing,  Crosstalk,  Journal  of   Defense  Software  Engineering • http://www.crosstalkonline.org/storage/issue-­ archives/2011/201109/201109-­Watson.pdf
Security  Requirements
OWASP  ASVS https://www.owasp.org/index.php/C ategory:OWASP_Application_Security _Verification_Standard_Project
Bad  Design
Security  Architecture  and  Design Strategic  effort • Business,  technical  and  security  stakeholders   • Functional  and  non-­‐functional  security  properties • Different  flavors/efforts  based  on  SDL/culture Example:  state • Should  you  use  the  request?   • Should  you  use  a  web  session?   • Should  you  use  the  database?   These  decisions  have  dramatic  security  implications
Trusting  Input • Treating  all  client  side  data  as  untrusted  is   important,  and  can  be  tied  back  to  trust   zones/boundaries  in  design/architecture.   • Ideally  we  want  to  consider  all  tiers  to  be   untrusted  and  build  controls  at  all  layers,   but  this  is  not  practical  or  even  possible  for   some  very  large  systems.
Security  Architecture  and  Design Additional  Considerations • Overall  Architecture/Design • Trust  Zones/Boundaries/Tiers 1. User  Interface,    API  (Webservices),   2. Business  Layer  (Custom  Logic),   3. Data  Layer  (Keys  to  the  Kingdom) 4. What  sources  can/cannot  be  trusted? • What  is  inside/outside  of  a  trust  zone/boundary • Specific  controls  need  to  exist  at  certain  layers • Attack  Surface
Controlling  code  in  one  picture
Pentest or  code  review  for   CISO   Top10 Web Pentest Code  Review A1-­‐Injection ++ +++ A2-­‐Broken  Authentication  and  Session   Management ++ + A3-­‐Cross-­‐Site  Scripting  (XSS) +++ +++ A4-­‐Insecure  Direct  Object  References + +++ A5-­‐Security  Misconfiguration + ++ A6-­‐Sensitive  Data  Exposure ++ + A7-­‐Missing  Function  Level  Access   Control + + A8-­‐Cross-­‐Site  Request  Forgery  (CSRF) ++ + A9-­‐Using  Components  with  Known   Vulnerabilities +++ A10-­‐Unvalidated  Redirects  and   Forwards + +
Pentesting and  code  review  for  a   developer
10  reasons to  use  .... • Written in  Java  J • Integrated with CI  Tools   (Jenkins/Hudson/Bamboo) • Modular (plugins  by  languages) • Developer tools • Dashboard • OWASP  project J • Open-­‐Source  (and  commercial  too)
• https://www.owasp.org/index.php/OWASP_S onarQube_Project Of  Course  !  
License 7 4 • @SPoint • sebastien.gioria@owasp.org
LAST  BUT  NOT  LEAST....
Lack  of  knowledge... String  myString =  "insecure"; myString.replace("i","1") //  do  Stuff
Good  Try...but...catch  J public  class  BadCatch { public  void mymethodErr1()  { try { //do  Stuff }  catch  (SecurityException se){ System.err.println (se); } } }
Nice  comments //  Pattern  to  match  the  string Pattern  myPattern =  "bword1W+(?:w+/W+){1,6}?word2b"; String  updated =  MYCONSTANT1.replaceAll(mypattern,  "$2"); //  i  iterate from 0  to  10 for  (int i=0;  i  <10  ;  i++)  { //  do  stuff myMethod(updated); }
Unit  testing • In  computer  programming,  unit  testing is a  software  testing method by  which individual units of  source  code,  sets  of  one  or  more  computer  program   modules  together with associated control  data,  usage  procedures,  and   operating  procedures,  are  tested to  determine whether they are  fit  for  use..   (c)  Wikipedia

Recommended

Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Sherif Koussa
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 

Recommended

Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
OWASP, PHP, life and universe
OWASP, PHP, life and universeOWASP, PHP, life and universe
OWASP, PHP, life and universeSebastien Gioria
 
CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014CLUSIR INFONORD OWASP iot 2014
CLUSIR INFONORD OWASP iot 2014Sebastien Gioria
 
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...
Security Code Reviews. Does Your Code Need an Open Heart Surgery and The 6 Po...Sherif Koussa
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
OWASP
OWASPOWASP
OWASPPen Testeronyguy
 
[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's lifeOWASP
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
(Un)safe Python
(Un)safe Python(Un)safe Python
(Un)safe PythonIvan Tsyganov
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]AngelGomezRomero
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPROWASP
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from ScratchDenis Kolegov
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsKevin Fealey
 
ISO 27k talk for django meet up
ISO 27k talk for django meet upISO 27k talk for django meet up
ISO 27k talk for django meet upViren Rajput
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Cache Security- The Basics
Cache Security- The BasicsCache Security- The Basics
Cache Security- The BasicsInterSystems Corporation
 

More Related Content

What's hot

[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's lifeOWASP
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architectureOWASP
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]AngelGomezRomero
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPROWASP
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from ScratchDenis Kolegov
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsKevin Fealey
 

What's hot (16)

OWASP
OWASPOWASP
OWASP
 
[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life[OWASP Poland Day] Security in developer's life
[OWASP Poland Day] Security in developer's life
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
(Un)safe Python
(Un)safe Python(Un)safe Python
(Un)safe Python
 
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalSARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma Sehgal
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture[OPD 2019] Governance as a missing part of IT security architecture
[OPD 2019] Governance as a missing part of IT security architecture
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
OpenSouthCode '19 - Application Security Fundamentals [2019-May-25]
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOS
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 
Database Firewall from Scratch
Database Firewall from ScratchDatabase Firewall from Scratch
Database Firewall from Scratch
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
 

Similar to 42 minutes to secure your code....

ISO 27k talk for django meet up
ISO 27k talk for django meet upISO 27k talk for django meet up
ISO 27k talk for django meet upViren Rajput
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudTobias Koprowski
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...Phú Phùng
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Securing the Internet of Things - Hank Chavers
Securing the Internet of Things - Hank ChaversSecuring the Internet of Things - Hank Chavers
Securing the Internet of Things - Hank ChaversWithTheBest
 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Softwaredefconmoscow
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 

Similar to 42 minutes to secure your code.... (20)

ISO 27k talk for django meet up
ISO 27k talk for django meet upISO 27k talk for django meet up
ISO 27k talk for django meet up
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
Cache Security- The Basics
Cache Security- The BasicsCache Security- The Basics
Cache Security- The Basics
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...
Self-Protecting JavaScript: A Lightweight Approach to Enforcing Security Poli...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Securing the Internet of Things - Hank Chavers
Securing the Internet of Things - Hank ChaversSecuring the Internet of Things - Hank Chavers
Securing the Internet of Things - Hank Chavers
 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Software
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 

More from Sebastien Gioria

2015 09-18-jug summer camp
2015 09-18-jug summer camp2015 09-18-jug summer camp
2015 09-18-jug summer campSebastien Gioria
 
Securing your API and mobile application - API Connection FR
Securing your API and mobile application - API Connection FRSecuring your API and mobile application - API Connection FR
Securing your API and mobile application - API Connection FRSebastien Gioria
 
La Quete du code source fiable et sécurisé - GSDAYS 2015
La Quete du code source fiable et sécurisé - GSDAYS 2015La Quete du code source fiable et sécurisé - GSDAYS 2015
La Quete du code source fiable et sécurisé - GSDAYS 2015Sebastien Gioria
 
Sécurité des applications mobiles
Sécurité des applications mobilesSécurité des applications mobiles
Sécurité des applications mobilesSebastien Gioria
 
Securite des Applications dans le Cloud
Securite des Applications dans le CloudSecurite des Applications dans le Cloud
Securite des Applications dans le CloudSebastien Gioria
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introductionSebastien Gioria
 

More from Sebastien Gioria (8)

La Sécurité des CMS ?
La Sécurité des CMS ? La Sécurité des CMS ?
La Sécurité des CMS ?
 
2015 09-18-jug summer camp
2015 09-18-jug summer camp2015 09-18-jug summer camp
2015 09-18-jug summer camp
 
Securing your API and mobile application - API Connection FR
Securing your API and mobile application - API Connection FRSecuring your API and mobile application - API Connection FR
Securing your API and mobile application - API Connection FR
 
La Quete du code source fiable et sécurisé - GSDAYS 2015
La Quete du code source fiable et sécurisé - GSDAYS 2015La Quete du code source fiable et sécurisé - GSDAYS 2015
La Quete du code source fiable et sécurisé - GSDAYS 2015
 
2014 06-05-mozilla-afup
2014 06-05-mozilla-afup2014 06-05-mozilla-afup
2014 06-05-mozilla-afup
 
Sécurité des applications mobiles
Sécurité des applications mobilesSécurité des applications mobiles
Sécurité des applications mobiles
 
Securite des Applications dans le Cloud
Securite des Applications dans le CloudSecurite des Applications dans le Cloud
Securite des Applications dans le Cloud
 
Secure Coding for Java - An introduction
Secure Coding for Java - An introductionSecure Coding for Java - An introduction
Secure Coding for Java - An introduction
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

42 minutes to secure your code....

  • 1. 42  minutes  to  secure  your  code…. Sébastien Gioria sebastien.gioria@owasp.org OWASP  France  Leader  &   Evangelist JUG  Summer  Camp 18  Septembre 2015 LaRochelle -­‐ France
  • 2. Agenda • OWASP  ?   • Secure  Coding  ?   • 10  simply  principles  to  secure  code • Controlling  code  security   • Q&A  Beer  J 2
  • 3. 2 http://www.google.fr/#q=sebastien   gioria ‣OWASP  France  Leader  &  Founder  &   Evangelist,   ‣OWASP  ISO  Project  &  OWASP  SonarQube Project   Leader ‣Innovation  and  Technology  @Advens  &&     Application  Security  Expert Twitter  :@SPoint/@OWASP_France/@AppSecAcademy2 ‣Application  Security  group  leader  for  the   CLUSIF ‣Proud  father  of  youngs  kids  trying  to  hack  my   digital  life.   ‣Legal expert    for  Cour  of  Appeal of  Poitiers
  • 5. OWASP  publications  !   • Publications  :   – Top10  Application  Security   Risk  ;  bestseller – Testing  Guide  ;  second   bestseller – OWASP  Cheat  Sheets  !!!   – Application  Security   Verification  Standard  ;  not  the   best  well  known  document – OpenSAMM :  improve  your   application  security – OWASP  Secure  Contract   Annex   – OWASP  Top10  for  ...  (mobile,   cloud,  privacy,  ...) • Tools  /  API – OWASP  Zed  Attack  Proxy  ;   replace  WebScarab with  a  lot   of  new  functionalities – OWASP  ESAPI  :  API  for   securing  your  Software – OWASP  AppSensor ;  a  IDS/IPS   in  the  heart  of  your  software – OWASP  Cornucoppia ;   application  security  play  with   cards – OWASP  Snake  and  ladder  :   play  Top10 and  many  more....
  • 7. Yes,  this  is  you  !  
  • 8. Some  Stats.... (c)  IBM  March  2014
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. @Inject EntityManager em; @Transactional public  User  updateEmail(String   username,String email)  { TypedQuery<User>   q  =  em.createQuery( String.format(”update    Users  set  email  ‘%s’  where  username   =   '%s’",  email,  username), User.class); return  q.getSingleResult(); }
  • 18. Parametrize !  don't Jeopardize !!! String  eMail=  request.getParameter("email")   ; String  userName=   request.getParameter("username"); //SQL PreparedStatement pstmt =  con.prepareStatement("update    Users  set  email  =  ?  where   username   =    ?);   pstmt.setString(1,   eMail);   pstmt.setString(2,   userName); //JPA Query  safeQuery =  entityManager.createQuery( "update  Users  u  SET  u.email =  ?1  WHERE  u.username =  ?2"); safeQuery.setParameter(1,   eMail)   ; safeQuery.setParameter(2,   userName); safeQuery.executeUpdate();
  • 19. Moral  !   NEVER  re-­implements   security mechanisms  that  are   approuved in  a  core  library  !! This  is  the  same  thing  for  crypto  and  other  mechanisms  that  are  not  security....
  • 20. public final class InsertEmployeeActionextends Action{ public ActionForward execute(ActionMappingmapping,ActionForm form, HttpServletRequest request,HttpServletResponseresponse)throws Exception{ Obj1 service= new Obj1(); ObjForm objForm = (ObjForm) form; InfoADT adt = new InfoADT(); BeanUtils.copyProperties(adt,objForm); String searchQuery= objForm.getqueryString(); String payload = objForm.getPayLoad(); try { service.doWork(adt); / /do somethingwith thedata ActionMessages messages = new ActionMessages(); ActionMessagemessage= new ActionMessage("success",adt.getName()); messages.add(ActionMessages.GLOBAL_MESSAGE,message); saveMessages(request, messages ); request.setAttribute("Record",adt); return (mapping.findForward("success")); } catch( DatabaseExceptionde) { ActionErrors errors = new ActionErrors(); ActionError error = new ActionError("error.employee.databaseException" + “Payload:“+payload); errors.add(ActionErrors.GLOBAL_ERROR,error ); saveErrors(request,errors ); return (mapping.findForward("error: "+ searchQuery)); } } } Spot  the  vuln(s)  !
  • 21. XSS  risks • Session  Hijacking • Site  Defacement • Network  Scanning • Undermining  CSRF  Defenses • Site  Redirection/Phishing • Load  of  Remotely  Hosted  Scripts • Data  Theft • Keystroke  Logging • Attackers  using  XSS  more  frequently
  • 22. <
  • 23. &lt;
  • 24. Encoding  Output Characters Decimal Hexadecimal HTML  Character   Set Unicode "  (double   quotation   marks) &#34; &#x22; &quot; u0022 '  (single   quotation  mark) &#39; &#x27; &apos; u0027 &  (ampersand) &#38; &#x26; &amp; u0026 <  (less  than) &#60; &#x3C; &lt; u003c >  (greater  than) &#62; &#x3E; &gt; u003e Safe  ways  to  represent  dangerous  characters  in  a  web  page
  • 25. OWASP  Java  Encoder  Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No  third  party  libraries  or  configuration  necessary • This  code  was  designed  for  high-­availability/high-­ performance  encoding  functionality • Simple  drop-­in  encoding  functionality • Redesigned  for  performance • More  complete  API  (uri and  uri component  encoding,   etc)  in  some  regards. • Java  1.5+
  • 27.
  • 28. OWASP  HTML  Sanitizer  Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML  Sanitizer  written  in  Java  which  lets  you  include  HTML   authored  by  third-­parties  in  your  web  application  while  protecting   against  XSS.   • This  code  was  written  with  security  best  practices  in  mind,  has  an   extensive  test  suite,  and  has  undergone  adversarial  security  review   https://code.google.com/p/owasp-­java-­html-­ sanitizer/wiki/AttackReviewGroundRules.   • It  allows  for  simple  programmatic  POSITIVE  policy  configuration.   No  XML  config.   • Actively  maintained  by  Mike  Samuel  from  Google's  AppSec team!   • This  is  code  from  the  Caja project  that  was  donated  by  Google.  It   is  rather  high  performance  and  low  memory  utilization.  
  • 29. • Upload  Verification – Filename   and  Size  validation   +  antivirus • Upload  Storage – Use  only  trusted  filenames  +  separate  domain • Beware  of  "special"  files – "crossdomain.xml"    or    "clientaccesspolicy.xml".   • Image  Upload  Verification – Enforce  proper  image  size  limits – Use  image  rewriting  libraries – Set  the  extension  of  the  stored  image  to  be  a  valid  image  extension – Ensure  the  detected  content  type  of  the  image  is  safe • Generic  Upload  Verification – Ensure  decompressed   size  of  file  <  maximum  size   – Ensure  that  an  uploaded   archive  matches  the  type  expected  (zip,  rar) – Ensure  structured  uploads   such  as  an  add-­on  follow  proper  standard
  • 30.
  • 31. What  is  Access  Control? • Authorization  is  the  process  where  a  system  determines if  a  specific  user  has  access  to  a  resource • Permission:  Represents  app  behavior  only • Entitlement:  What  a  user  is  actually  allowed  to  do • Principle/User:  Who/what  you  are  entitling • Implicit  Role:    Named  permission,  user  associated – if  (user.isRole(“Manager”));; • Explicit  Role:  Named  permission,  resource  associated – if  (user.isAuthorized(“report:view:3324”);;
  • 32. Access  Control  Anti-­Patterns • Hard-­coded  role  checks  in  application  code • Lack  of  centralized  access  control  logic • Untrusted  data  driving  access  control  decisions • Access  control  that  is  “open  by  default” • Lack  of  addressing  horizontal  access  control  in  a   standardized  way  (if  at  all) • Access  control  logic  that  needs  to  be  manually   added  to  every  endpoint  in  code • Access  Control  that  is  “sticky”  per  session • Access  Control  that  requires  per-­user  policy
  • 33. Access  Controls  Impact • Loss  of  accountability – Attackers  maliciously  execute  actions  as  other  users – Attackers  maliciously  execute  higher  level  actions • Disclosure  of  confidential  data – Compromising  admin-­‐level  accounts  often  results  in   access  to  user’s  confidential  data • Data  tampering – Privilege  levels  do  not  distinguish  users  who  can  only   view  data  and  users  permitted  to  modify  data
  • 34. void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu) } } HardCode Auth Rule
  • 35. void editProfile(User u, EditUser eu) { if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { // do stuff } } Policy  evolution....
  • 36. 36
  • 37. Hard-­‐Coded  Roles • Makes  “proving”  the  policy  of  an  application   difficult  for  audit  or  Q/A  purposes • Any  time  access  control  policy  needs  to   change,  new  code  need  to  be  pushed • RBAC(http://en.wikipedia.org/wiki/Role-­‐ based_access_control)  is  often  not  granular   enough   • Fragile,  easy  to  make  mistakes
  • 38. Never  Depend  on  Untrusted  Data • Never  trust  request  data  for  access  control  decisions • Never  make  access  control  decisions  in  JavaScript • Never  make  authorization  decisions  based  solely  on:   hidden  fields cookie  values form  parameters URL  parameters anything  else  from  the  request • Never  depend  on  the  order  of  values  sent  from  the  client
  • 39. Best  Practice:  Centralized  AuthZ • Define  a  centralized  access  controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access  control  decisions  go  through  these  simple   API’s • Centralized  logic  to  drive  policy  behavior  and   persistence • May  contain  data-­‐driven  access  control  policy   information
  • 40. int userId= request.getInt(”userID"); //Best to get it from sessionID.... if (validateUser(userId) ) { if ( currentUser.isPermitted( ”module:function:" + userId) ) { log.info(userId + “are permitted to access ."); doStuff(userId); } else { log.info(userId + “ is notallowed to access!"); throw new AuthorizationException (userId); } } Should  be  like  this...
  • 41. Establish  Authentication  and   Identity  Controls
  • 42. 1) Do  not  limit  the  type  of  characters  or  length   of  user  password  within  reason • Be  wary  of  systems  that  allow  unlimited  password   sizes  (Django DOS  Sept  2013) • 2)  Use  a  cryptographically  strong  credential-­‐specific   salt • 3)  Impose  difficult  verification   • on  the  attacker  and  defender  :  use  PBKDF2  or   script • on  only the  attacker  :  use  HMAC-­‐SHA-­‐256  
  • 43. 2)  Use  a  cryptographically  strong  credential-­‐ specific  salt • protect(  [salt]  +  [password]  ); • Use  a  32char  or  64char  salt  (actual  size  dependent   on  protection  function); • Do  not  depend  on  hiding,  splitting,  or  otherwise   obscuring  the  salt
  • 44. 3a)  Impose  difficult  verification  on  the  attacker   and  defender •PBKDF2([salt]  +  [password],  c=140,000);   •Use  PBKDF2 when  FIPS  certification  or  enterprise   support  on  many  platforms  is  required •Use  Scrypt where  resisting  any/all  hardware   accelerated  attacks  is  necessary  but  enterprise  support   and  scale  is  not.  (bcrypt is  also  a  reasonable  choice)
  • 45. 3b)  Impose  difficult  verification  on  only the   attacker   •HMAC-­‐SHA-­‐256(  [private  key],  [salt]  +  [password]  ) •Protect  this  key  as  any  private  key  using  best  practices •Store  the  key  outside  the  credential  store •Build  the  password-­‐to-­‐hash  conversion  as  a  separate   webservice (cryptograpic isolation).
  • 47. Require  2  identity  questions   <Last  name,  account  number,  email,  DOB <Enforce  lockout  policy Ask  one  or  more  good  security  questions <https://www.owasp.org/index.php/Choosing_and_Using_Security_ Questions_Cheat_Sheet Send  the  user  a  randomly  generated  token  via  out-­‐of-­‐band <app,  SMS  or  token   Verify  code  in  same  web  session <Enforce  lockout  policy Change  password <Enforce password policy Changing  Password
  • 48. //import  java.security and  java.crypto and  java.util needed //  Based on  recommendation from NIST  SP800-­‐132.pdf public  class  PasswordEncryptionService { public  boolean authenticate(String  attemptedPassword,  byte[]  encryptedPassword,  byte[]  salt) throws NoSuchAlgorithmException,  InvalidKeySpecException { byte[]  encryptedAttemptedPassword =  getEncryptedPassword(attemptedPassword,  salt); return  Arrays.equals(encryptedPassword,  encryptedAttemptedPassword); } public  byte[]  getEncryptedPassword(String  password,  byte[]  salt) throws NoSuchAlgorithmException,  InvalidKeySpecException { String  algorithm =  "PBKDF2WithHmacSHA1’’;    //  SHA1  recommende by  nist int derivedKeyLength =  160; int iterations =  20000;  //  minimum  1000  its from NIST KeySpec spec =  new  PBEKeySpec(password.toCharArray(),  salt,  iterations,  derivedKeyLength); SecretKeyFactory f  =  SecretKeyFactory.getInstance(algorithm); return  f.generateSecret(spec).getEncoded(); } public  byte[]  generateSalt()  throws NoSuchAlgorithmException { SecureRandom random =  SecureRandom.getInstance("SHA1PRNG"); byte[]  salt =  new  byte[8]; random.nextBytes(salt); return  salt; SecurePasswordStorage
  • 49. • Authentication  Cheat  Sheet – https://www.owasp.org/index.php/Authentication_Cheat_Sheet • Password  Storage  Cheat  Sheet – https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • Forgot  Password  Cheat  Sheet – https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet • Session  Management  Cheat  Sheet – https://www.owasp.org/index.php/Session_Management_Cheat_Sheet • ASVS  AuthN and  Session  Requirements – https://www.owasp.org/index.php/OWASP_Application_Security_Verific ation_Standard_Project • Choose  Security  Questions – https://www.owasp.org/index.php/Choosing_and_Using_Security_Quest ions_Cheat_Sheet
  • 50.
  • 51. • What  benefits  do  HTTPS  provide? – Confidentiality,  Integrity  and  Authenticity – Confidentiality:  Spy  cannot  view  your  data – Integrity:  Spy  cannot  change  your  data – Authenticity:  Server  you  are  visiting  is  the   right  one
  • 52. Encryption  in  Transit  (HTTPS/TLS) • HTTPS  configuration  best  practices – https://www.owasp.org/index.php/Transport_L ayer_Protection_Cheat_Sheet – https://www.ssllabs.com/projects/best-­ practices/
  • 53. • Certificate  Pinning – https://www.owasp.org/index.php/Pinning_Cheat_Sheet • HSTS  (Strict  Transport  Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-­‐Transport-­‐Security:   max-­‐age=31536000 • Forward  Secrecy – https://whispersystems.org/blog/asynchronous-­‐security/ • Certificate  Creation  Transparency – http://certificate-­‐transparency.org • Browser  Certificate  Pruning – Etsy/Zane  Lackey
  • 54. HSTS  – Strict  Transport  Security • HSTS  (Strict  Transport  Security) – http://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-­‐Transport-­‐Security:  max-­‐age=31536000;   includeSubdomains • Forces  browser  to  only  make  HTTPS  connection  to  server • Must  be  initially  delivered  over  a  HTTPS  connection
  • 57. Risks  ?   • Error messages  can disclose information   valuable to  an  attacker • Failure can lead  to  an  unhandled state,  which can lead  to  denial of  service  – Unhandled failures can lead  to  malicious behavior being unnoticed
  • 58. Fail  Securely  !   • Not  Just  catching  exception • Not  Just  logging  exception/errors Handle  all  failures  securely  and  return  the   system  to  a  proper  state  
  • 59. Design  Patterns • Don't assume  that an  error condition  won't occur • It's what the  attackers want you to  assume   • Errors are  like accidents,  you don't expect them,  but  they happen • Any code  that can throw an  exception  should be in  a  Try Block   • Handle all  possible  exceptions   • Use  Finally Blocks:  leaving files  open  or  exceptions  defined after use  creates resource leaks and  possible  system  failure • Short  specific Try Blocks  give you more  control  over  the   error state  
  • 60. App  Layer  Intrusion  Detection • Great  detection  points  to  start  with – Input  validation  failure  server  side  when  client  side   validation  exists – Input  validation  failure  server  side  on  non-­user   editable  parameters  such  as  hidden  fields,   checkboxes,  radio  buttons  or  select  lists – Forced  browsing  to  common  attack  entry  points   – Honeypot  URL  (e.g.  a  fake  path  listed  in  robots.txt like  e.g.  /admin/secretlogin.jsp)  
  • 61. App  Layer  Intrusion  Detection • Others – Blatant  SQLi or  XSS  injection  attacks – Workflow  sequence  abuse  (e.g.  multi-­part  form  in   wrong  order) – Custom  business  logic  (e.g.  basket  vs catalogue   price  mismatch) – Further  Study: • “libinjection:  from  SQLi to  XSS” – Nick  Galbreath • “Attack  Driven  Defense”  – Zane  Lackey
  • 62. OWASP  AppSensor (Java) • Project  and  mailing  list   https://www.owasp.org/index.php/OWASP_A ppSensor_Project • Four-­page  briefing,  Crosstalk,  Journal  of   Defense  Software  Engineering • http://www.crosstalkonline.org/storage/issue-­ archives/2011/201109/201109-­Watson.pdf
  • 66. Security  Architecture  and  Design Strategic  effort • Business,  technical  and  security  stakeholders   • Functional  and  non-­‐functional  security  properties • Different  flavors/efforts  based  on  SDL/culture Example:  state • Should  you  use  the  request?   • Should  you  use  a  web  session?   • Should  you  use  the  database?   These  decisions  have  dramatic  security  implications
  • 67. Trusting  Input • Treating  all  client  side  data  as  untrusted  is   important,  and  can  be  tied  back  to  trust   zones/boundaries  in  design/architecture.   • Ideally  we  want  to  consider  all  tiers  to  be   untrusted  and  build  controls  at  all  layers,   but  this  is  not  practical  or  even  possible  for   some  very  large  systems.
  • 68. Security  Architecture  and  Design Additional  Considerations • Overall  Architecture/Design • Trust  Zones/Boundaries/Tiers 1. User  Interface,    API  (Webservices),   2. Business  Layer  (Custom  Logic),   3. Data  Layer  (Keys  to  the  Kingdom) 4. What  sources  can/cannot  be  trusted? • What  is  inside/outside  of  a  trust  zone/boundary • Specific  controls  need  to  exist  at  certain  layers • Attack  Surface
  • 69. Controlling  code  in  one  picture
  • 70. Pentest or  code  review  for   CISO   Top10 Web Pentest Code  Review A1-­‐Injection ++ +++ A2-­‐Broken  Authentication  and  Session   Management ++ + A3-­‐Cross-­‐Site  Scripting  (XSS) +++ +++ A4-­‐Insecure  Direct  Object  References + +++ A5-­‐Security  Misconfiguration + ++ A6-­‐Sensitive  Data  Exposure ++ + A7-­‐Missing  Function  Level  Access   Control + + A8-­‐Cross-­‐Site  Request  Forgery  (CSRF) ++ + A9-­‐Using  Components  with  Known   Vulnerabilities +++ A10-­‐Unvalidated  Redirects  and   Forwards + +
  • 71. Pentesting and  code  review  for  a   developer
  • 72. 10  reasons to  use  .... • Written in  Java  J • Integrated with CI  Tools   (Jenkins/Hudson/Bamboo) • Modular (plugins  by  languages) • Developer tools • Dashboard • OWASP  project J • Open-­‐Source  (and  commercial  too)
  • 75. LAST  BUT  NOT  LEAST....
  • 76. Lack  of  knowledge... String  myString =  "insecure"; myString.replace("i","1") //  do  Stuff
  • 77. Good  Try...but...catch  J public  class  BadCatch { public  void mymethodErr1()  { try { //do  Stuff }  catch  (SecurityException se){ System.err.println (se); } } }
  • 78. Nice  comments //  Pattern  to  match  the  string Pattern  myPattern =  "bword1W+(?:w+/W+){1,6}?word2b"; String  updated =  MYCONSTANT1.replaceAll(mypattern,  "$2"); //  i  iterate from 0  to  10 for  (int i=0;  i  <10  ;  i++)  { //  do  stuff myMethod(updated); }
  • 79. Unit  testing • In  computer  programming,  unit  testing is a  software  testing method by  which individual units of  source  code,  sets  of  one  or  more  computer  program   modules  together with associated control  data,  usage  procedures,  and   operating  procedures,  are  tested to  determine whether they are  fit  for  use..   (c)  Wikipedia