121 desarrollando aplicaciones-seguras_con_gene_xus
Published in: Technology
  • Improve security in applications. Make security a visible topic. Principles: characteristics, behaviours and implementation choices that try to reduce threats and the impact they could have. E.g. fail securely, fail-safe defaults, don't trust infrastructure, don't trust services, etc. Attacks: techniques that exploit vulnerabilities. Vulnerabilities: a weakness in the system that compromises the information or the operation of the application, allowing an attacker to cause some kind of damage. Top 10: consensus on the 10 highest risks that exist today in web applications.
  • Project: tools and methodology. Risk assessment. Penetration tests.
  • Transcript

    • 1. Developing secure applications with GeneXus
    • 2. Secure applications
      Awareness
      Competence
      Secure applications
      Solid platform
      Tools
      Review
      Authorization/Authentication
    • 3. Secure applications
      B
      A
      for each
      if customerId>1

      endif
      endfor
      for each
      where customerId>1

      endfor
      SELECT SUM(salary) FROM employees WHERE salary > 25000
      SELECT salary FROM employees;
      OPEN cursor;
      FETCH NEXT FROM cursor;
      WHILE ….
      IF salary > 25000
      x = x + salary;
      FETCH NEXT FROM cursor;

    • 4. Secure applications
    • 5. OWASP - Attacks
      A
      Account lockout attack
      Argument Injection or Modification
      Asymmetric resource consumption (amplification)
      B
      Binary planting
      Blind SQL Injection
      Blind XPath Injection
      Brute force attack
      Buffer overflow attack
      C
      CSRF
      Cache Poisoning
      Cash Overflow
      Code Injection
      Command Injection
      Comment Injection Attack
      Cross Frame Scripting
      Cross Site History Manipulation (XSHM)
      Cross Site Tracing
      Cross-Site Request Forgery (CSRF)
      Cross-User Defacement
      Cross-site Scripting (XSS)
      Cryptanalysis
      Custom Special Character Injection
      D
      Denial of Service
      Direct Dynamic Code Evaluation ('Eval Injection')
      Direct Static Code Injection
      Double Encoding
      F
      Forced browsing
      Format string attack
      Full Path Disclosure
      H
      HTTP Request Smuggling
      HTTP Response Splitting
      L
      LDAP injection
      M
      Man-in-the-browser attack
      Man-in-the-middle attack
      Mobile code: invoking untrusted mobile code
      Mobile code: non-final public field
      Mobile code: object hijack
      N
      Network Eavesdropping
      O
      One-Click Attack
      Overflow Binary Resource File
      P
      Page Hijacking
      Parameter Delimiter
      Path Manipulation
      Path Traversal
      R
      Regular expression Denial of Service - ReDoS
      Relative Path Traversal
      Repudiation Attack
      Resource Injection
      S
      SQL Injection
      Server-Side Includes (SSI) Injection
      Session Prediction
      Session fixation
      Session hijacking attack
      Setting Manipulation
      Special Element Injection
      Spyware
      T
      Traffic flood
      Trojan Horse
      U
      Unicode Encoding
      W
      Web Parameter Tampering
      Windows ::DATA alternate data stream
      X
      XPATH Injection
      XSRF
    • 6. OWASP - Vulnerabilities
      A
      ASP.NET Misconfigurations
      Access control enforced by presentation layer
      Addition of data-structure sentinel
      Allowing Domains or Accounts to Expire
      Allowing password aging
      Assigning instead of comparing
      Authentication Bypass via Assumed-Immutable Data
      B
      Buffer Overflow
      Buffer underwrite
      Business logic vulnerability
      C
      CRLF Injection
      Capture-replay
      Catch NullPointerException
      Comparing classes by name
      Comparing instead of assigning
      Comprehensive list of Threats to Authentication Procedures and Data
      Covert timing channel
      Cross Site Scripting Flaw
      D
      Dangerous Function
      Deletion of data-structure sentinel
      Deserialization of untrusted data
      Directory Restriction Error
      Double Free
      Doubly freeing memory
      Duplicate key in associative list (alist)
      E
      Empty Catch Block
      Empty String Password
      F
      Failure of true random number generator
      Failure to account for default case in switch
      Failure to add integrity check value
      Failure to check for certificate revocation
      Failure to check integrity check value
      Failure to check whether privileges were dropped successfully
      Failure to deallocate data
      Failure to drop privileges when reasonable
      Failure to encrypt data
      Failure to follow chain of trust in certificate validation
      Failure to follow guideline/specification
      Failure to protect stored data from modification
      Failure to provide confidentiality for stored data
      Failure to validate certificate expiration
      Failure to validate host-specific certificate data
      File Access Race Condition: TOCTOU
      Format String
      G
      Guessed or visible temporary file
      H
      Hard-Coded Password
      Heap Inspection
      Heap overflow
      I
      Ignored function return value
      Illegal Pointer Value
      Improper Data Validation
      Improper cleanup on thrown exception
      Improper error handling
      Improper string length checking
      Improper temp file opening
      Incorrect block delimitation
      Information Leakage
      Information leak through class cloning
      Information leak through serialization
      Insecure Compiler Optimization
      Insecure Randomness
      Insecure Temporary File
      Insecure Third Party Domain Access
      Insecure Transport
      Insufficient Entropy
      Insufficient Session-ID Length
      Insufficient entropy in pseudo-random number generator
      Integer coercion error
      Integer overflow
      Invoking untrusted mobile code
      J
      J2EE Misconfiguration: Unsafe Bean Declaration
      K
      Key exchange without entity authentication
      L
      Least Privilege Violation
      Leftover Debug Code
      Log Forging
      Log injection
      M
      Member Field Race Condition
      Memory leak
      Miscalculated null termination
      Misinterpreted function return value
      Missing Error Handling
      Missing XML Validation
      Missing parameter
      Multiple admin levels
      Mutable object returned
      N
      Non-cryptographic pseudo-random number generator
      Not allowing password aging
      Not using a random initialization vector with cipher block chaining mode
      Null Dereference
      O
      OWASP .NET Vulnerability Research
      Object Model Violation: Just One of equals() and hashCode() Defined
      Often Misused: Authentication
      Often Misused: Exception Handling
      Often Misused: File System
      Often Misused: Privilege Management
      Often Misused: String Management
      Omitted break statement
      Open forward
      Open redirect
      Overflow of static internal buffer
      Overly-Broad Catch Block
      Overly-Broad Throws Declaration
      P
      PHP File Inclusion
      PRNG Seed Error
      Passing mutable objects to an untrusted method
      Password Management: Hardcoded Password
      Password Management: Weak Cryptography
      Password Plaintext Storage
      Poor Logging Practice
      Portability Flaw
      Privacy Violation
      Process Control
      Publicizing of private data when using inner classes
      R
      Race Conditions
      Reflection attack in an auth protocol
      Reflection injection
      Relative path library search
      Reliance on data layout
      Relying on package-level scope
      Resource exhaustion
      Return Inside Finally Block
      Reusing a nonce, key pair in encryption
      S
      Session Fixation
      Sign extension error
      Signed to unsigned conversion error
      Stack overflow
      State synchronization error
      Storing passwords in a recoverable format
      String Termination Error
      Symbolic name not mapping to correct object
      T
      Truncation error
      Trust Boundary Violation
      Trust of system event data
      Trusting self-reported DNS name
      Trusting self-reported IP address
      U
      Uncaught exception
      Unchecked Error Condition
      Unchecked Return Value: Missing Check against Null
      Unchecked array indexing
      Undefined Behavior
      Uninitialized Variable
      Unintentional pointer scaling
      Unreleased Resource
      Unrestricted File Upload
      Unsafe JNI
      Unsafe Mobile Code
      Unsafe Reflection
      Unsafe function call from a signal handler
      Unsigned to signed conversion error
      Use of Obsolete Methods
      Use of hard-coded password
      Use of sizeof() on a pointer type
      Using a broken or risky cryptographic algorithm
      Using a key past its expiration date
      Using freed memory
      Using password systems
      Using referer field for authentication or authorization
      Using single-factor authentication
      Using the wrong operator
      V
      Validation performed in client
      W
      Wrap-around error
      Write-what-where condition
    • 7. OWASP Top 10
    • 8. Secure applications with GeneXus
    • 9. Secure applications
      Awareness
      Competence
      Secure applications
      Solid platform
      Tools
      Review
      Authorization/Authentication
    • 10. OWASP Top 10
    • 11. A1: Injection
    • 12. A2: Cross-Site Scripting (XSS)
    • 13. A3: Broken Authentication and Session Management
    • 14. A4: Insecure Direct Object References
    • 15. A5: Cross-Site Request Forgery (CSRF)
    • 16. A6: Security Misconfiguration
    • 17. A7: Insecure Cryptographic Storage
    • 18. A8: Failure to Restrict URL Access
    • 19. A9: Insufficient Transport Layer Protection
    • 20. A10: Unvalidated Redirects and Forwards
    • 21. Tools
    • 22. Tools
    • 23.
    • 24. Tools
    • 25. GAM – What does it do?
    • 26. What we are doing
    • 27. What you have to do