121 desarrollando aplicaciones-seguras_con_gene_xus


Published in: Technology
  • Improve security in applications. Make security a visible topic. Principles: characteristics, behaviour and implementation choices that try to reduce threats and the impact they could have. E.g. fail securely, fail-safe defaults, don't trust infrastructure, don't trust services, etc. Attacks: techniques that exploit vulnerabilities. Vulnerabilities: a weakness in the system that compromises the application's information or operation, allowing an attacker to cause some kind of damage. Top 10: consensus on the 10 highest risks that exist today in web applications.
  • Project: tools and methodology; risk assessment; penetration tests.

    1. Developing secure applications with GeneXus
    2. Secure applications (diagram): Awareness, Competence, Solid platform, Tools, Review, Authorization/Authentication
    3. Secure applications
       Two ways of filtering inside a GeneXus for each, labelled A and B on the slide, each shown with the SQL it corresponds to. With the condition in the loop body every row is read and tested in the application; with it in the where clause the condition becomes part of the generated query and the database does the filtering.

           for each
               if customerId > 1
                   …
               endif
           endfor

           SELECT salary FROM employees;
           OPEN cursor;
           FETCH NEXT FROM cursor;
           WHILE …
               IF salary > 25000
                   x = x + salary;
               FETCH NEXT FROM cursor;
           …

           for each
           where customerId > 1
               …
           endfor

           SELECT SUM(salary) FROM employees WHERE salary > 25000

    4. Secure applications
    5. OWASP - Attacks
       A: Account lockout attack; Argument Injection or Modification; Asymmetric resource consumption (amplification)
       B: Binary planting; Blind SQL Injection; Blind XPath Injection; Brute force attack; Buffer overflow attack
       C: CSRF; Cache Poisoning; Cash Overflow; Code Injection; Command Injection; Comment Injection Attack; Cross Frame Scripting; Cross Site History Manipulation (XSHM); Cross Site Tracing; Cross-Site Request Forgery (CSRF); Cross-User Defacement; Cross-site Scripting (XSS); Cryptanalysis; Custom Special Character Injection
       D: Denial of Service; Direct Dynamic Code Evaluation ('Eval Injection'); Direct Static Code Injection; Double Encoding
       F: Forced browsing; Format string attack; Full Path Disclosure
       H: HTTP Request Smuggling; HTTP Response Splitting
       L: LDAP injection
       M: Man-in-the-browser attack; Man-in-the-middle attack; Mobile code: invoking untrusted mobile code; Mobile code: non-final public field; Mobile code: object hijack
       N: Network Eavesdropping
       O: One-Click Attack; Overflow Binary Resource File
       P: Page Hijacking; Parameter Delimiter; Path Manipulation; Path Traversal
       R: Regular expression Denial of Service - ReDoS; Relative Path Traversal; Repudiation Attack; Resource Injection
       S: SQL Injection; Server-Side Includes (SSI) Injection; Session Prediction; Session fixation; Session hijacking attack; Setting Manipulation; Special Element Injection; Spyware
       T: Traffic flood; Trojan Horse
       U: Unicode Encoding
       W: Web Parameter Tampering; Windows ::DATA alternate data stream
       X: XPATH Injection; XSRF
    6. OWASP - Vulnerabilities
       A: ASP.NET Misconfigurations; Access control enforced by presentation layer; Addition of data-structure sentinel; Allowing Domains or Accounts to Expire; Allowing password aging; Assigning instead of comparing; Authentication Bypass via Assumed-Immutable Data
       B: Buffer Overflow; Buffer underwrite; Business logic vulnerability
       C: CRLF Injection; Capture-replay; Catch NullPointerException; Comparing classes by name; Comparing instead of assigning; Comprehensive list of Threats to Authentication Procedures and Data; Covert timing channel; Cross Site Scripting Flaw
       D: Dangerous Function; Deletion of data-structure sentinel; Deserialization of untrusted data; Directory Restriction Error; Double Free; Doubly freeing memory; Duplicate key in associative list (alist)
       E: Empty Catch Block; Empty String Password
       F: Failure of true random number generator; Failure to account for default case in switch; Failure to add integrity check value; Failure to check for certificate revocation; Failure to check integrity check value; Failure to check whether privileges were dropped successfully; Failure to deallocate data; Failure to drop privileges when reasonable; Failure to encrypt data; Failure to follow chain of trust in certificate validation; Failure to follow guideline/specification; Failure to protect stored data from modification; Failure to provide confidentiality for stored data; Failure to validate certificate expiration; Failure to validate host-specific certificate data; File Access Race Condition: TOCTOU; Format String
       G: Guessed or visible temporary file
       H: Hard-Coded Password; Heap Inspection; Heap overflow
       I: Ignored function return value; Illegal Pointer Value; Improper Data Validation; Improper cleanup on thrown exception; Improper error handling; Improper string length checking; Improper temp file opening; Incorrect block delimitation; Information Leakage; Information leak through class cloning; Information leak through serialization; Insecure Compiler Optimization; Insecure Randomness; Insecure Temporary File; Insecure Third Party Domain Access; Insecure Transport; Insufficient Entropy; Insufficient Session-ID Length; Insufficient entropy in pseudo-random number generator; Integer coercion error; Integer overflow; Invoking untrusted mobile code
       J: J2EE Misconfiguration: Unsafe Bean Declaration
       K: Key exchange without entity authentication
       L: Least Privilege Violation; Leftover Debug Code; Log Forging; Log injection
       M: Member Field Race Condition; Memory leak; Miscalculated null termination; Misinterpreted function return value; Missing Error Handling; Missing XML Validation; Missing parameter; Multiple admin levels; Mutable object returned
       N: Non-cryptographic pseudo-random number generator; Not allowing password aging; Not using a random initialization vector with cipher block chaining mode; Null Dereference
       O: OWASP .NET Vulnerability Research; Object Model Violation: Just One of equals() and hashCode() Defined; Often Misused: Authentication; Often Misused: Exception Handling; Often Misused: File System; Often Misused: Privilege Management; Often Misused: String Management; Omitted break statement; Open forward; Open redirect; Overflow of static internal buffer; Overly-Broad Catch Block; Overly-Broad Throws Declaration
       P: PHP File Inclusion; PRNG Seed Error; Passing mutable objects to an untrusted method; Password Management: Hardcoded Password; Password Management: Weak Cryptography; Password Plaintext Storage; Poor Logging Practice; Portability Flaw; Privacy Violation; Process Control; Publicizing of private data when using inner classes
       R: Race Conditions; Reflection attack in an auth protocol; Reflection injection; Relative path library search; Reliance on data layout; Relying on package-level scope; Resource exhaustion; Return Inside Finally Block; Reusing a nonce, key pair in encryption
       S: Session Fixation; Sign extension error; Signed to unsigned conversion error; Stack overflow; State synchronization error; Storing passwords in a recoverable format; String Termination Error; Symbolic name not mapping to correct object
       T: Truncation error; Trust Boundary Violation; Trust of system event data; Trusting self-reported DNS name; Trusting self-reported IP address
       U: Uncaught exception; Unchecked Error Condition; Unchecked Return Value: Missing Check against Null; Unchecked array indexing; Undefined Behavior; Uninitialized Variable; Unintentional pointer scaling; Unreleased Resource; Unrestricted File Upload; Unsafe JNI; Unsafe Mobile Code; Unsafe Reflection; Unsafe function call from a signal handler; Unsigned to signed conversion error; Use of Obsolete Methods; Use of hard-coded password; Use of sizeof() on a pointer type; Using a broken or risky cryptographic algorithm; Using a key past its expiration date; Using freed memory; Using password systems; Using referer field for authentication or authorization; Using single-factor authentication; Using the wrong operator
       V: Validation performed in client
       W: Wrap-around error; Write-what-where condition
    7. OWASP Top 10
    8. Secure applications with GeneXus
    9. Secure applications (diagram, as on slide 2): Awareness, Competence, Solid platform, Tools, Review, Authorization/Authentication
    10. OWASP Top 10 (the 2010 list, A1 to A10 below)
    11. A1: Injection
    12. A2: Cross-Site Scripting (XSS)
    13. A3: Broken Authentication and Session Management
    14. A4: Insecure Direct Object References
    15. A5: Cross-Site Request Forgery (CSRF)
    16. A6: Security Misconfiguration
    17. A7: Insecure Cryptographic Storage
    18. A8: Failure to Restrict URL Access
    19. A9: Insufficient Transport Layer Protection
    20. A10: Unvalidated Redirects and Forwards
    21. Tools
    22. Tools
    23.
    24. Tools
    25. GAM (GeneXus Access Manager) – What does it do?
    26. What we are doing
    27. What you have to do
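Slide 3 contrasts testing the condition inside the loop against putting it in the for each where clause, and slide 11 names Injection as OWASP A1. The script below is an added example written for this page; it is not code from the deck and not SQL generated by GeneXus, and the employees table, its salaries and the threshold 25000 are constructed sample data. It shows the two filtering styles from slide 3 returning the same total, then shows why the value in the WHERE clause must be a bound parameter rather than pasted into the query text: given the same attacker-controlled string, the concatenated query sums every row while the bound one treats the string as data and matches nothing.

```python
import sqlite3

# Constructed sample data, not from the deck: (customerId, salary) rows.
EMPLOYEES = [
    (1, 20000),
    (2, 30000),
    (3, 26000),
    (4, 25000),
]


def make_db():
    """Build an in-memory employees table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (customerId INTEGER, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def sum_filter_in_app(conn, threshold):
    """Slide 3, 'if' inside the loop: every row is fetched and the test runs in
    application code, like the cursor / FETCH NEXT SQL shown on the slide."""
    total = 0
    for (salary,) in conn.execute("SELECT salary FROM employees"):
        if salary > threshold:
            total += salary
    return total


def sum_filter_in_db(conn, threshold):
    """Slide 3, 'where' clause: the condition is part of the query and the value
    travels as a bound parameter, so the database only ever compares it as data."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(salary), 0) FROM employees WHERE salary > ?",
        (threshold,),
    ).fetchone()
    return total


def sum_filter_concatenated(conn, threshold):
    """OWASP A1 anti-pattern: the value is pasted into the SQL text, so whatever
    the caller passes becomes part of the statement. Kept only for contrast."""
    (total,) = conn.execute(
        f"SELECT COALESCE(SUM(salary), 0) FROM employees WHERE salary > {threshold}"
    ).fetchone()
    return total


def compare(threshold):
    """Run the three variants on a fresh database with a numeric threshold and
    return their totals; all three agree when the input is a plain number."""
    conn = make_db()
    try:
        return {
            "in_app": sum_filter_in_app(conn, threshold),
            "bound": sum_filter_in_db(conn, threshold),
            "concatenated": sum_filter_concatenated(conn, threshold),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare(25000))  # {'in_app': 56000, 'bound': 56000, 'concatenated': 56000}
    # A hypothetical attacker-controlled value. Concatenation turns the predicate
    # into "salary > 0 OR 1=1" and sums every row; binding compares each integer
    # salary against the text '0 OR 1=1', which SQLite orders above every number,
    # so nothing matches.
    conn = make_db()
    print(sum_filter_concatenated(conn, "0 OR 1=1"))  # 101000
    print(sum_filter_in_db(conn, "0 OR 1=1"))  # 0
    conn.close()
```

The bound variant is the one to keep: it is the same shape as the where-clause for each on slide 3, and the value can never change the statement the database executes. In a real application the threshold would also be validated as a number at the boundary before it reaches the query.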