
Security presentation

  1. SECURITY IN WEB DEVELOPMENT
     Agenda: Demonstration, Problems, Implementations, Conclusion, Reflections
     I will be touching upon the following:
     ● Basic web application security concepts
     ● Security flaws in web applications
     ● Our security challenges
  2. Demonstration
  3. Problems detected
     Security-related problems in our web application:
     ● All forms are vulnerable
     ● Passwords need protection
     ● The backend needs authorization (access control)
     ● The comment area needs restrictions
     ● Logging of behaviour is necessary to understand the attacker better
     ● We need the possibility to ban users who misbehave
     ● The image uploader needs protection
  4. Implementations
     Security-related implementations we did:
     ● Anti-CSRF tokens plus a Referer-header check to prevent CSRF attacks
     ● reCAPTCHA to keep bots from filling out forms
     ● "5 tries and out!": lockout after 5 failed attempts, so attackers cannot keep guessing passwords or trying one payload after another
     ● Authorization checks for users of the backend
     ● HTML entity encoding of user input on output to prevent XSS
     ● Prepared statements to avoid SQL injection
     ● A file-extension check to block scripts disguised as images (an extension check alone is easy to bypass: the file content should be checked too, and uploads should be served from a location where they are never executed)
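The measures on this slide, as an added example in Python (standard library only; it is not the project's own code). The site origin `https://example.test`, the `users` table and the lockout counter being in memory are assumptions. The upload check goes one step beyond the slide: it checks the file signature as well as the extension, and the SQL section shows the vulnerable string-built query next to the prepared statement so the difference is visible on an injection payload.

```python
"""Added example (not the project's code): stdlib-only versions of the
measures on this slide. Origin, table name and thresholds are assumptions."""
import hmac
import html
import secrets
import sqlite3
from urllib.parse import urlparse

SITE_ORIGIN = "https://example.test"   # assumed: the site's own origin
MAX_ATTEMPTS = 5                       # "5 tries and out"


# --- CSRF: per-session synchroniser token plus a Referer check -------------
def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and return it
    so the form can carry it in a hidden field."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def verify_csrf(session: dict, form_token: str, referer: str = "") -> bool:
    """Accept only if the submitted token equals the session copy
    (constant-time compare) and, when a Referer was sent, it points back
    at our own origin. A missing Referer is tolerated; the token decides."""
    expected = session.get("csrf")
    if not expected or not form_token:
        return False
    if not hmac.compare_digest(expected, form_token):
        return False
    if referer:
        got, own = urlparse(referer), urlparse(SITE_ORIGIN)
        if (got.scheme, got.netloc) != (own.scheme, own.netloc):
            return False
    return True


# --- Brute force: lock the account after MAX_ATTEMPTS failures --------------
class LoginGuard:
    def __init__(self, check_password):
        self._check = check_password          # callable(user, password) -> bool
        self._failures: dict = {}             # assumed: in-memory counter

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Once locked, even the correct
        password is refused until an admin (or a timer) resets the counter."""
        if self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if self._check(user, password):
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "locked" if self._failures[user] >= MAX_ATTEMPTS else "denied"


# --- XSS: encode user text as HTML entities at output time ------------------
def render_comment(text: str) -> str:
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- SQL injection: string building versus a prepared statement -------------
def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")           # assumed schema
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable on purpose: the value is spliced into the SQL text."""
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn, name: str) -> list:
    """Prepared statement: the driver passes the value separately, so it is
    never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Uploads: extension check, plus the content check the slide lacks -------
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
         "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}


def is_image_upload(filename: str, data: bytes) -> bool:
    """Reject unless the extension is an allowed image type AND the file
    starts with that type's signature; a PHP script renamed to .png fails."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    return magic is not None and data.startswith(magic)
```

With the payload `x' OR '1'='1`, `find_user_unsafe` returns every row while `find_user_safe` returns nothing, which is exactly why the slide's prepared statements matter. The lockout counter here lives in process memory; a real deployment keeps it in the database or a cache so a restart does not reset it.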
  5. Conclusion
     We have some kind of security; we prevent:
     ● CSRF
     ● XSS
     ● SQL injection
     ● Bots filling out forms
     ● Script attacks disguised as images
     But security is a dynamic process:
     ● Logging makes it possible to learn from the attackers
     ● A honeypot system would help us even more
  6. Reflections
     What we still need to do:
     ● A confirmation process (email confirmation)
     ● Honeypot implementation
     ● Securing our logged text files
     ● Rejecting weak passwords such as "password" and "1234"
