2018 Orlando Devs - Application Security

A presentation on raising awareness around application security

Published in: Technology

  1. A Boy, A Sugar Glider and the TSA. Brian Clark @_clarkio. Credit: https://www.flickr.com/photos/pitmanra/
  2. Credit: https://www.flickr.com/photos/lostintexas/
  3. Credit: https://www.flickr.com/photos/muar_chee/
  4. Browser http://insecureheroes.com; Server http://insecureheroes.com
  5. Browser http://insecureheroes.com; Server http://insecureheroes.com
  6. Browser http://insecureheroes.com; Server http://insecureheroes.com
  7. Browser http://insecureheroes.com (Cookies); Server http://insecureheroes.com
  8. Browser http://insecureheroes.com (Cookies); Server http://insecureheroes.com. Hero: Luke
  9. Browser http://insecureheroes.com (Cookies), http://clickbaity.co; Server http://insecureheroes.com
  10. Browser http://insecureheroes.com (Cookies), http://attacker.com; Server http://insecureheroes.com. Attack insecureheroes.com. Hero: Darth
  11. Cross-site Request Forgery: an attack that executes a request on behalf of another authenticated user who did not intend to perform the requested action.
  12. Synchronizer Token Pattern: random token; unique to user and session; part of the request header; validated server-side.
  13. https://www.npmjs.com/package/csurf
  14. https://angular.io/guide/http#security-xsrf-protection
  15. https://caniuse.com/#search=samesite
  16. Cross-site Scripting (XSS): an attack that injects malicious code into a trusted web site such that it may be executed unintentionally by other users.
  17. Prevention. Content Security Policy: control what resources the browser is allowed to load. Input Handling: ensure data is aligned with the expectations for its intended use.
  18. Input Handling
  19. Input Handling
  20. Input Handling: Validation, Sanitization, Escaping
  21. Validation (Sanitization, Escaping): ensure the data is legit. Result: Invalid Email
  22. Sanitization (Validation, Escaping): clean the bad data. Result: BC
  23. Escaping (Validation, Sanitization): encode the bad data. B<script>alert(1);</script>C Result:
  24. Do not trust user input
  25. Where should we apply input handlers?
  26. Where should we apply input handlers? Client? Server?
  27. Browser http://insecureheroes.com; Server http://insecureheroes.com
  28. Browser http://insecureheroes.com; Server http://insecureheroes.com. Security Boundary
  29. Browser http://insecureheroes.com; Server http://insecureheroes.com. Security Boundary: Untrusted
  30. Browser http://insecureheroes.com; Server http://insecureheroes.com. Security Boundary: Trusted
  31. Both
  32. ?
  33. https://angular.io/guide/security
  34. https://angular.io/guide/security
  35. ?
  36. https://www.npmjs.com/package/express-validator
  37. https://www.npmjs.com/package/xss-filters
  38. Summary: Access Control, Malicious Input, Sugar Gliders, Faking Requests
  39. References: https://owasp.org ; https://github.com/Azure-Samples/angular-cosmosdb (branch: insecure-heroes) ; https://angular.io/guide/security ; https://www.npmjs.com/package/csurf ; https://angular.io/guide/http#security-xsrf-protection ; https://caniuse.com/#search=samesite
  40. Brian Clark @_clarkio. Thank You!