
DevSecCon Singapore 2019: Web Services aren’t as secure as we think


Tilak T

Web services are taking over the world. REST frameworks are accelerating this development because of their ease and flexibility. Developers often use and develop REST-based applications because they are exciting to work with, but they forget about security, which leads to compromised and exploited applications. For instance, in recent security tests against web services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities in web services. This talk offers a holistic perspective on finding and fixing some uncommon flaws, replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot Framework to identify such flaws in web services.


  1. Singapore | 28 Feb - 01 Mar 2019. Web Services aren’t as secure as we think. Tilak.T
  2. Yours truly (@ti1akt)
     • Senior Solutions Engineer at we45
     • Full Stack Developer
     • Developer of Open-Source
     • Trainer and Speaker
     • PSF Member
     • Part of multiple CTF
  3. Outline
     • Why security is important
     • Unique Vulnerabilities
     • Demo!
     • DevSecOps Pipeline
  4. Why web services aren't secure
  5. Ref: https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/
  6. Unique Vulnerabilities
     • JWT Manipulation
     • Insecure Deserialization
     • Insecure Direct Object Reference
     • etc.
  7. (image slide, no text)
  8. (image slide, no text)
  9. JWT Manipulation (OWASP-2017 A5 Broken Access Control)
  10. Why JWT
     • Stateless application
     • Authorization mechanism
     • Transfers information between server and client
     • Scalable and decoupled
  11. JSON Web Token (JWT). The process is relatively simple (typically):
     • Once a user authenticates, the server generates a JSON payload (with some info) and signs it with a key
     • This can be an HMAC-based key (HS256) or an asymmetric system (RS256)
     • The token is sent by the client (like a session cookie)
     • The server attempts to verify the token based on the signature and allows/disallows the user to perform actions
  12. Lots of ways to get JWT wrong
     • Modify the algorithm to `none`
     • Leakage of sensitive information
     • Algorithm Confusion
     • Cracking Secret Keys
  13. (image slide, no text)
  14. (image slide, no text)
  15. Insecure Deserialization (OWASP-2017 A5 Broken Access Control)
  16. (image slide, no text)
  17. (image slide, no text)
  18. (image slide, no text)
  19. (image slide, no text)
  20. Basic Pipeline Demo
  21. SecDevOps Jenkins pipeline
  22. (image slide, no text)
  23. Abhay Bhargav, Rahul Raghavan, Sandeep Patil, Sharath Kumar, Nithin Jois
  24. Thank You. https://github.com/we45/DevSecCon2019
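As an added example (not code from the talk or from the we45 repository), a minimal HS256 verifier in Python that pins the algorithm server-side instead of trusting the token's own `alg` header, which is the defence against the `none` and algorithm-confusion items on the JWT slides; the key, claims and token values are constructed for illustration, and `exp` is treated as mandatory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Pinned server-side. Honouring whatever "alg" the token's header claims is
# what makes the `none` and algorithm-confusion attacks from slide 12 work.
EXPECTED_ALG = "HS256"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(key: bytes, header_b64: str, payload_b64: str) -> bytes:
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def issue_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(claims).base64url(sig)."""
    header_b64 = b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256(key, header_b64, payload_b64))}"

def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, else None. Rejects malformed tokens,
    any alg other than EXPECTED_ALG (so `none` and RS256-to-HS256 confusion both
    fail), bad or missing signatures, and tokens without a future "exp"."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None  # the token does not get to choose the algorithm
    if not hmac.compare_digest(sig, hs256(key, header_b64, payload_b64)):
        return None  # constant-time comparison against the recomputed MAC
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # exp is mandatory for this service and must be in the future
    return claims
```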
