Top 10 Security Risks for Mobile Backend Developers
22.8.2016 Jiří Danihelka
1. SQL Injection
Recommendations:
- Always use a database library that is immune to SQL injection (e.g. Entity Framework).
- Do not build SQL commands by string concatenation. Do not rely just on character encoding.
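The two patterns the slide contrasts, shown side by side as an added example that is not part of the deck: a query built by string concatenation and the same query with a bound parameter. The sample table and its rows are constructed for the example; SQLite stands in for whatever database the backend uses, and Entity Framework's parameterisation behaves like the second function.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for the backend's store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("john", "john@example.com"), ("alice", "alice@example.com")],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, login: str) -> list:
    # The pattern the slide warns against: the user string becomes part of the
    # SQL text, so a quote character inside it changes the statement's meaning.
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, login: str) -> list:
    # The driver sends the value separately from the statement text; whatever
    # the string contains is compared as data and never parsed as SQL.
    sql = "SELECT login, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Constructed input containing a quote and an always-true condition.
CRAFTED_LOGIN = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_concat(db, "john"))          # one row, as intended
    print(find_user_concat(db, CRAFTED_LOGIN))   # every row: the WHERE clause was rewritten
    print(find_user_param(db, CRAFTED_LOGIN))    # no rows: no user has that literal login
```

The concatenated version returns the whole table for the crafted input because the statement the database sees is `WHERE login = '' OR '1'='1'`; the parameterised version looks for a user whose login is literally that string and finds none. Escaping quote characters by hand (the "character encoding" the slide mentions) is fragile across database dialects and encodings, which is why the recommendation is to use parameters or an ORM that always emits them.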
2. Cross Site Scripting and JavaScript Injection
Recommendations:
- Always HTML-encode user strings before putting them into the web page. ASP.Net does this automatically unless you use the @Html.Raw(...) function or a similar one.
- Treat page parameters (e.g. GET parameters, cookies, ...) as user input.
- Do not allow '<' and '>' in user inputs. (Administrators that create content may be an exception.)
- Users should not write HTML markup; give them a different markup instead, e.g. BB Code. (Administrators that create content may be an exception.)
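An added example (not code from the deck) of the output-encoding and BB Code advice above, written in Python rather than ASP.Net so that it runs stand-alone. The BB Code subset and the angle-bracket input check are assumptions for the example; the encoding step does by hand what Razor does automatically for `@variable` output.

```python
import html
import re


def render_user_text(text: str) -> str:
    """HTML-encode untrusted text before placing it in a page. Every character
    that could open a tag or attribute is turned into an entity."""
    return html.escape(text, quote=True)


# Small BB Code subset users may write instead of HTML (assumed for the example).
# The text is encoded FIRST, so the only tags that reach the page are the ones
# this table emits; anything the user typed as '<' is already '&lt;'.
_BB_RULES = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.S), r"<i>\1</i>"),
]


def render_bbcode(text: str) -> str:
    out = html.escape(text, quote=True)
    for pattern, replacement in _BB_RULES:
        out = pattern.sub(replacement, out)
    return out


def contains_angle_brackets(text: str) -> bool:
    """Input-side check from the slide: reject '<' and '>' in ordinary user
    fields. Callers can exempt administrator accounts that author content."""
    return "<" in text or ">" in text


if __name__ == "__main__":
    print(render_user_text('<i>x</i> & "y"'))
    print(render_bbcode("[b]bold[/b] & <i>raw</i>"))
```

Encoding before the BB Code pass is the important ordering: converting `[b]` first and encoding afterwards would turn the generated `<b>` back into text, while skipping the encoding would let a user's own `<i>raw</i>` through as markup. The angle-bracket check is a defence in depth on input; the output encoding is what actually stops script injection, because page parameters and cookies reach the page by other routes than the input form.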
3. Broken Authentication and Session Management
Recommendations:
- Do not put the session authentication token into the URL; put it into cookies.
- Users with disabled cookies should not have access to sites that need authentication.
- Passwords or session tokens end up stored in insecure places like:
  - URL parameters
  - Application logs
  - A URL shared on social networks
- Example log entry: Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’
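The log line on the slide is exactly the kind of leak a redaction step in the logging path prevents. Below is an added example, not code from the deck, that masks sensitive key=value pairs in free-form log text and sensitive query parameters in URLs before either is written anywhere. The parameter-name list is an assumption; the sample line is the slide's own.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names whose values must never reach a log line (assumed list).
SENSITIVE_PREFIXES = ("password", "passwd", "pwd", "token", "session", "auth")
REDACTED = "REDACTED"

# ASCII and typographic quotes that may wrap a logged value.
_Q = "'\"‘’"
_KV = re.compile(
    rf"(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<open>[{_Q}]?)(?P<val>[^\s,{_Q}]*)(?P<close>[{_Q}]?)"
)


def _is_sensitive(name: str) -> bool:
    n = name.lower()
    return any(n.startswith(p) for p in SENSITIVE_PREFIXES)


def redact_log_line(line: str) -> str:
    """Replace the value of every sensitive key=value pair, keeping the key
    and the surrounding quotes so the line stays readable."""
    def sub(m: re.Match) -> str:
        if _is_sensitive(m.group("key")):
            return f"{m.group('key')}={m.group('open')}{REDACTED}{m.group('close')}"
        return m.group(0)
    return _KV.sub(sub, line)


def redact_url(url: str) -> str:
    """Mask sensitive query parameters in a URL before it is logged or shared."""
    parts = urlsplit(url)
    query = [(k, REDACTED if _is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# The slide's example entry, used here as constructed sample input.
LOG_LINE = "Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’"

if __name__ == "__main__":
    print(redact_log_line(LOG_LINE))
    print(redact_url("https://api.example.com/reset?user=john&token=abc123"))
```

Redacting at the logging layer rather than at each call site means an error handler that dumps function arguments, as in the slide's example, cannot leak a password even when a developer forgets. The URL variant addresses the other two places the slide lists: a token in a query string is copied into access logs, browser history and anything the user shares.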
4. Insecure Direct Object References
Recommendations:
- Always check the user's permission when executing requests. Just hiding the unavailable options is not secure enough.
- Optionally use ids for your objects that are hard to guess and iterate, e.g. GUID values.
5. Cross Site Request Forgery
Recommendations:
- Either use ASP.Net anti-forgery tokens for forms ...
- ... or check the request origin against a whitelist of legitimate domains.
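An added example of the second option (not code from the deck): checking the request's origin against an allowlist. The origin list is an assumption; the check compares the full scheme and host rather than looking for the domain as a substring, because `app.example.com.other.test` contains `app.example.com`.

```python
from typing import Optional
from urllib.parse import urlsplit

# Origins allowed to submit state-changing requests (assumed for the example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Methods that must not change state and are therefore not checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to 'scheme://host[:port]' with the default port dropped,
    or return None when it is not an http(s) URL (e.g. the literal 'null')."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    host = p.hostname.lower()
    default_port = 443 if p.scheme == "https" else 80
    if p.port in (None, default_port):
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{p.port}"


def is_trusted_request(headers: dict, method: str) -> bool:
    """True when a state-changing request carries an Origin (or, failing that,
    a Referer) on the allowlist. Requests with neither header are rejected,
    since a browser always sends Origin on cross-site POSTs."""
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    origin = origin_of(source)
    return origin is not None and origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    print(is_trusted_request({"Origin": "https://app.example.com"}, "POST"))
    print(is_trusted_request({"Origin": "https://app.example.com.other.test"}, "POST"))
```

Rejecting requests that carry neither header is the conservative choice; some privacy proxies strip Referer, so the anti-forgery token route from the first bullet is the more robust option for form posts, and this check works well as a second layer in front of it.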
6. Security Misconfiguration
Recommendations:
- This topic is very broad and it is hard to give a general recommendation.
- Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout).
- Change default passwords.
- Do not store production credentials in the repository.
- Use different credentials in Dev and Live environments.
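The four concrete points on this slide can be turned into a startup check. The example below is added here and is not from the deck; the setting names, the default-password list and the timeout threshold are assumptions, not ASP.Net or IIS configuration keys, and the sample settings and committed-file text are constructed.

```python
# Assumed setting names and thresholds for the example.
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme"}
MAX_SESSION_TIMEOUT_MINUTES = 60
CREDENTIAL_KEYS = ("db_password", "api_key")


def check_settings(live: dict, dev: dict, repo_text: str) -> list:
    """Return a list of findings for the Live configuration: default admin
    password, missing or over-long session timeout, credentials shared with
    Dev, and credentials that also appear in a committed file."""
    findings = []

    if live.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin_password is empty or a well-known default")

    timeout = live.get("session_timeout_minutes")
    if timeout is None:
        findings.append("session_timeout_minutes is not set")
    elif timeout > MAX_SESSION_TIMEOUT_MINUTES:
        findings.append(f"session_timeout_minutes={timeout} is longer than {MAX_SESSION_TIMEOUT_MINUTES}")

    for key in CREDENTIAL_KEYS:
        value = live.get(key)
        if not value:
            continue
        if value == dev.get(key):
            findings.append(f"{key} is the same in Dev and Live")
        if value in repo_text:
            findings.append(f"{key} value appears in a committed file")
    return findings


# Constructed sample configurations.
SAMPLE_DEV = {"admin_password": "admin", "session_timeout_minutes": 30,
              "db_password": "devpass", "api_key": "dev-key"}
SAMPLE_LIVE_BAD = {"admin_password": "admin", "session_timeout_minutes": 1440,
                   "db_password": "devpass", "api_key": "live-key-9f3"}
SAMPLE_LIVE_GOOD = {"admin_password": "Zr8!vq-K2mQ#", "session_timeout_minutes": 20,
                    "db_password": "p-live-7Gc", "api_key": "k-live-4Hd"}
# Constructed text of a config file that was committed to the repository.
SAMPLE_REPO_TEXT = 'connectionString="Server=db;Password=devpass"\napiKey="live-key-9f3"\n'

if __name__ == "__main__":
    for finding in check_settings(SAMPLE_LIVE_BAD, SAMPLE_DEV, SAMPLE_REPO_TEXT):
        print("-", finding)
```

Running a check like this in deployment, and failing the deployment on any finding, turns the slide's "check your configuration carefully" into something that cannot be skipped under time pressure.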
7. Insecure Cryptographic Storage
Recommendations:
- Store passwords in an encrypted form (not in plaintext).
- Use one-way encryption of passwords using hashing.
- Use policies for password length and complexity to mitigate brute-force attacks.
- Use hashing with a random seed to avoid rainbow table attacks.
- Storage of:
  - Passwords
  - Credit card numbers
  - Bank account details
  - Any sensitive data
- Provides an additional level of protection when the database leaks.
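An added example (not from the deck) of the password recommendations together: a length and complexity policy, one-way hashing with a per-password random seed (usually called a salt), and a constant-time verification. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the minimum length are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000   # PBKDF2 work factor; assumed value, raise as hardware improves
MIN_LENGTH = 12        # policy minimum; assumed value
ALGORITHM = "pbkdf2_sha256"


def password_policy_errors(password: str) -> list:
    """Return the policy rules the password violates (empty list = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"\d", password):
        errors.append("no digit")
    return errors


def hash_password(password: str, salt: bytes = None) -> str:
    """One-way hash with a fresh 16-byte random salt. The salt is stored next
    to the digest; it is not secret, it only makes precomputed tables useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "Correct-Horse-7"
    print(password_policy_errors(pw))
    stored = hash_password(pw)
    print(stored)
    print(verify_password(pw, stored), verify_password("wrong", stored))
```

Two stored values for the same password differ because each gets its own salt, which is the property that defeats rainbow tables. The iteration count is stored with the hash so it can be raised later without invalidating existing records: verify with the stored count, then rehash with the new one on successful login.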
8. Failure to Restrict URL Access
Recommendations:
- Always check the user's permission when accessing a restricted page.
- Do not just hide links to the pages; the user can manually type the path.
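Risk 4 (object references) and risk 8 (page access) are the same rule at two levels: authorise on the server for every request, never by hiding a link. The example below is added here and is not from the deck; it serves both sections. It issues GUIDs (uuid4) as object ids as risk 4 suggests, checks ownership on every read, and checks the role a path requires after normalising the path. The roles, paths and users are assumptions.

```python
import posixpath
import uuid


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory data; assumed roles and users.
ADMINS = {"alice"}
DOCUMENTS = {}  # id -> {"owner": ..., "body": ...}


def create_document(owner: str, body: str) -> str:
    # A random GUID cannot be enumerated the way a sequential integer can.
    # It is still NOT a permission check; get_document performs that.
    doc_id = str(uuid.uuid4())
    DOCUMENTS[doc_id] = {"owner": owner, "body": body}
    return doc_id


def get_document(user: str, doc_id: str) -> str:
    """Object-level check (risk 4): the caller must own the document or be an admin."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    if user not in ADMINS and doc["owner"] != user:
        raise Forbidden(f"{user} may not read {doc_id}")
    return doc["body"]


# Page-level rule table (risk 8): path prefix -> roles that may open it.
PROTECTED_PREFIXES = {"/admin": {"admin"}, "/reports": {"user", "admin"}}


def authorize_path(role, path: str) -> bool:
    """Decide on the server whether a role may open a path. The path is
    normalised first so '/reports/../admin' is judged as '/admin'."""
    path = posixpath.normpath(path)
    for prefix, roles in PROTECTED_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role in roles
    return True  # not a protected prefix: public page


if __name__ == "__main__":
    did = create_document("bob", "bob's notes")
    print(get_document("bob", did))
    print(authorize_path("user", "/reports"), authorize_path("user", "/admin"))
```

Many backends answer a forbidden object with the same 404 they use for a missing one, so that a caller cannot learn which ids exist; the two exception types are kept separate here only to make the test explicit. The important point for both risks is that the check runs for every request regardless of which links the page showed.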
9. Insufficient Transport Layer Protection
Recommendations:
- Always use HTTPS for login pages.
- Do not combine secure and insecure content on a single page (e.g. using iframes).
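An added example, not code from the deck, of a check for the second bullet: scanning a page's HTML for sub-resources (iframes, scripts, stylesheets, images) and form targets that are loaded over plain http on an https page. The tag-to-attribute table and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute loads content into, or posts from, the page.
# A plain http:// value on an https page is mixed content (assumed table).
RESOURCE_ATTRS = {
    "iframe": "src",
    "script": "src",
    "img": "src",
    "link": "href",
    "form": "action",
}


class _MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            # Scheme-relative '//host/x' inherits the page scheme and is fine;
            # only an explicit 'http:' scheme is flagged.
            if name == wanted and value and urlsplit(value).scheme == "http":
                self.insecure.append((tag, value))


def find_mixed_content(page_html: str) -> list:
    """Return (tag, url) pairs for every insecure resource reference."""
    finder = _MixedContentFinder()
    finder.feed(page_html)
    finder.close()
    return finder.insecure


# Constructed sample page served over https.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<iframe src="http://widgets.example.net/feed"></iframe>
<form action="http://app.example.com/login" method="post"></form>
<img src="https://app.example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure {tag}: {url}")
```

The form hit is the one that matters most for the first bullet: a login form on an https page that posts to an http URL sends the password in clear, which the padlock on the page does nothing to prevent. The same scan fits naturally in a template test or a pre-deploy check.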
10. Unvalidated Redirects and Forwards
Recommendations:
- When you embed a 3rd-party object in your page (e.g. a YouTube video) based on a URL parameter, check it first against a whitelist.
- Also use a similar whitelist when your page redirects or forwards to a 3rd-party page based on a URL parameter.
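Both bullets come down to the same allowlist check on a URL taken from a parameter. The example below is added here and is not from the deck; the host lists and own-site host are assumptions. It accepts a local path or an https URL on an allowed host and falls back to the site root for anything else, including protocol-relative `//host` values and non-http schemes, which a plain "starts with /" test would let through.

```python
from typing import Optional
from urllib.parse import urlsplit

OWN_HOST = "app.example.com"                       # the backend's own host (assumed)
REDIRECT_HOSTS = {"partner.example.com"}           # 3rd-party hosts users may be sent to
EMBED_HOSTS = {"www.youtube.com", "youtube.com"}   # 3rd-party hosts that may be embedded


def _on_allowed_host(url: str, hosts: set) -> bool:
    # hostname() strips userinfo and port, so 'https://ok.host@other.host/' is
    # judged by 'other.host', the host a browser would actually contact.
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname is not None and p.hostname.lower() in hosts


def safe_redirect_target(target: str) -> str:
    """Return the target if it stays on our site or an allowed partner host,
    otherwise '/' (a safe default for an untrusted parameter)."""
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return "/"
    # A single leading slash is a local path; '//host' is an absolute URL.
    if target.startswith("/") and not target.startswith("//"):
        return target
    if _on_allowed_host(target, REDIRECT_HOSTS | {OWN_HOST}):
        return target
    return "/"


def safe_embed_url(url: str) -> Optional[str]:
    """Return the URL if it may be embedded (https on an allowed host), else None."""
    return url if _on_allowed_host(url, EMBED_HOSTS) else None


if __name__ == "__main__":
    for t in ("/account", "//other.test/x", "https://partner.example.com/ok",
              "https://partner.example.com.other.test/", "javascript:void(0)"):
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
    print(safe_embed_url("https://www.youtube.com/embed/abc"))
```

Backslashes and CR/LF are rejected up front because browsers treat `/\host` like `//host` and a newline in a Location header value can split the response. Matching the whole hostname against the list, rather than checking that the string contains the domain, is what keeps `partner.example.com.other.test` out.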
Security Checklist
Security Recommendations Checklist

Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Top 10 security risks for mobile backend developers

  • 1. Top 10 Security Risks for Mobile Backend Developers 22.8.2016 Jiří Danihelka
  • 2. 1. SQL Injection
    Recommendations:
    • Always use a database library that is immune to SQL injection (e.g. Entity Framework).
    • Do not build SQL commands by string concatenation. Do not rely on character escaping alone to make user input safe.
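The slide's two recommendations side by side, as an added example that is not part of the deck (Python with the standard-library sqlite3 driver rather than the Entity Framework stack the slide names; the table and rows are constructed). The concatenated query breaks on a perfectly legitimate login containing a quote, which is the same defect an injection exploits; the parameterised query sends the value separately from the statement text, so the driver never interprets it as SQL.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the backend's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("john", "john@example.test"), ("O'Brien", "ob@example.test")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, login):
    # Vulnerable form: the user-controlled value is spliced into the SQL text,
    # so any quote in it changes the statement instead of staying data.
    sql = "SELECT id, login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    # Hardened form: a bound parameter. The statement is fixed at compile
    # time and the value travels separately, whatever characters it holds.
    sql = "SELECT id, login, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    """Run both lookups against the constructed table and collect the outcomes."""
    conn = make_db()
    results = {
        "safe_plain": lookup_safe(conn, "john"),
        "safe_quote": lookup_safe(conn, "O'Brien"),
    }
    try:
        results["unsafe_quote"] = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early: a syntax error
        # here, a changed query under hostile input.
        results["unsafe_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same pattern holds for any driver or ORM: the defence is that user data is never part of the statement text, not that some characters were filtered.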
  • 3. 2. Cross Site Scripting and JavaScript Injection
    Recommendations:
    • Always HTML-encode user strings before putting them into the web page. ASP.Net does this automatically unless you use the @Html.Raw(...) function or a similar one.
    • Treat page parameters (e.g. GET parameters, cookies, ...) as user input.
    • Do not allow '<' and '>' in user inputs. (Administrators that create content may be an exception.)
    • Users should not write HTML markup; give them a different markup instead, e.g. BB Code. (Administrators that create content may be an exception.)
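How the three non-administrator recommendations fit together, as an added example that is not from the deck (Python's html module in place of ASP.Net's automatic encoding; the BB Code subset, the function names and the sample strings are constructed). Ordinary user input is rejected if it contains angle brackets, everything is HTML-encoded, and only then is the small BB Code vocabulary turned into markup, so every tag in the output was generated by the server and none was typed by the user.

```python
import html
import re

ANGLE_BRACKETS = re.compile(r"[<>]")


def validate_user_input(text):
    """Reject '<' and '>' for ordinary users (content administrators would bypass this)."""
    if ANGLE_BRACKETS.search(text):
        raise ValueError("angle brackets are not allowed in user input")
    return text


# Constructed BB Code subset: the user writes [b]...[/b], never HTML.
_BB_RULES = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.S), r"<i>\1</i>"),
]


def bbcode_to_html(text):
    """Encode first, then add markup, so the only tags in the output are ours."""
    out = html.escape(text, quote=True)   # & < > " ' become entities
    for pattern, repl in _BB_RULES:
        out = pattern.sub(repl, out)
    return out


def render_comment(user_text):
    """Full path for a user comment: validate, encode, convert BB Code."""
    return bbcode_to_html(validate_user_input(user_text))


if __name__ == "__main__":
    print(render_comment("[b]Hi[/b] & bye"))
```

Unclosed or unknown BB tags are left as literal text, which is the safe failure mode: the worst a malformed comment can do is look odd.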
  • 4. 3. Broken Authentication and Session Management
    Passwords or session tokens are stored in insecure places like:
    • URL parameters
    • Application logs
    • A URL shared on social networks
    • Example log entry: Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’
    Recommendations:
    • Do not put the session authentication token into the URL; put it into a cookie.
    • Users with disabled cookies should not have access to sites that need authentication.
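Three small defender-side checks for the leaks this slide lists, as an added example that is not part of the deck: a log formatter that redacts credential-like arguments (so the slide's ‘LoginUser’ entry never records the password), a test for session-looking parameters in a URL, and the session cookie as the place the token belongs. The key list, the cookie name and the sample values are constructed; the HttpOnly, Secure and SameSite attributes go beyond the slide's "put it into cookies" and are standard cookie hardening.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed list of argument / parameter names treated as secrets.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid", "auth"}


def redact(args):
    """Return a log-safe copy of request or function arguments."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in args.items()}


def format_failure(function_name, args):
    """Build the failure line from the slide, with secrets masked."""
    rendered = ", ".join(f"{k}={v!r}" for k, v in redact(args).items())
    return f"Error: function {function_name!r} failed - the arguments were {rendered}"


def url_leaks_secret(url):
    """True if a query parameter looks like a credential or session token."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(k.lower() in SENSITIVE_KEYS for k in query)


def session_cookie_header(token):
    """The session token goes into a cookie, never into the URL.

    HttpOnly keeps it away from page scripts, Secure limits it to HTTPS and
    SameSite=Lax blocks most cross-site sends (attributes added here as
    standard hardening; the slide only says to use a cookie).
    """
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(format_failure("LoginUser", {"Login": "John", "Password": "helllo"}))
    print(url_leaks_secret("https://app.example.test/home?sessionid=abc123"))
```

The URL check is the kind of assertion worth running in tests over every redirect or link the backend generates: if a token ever shows up in a query string, it will also end up in proxy logs, browser history and shared links.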
  • 5. 4. Insecure Direct Object References
    Recommendations:
    • Always check the user's permissions when executing a request. Just hiding the unavailable options is not secure enough.
    • Optionally use object ids that are hard to guess and iterate, e.g. GUID values.
  • 6. 5. Cross Site Request Forgery
    Recommendations:
    • Either use ASP.Net anti-forgery tokens for forms ...
    • ... or check the request origin against a whitelist of legitimate domains.
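Both options from the slide, as an added example that is not from the deck and not ASP.Net's own anti-forgery implementation: a synchroniser token compared in constant time, and an origin check that matches the request's Origin (or Referer) host exactly against a whitelist. The trusted host names and header dicts are constructed. One mechanism is enough per the slide; the two are shown together only to contrast them.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed whitelist of hosts allowed to submit state-changing requests.
TRUSTED_ORIGINS = {"app.example.test", "www.example.test"}


def origin_host(headers):
    """Host from the Origin header, falling back to Referer; None if absent."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    return urlsplit(value).hostname   # None for "null" or malformed values


def is_trusted_request(headers, trusted=TRUSTED_ORIGINS):
    """Option 2: exact host match against the whitelist.

    A substring or prefix test would accept "app.example.test.evil.test";
    comparing the parsed host name avoids that.
    """
    host = origin_host(headers)
    return host is not None and host.lower() in trusted


def new_antiforgery_token():
    """Option 1: an unguessable per-session token to embed in every form."""
    return secrets.token_urlsafe(32)


def token_matches(session_token, form_token):
    """Constant-time comparison of the session copy with the submitted copy."""
    if not session_token or not form_token:
        return False   # a missing token is a failed check, not a pass
    return hmac.compare_digest(session_token, form_token)


if __name__ == "__main__":
    print(is_trusted_request({"Origin": "https://app.example.test"}))
    t = new_antiforgery_token()
    print(token_matches(t, t))
```

A request with neither header fails the origin check; treating "absent" as "trusted" is the usual mistake in hand-written origin checks.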
  • 7. 6. Security Misconfiguration
    Recommendations:
    • This topic is very broad and it is hard to give a general recommendation.
    • Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout).
    • Change default passwords.
    • Do not store production credentials in the repository.
    • Use different credentials in Dev and Live environments.
  • 8. 7. Insecure Cryptographic Storage
    Storage of:
    • Passwords
    • Credit card numbers
    • Bank account details
    • Any sensitive data
    An additional level of protection for when the database leaks.
    Recommendations:
    • Never store passwords in plaintext.
    • Protect stored passwords with a one-way hash rather than reversible encryption.
    • Use policies for password length and complexity to mitigate brute-force attacks.
    • Hash with a random salt (seed) per password to defeat rainbow-table attacks.
  • 9. 8. Failure to Restrict URL Access
    Recommendations:
    • Always check the user's permission when a restricted page is accessed.
    • Do not just hide links to the pages; the user can manually type the path.
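Slides 4 (Insecure Direct Object References) and 8 (Failure to Restrict URL Access) make the same point at two levels, so one added example covers both; it is not from the deck and the store, route table, roles and user records are constructed. Objects are keyed by random GUIDs (uuid4), every read checks ownership regardless of what the UI showed, and every path is checked against a required-role table where an unlisted path is denied rather than allowed.

```python
import uuid

# Constructed in-memory object store: {doc_id: {"owner": user_id, "body": text}}.
DOCUMENTS = {}

# Constructed route table: which roles may open each restricted path.
ROUTE_ROLES = {
    "/admin/users": {"admin"},
    "/reports": {"admin", "analyst"},
    "/profile": {"admin", "analyst", "user"},
}


class Forbidden(Exception):
    """Raised when the caller lacks permission for the object or page."""


def create_document(owner, body):
    """GUID ids are hard to guess or iterate, unlike 1, 2, 3 (slide 4, second bullet)."""
    doc_id = str(uuid.uuid4())
    DOCUMENTS[doc_id] = {"owner": owner, "body": body}
    return doc_id


def get_document(doc_id, user):
    """Slide 4, first bullet: a hidden link is not a control, check on every request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if doc["owner"] != user["id"] and "admin" not in user["roles"]:
        raise Forbidden(f"{user['id']} may not read {doc_id}")
    return doc["body"]


def can_access_path(path, user):
    """Slide 8: the server decides by role, not by whether a link was shown."""
    required = ROUTE_ROLES.get(path)
    if required is None:
        return False   # unknown paths are denied; an allow-by-default table is the bug
    return bool(required & set(user["roles"]))


if __name__ == "__main__":
    alice = {"id": "alice", "roles": ["user"]}
    doc = create_document("alice", "quarterly numbers")
    print(doc, get_document(doc, alice))
    print(can_access_path("/admin/users", alice))
```

Hard-to-guess ids reduce exposure from enumeration but are explicitly "optional" on the slide: the ownership check is the control, the GUID is defence in depth.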
  • 10. 9. Insufficient Transport Layer Protection
    Recommendations:
    • Always use HTTPS for login pages.
    • Do not combine secure and insecure content on a single page (e.g. via iframes).
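Two checks for this slide, as an added example that is not from the deck: a scanner that lists the sub-resources (iframes, scripts, images, stylesheets, form targets) an HTTPS page pulls over plain HTTP, usable in a test suite against rendered pages, and a helper that redirects login-page requests arriving over HTTP to HTTPS. The tag/attribute table, the login paths and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed table of tags whose URL attribute fetches or submits content.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}


class InsecureResourceFinder(HTMLParser):
    """Collect (tag, url) pairs that use the plain http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Relative and protocol-relative ("//host/x") URLs inherit the
            # page's scheme and are not flagged; explicit http:// is.
            if name == attr and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, value))


def find_mixed_content(page_html):
    """Return every insecure sub-resource reference found in the page."""
    finder = InsecureResourceFinder()
    finder.feed(page_html)
    return finder.findings


def enforce_https(request_scheme, path, host, login_paths=("/login", "/account")):
    """Return the HTTPS URL to redirect to when a login page is requested over HTTP, else None."""
    if request_scheme != "https" and path in login_paths:
        return f"https://{host}{path}"
    return None


if __name__ == "__main__":
    # Constructed page mixing one insecure iframe with secure resources.
    sample = ('<html><body><iframe src="http://widgets.example.test/w"></iframe>'
              '<script src="https://cdn.example.test/a.js"></script></body></html>')
    print(find_mixed_content(sample))
    print(enforce_https("http", "/login", "app.example.test"))
```

The redirect only covers the request that reached you; a browser that first loads the HTTP page has already sent cookies in the clear, which is why the slide wants HTTPS on the login page from the start rather than after a redirect.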
  • 11. 10. Unvalidated Redirects and Forwards
    Recommendations:
    • When you embed a third-party object in your page (e.g. a YouTube video) based on a URL parameter, check the parameter against a whitelist first.
    • Use a similar whitelist when your page redirects or forwards to a third-party page based on a URL parameter.
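The whitelist check from both bullets, as an added example that is not from the deck: one validator shared by the embed and the redirect paths, parsing the parameter with urllib and accepting only absolute HTTPS URLs whose host name is exactly whitelisted. The allowed host sets and the fallback path are constructed. It also handles the forms a naive prefix or substring check gets wrong: protocol-relative "//host", look-alike hosts, and user-info before "@".

```python
from urllib.parse import urlsplit

# Constructed whitelists for the two cases on the slide.
ALLOWED_REDIRECT_HOSTS = {"partner.example.test", "www.example.test"}
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "youtube.com"}


def is_allowed_url(url, allowed_hosts):
    """True only for absolute https URLs whose host is exactly in the whitelist."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False   # rejects relative, "//host" and non-http schemes
    if parts.username or parts.password:
        return False   # "https://trusted@other-host/" would parse host as other-host
    return parts.hostname.lower() in allowed_hosts


def safe_redirect(target, fallback="/"):
    """Second bullet: redirect only to our own paths or whitelisted hosts."""
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target   # a local path on this site; "//" and "/\" would leave it
    return target if is_allowed_url(target, ALLOWED_REDIRECT_HOSTS) else fallback


def embed_url(param):
    """First bullet: the embed source from a URL parameter, or None if not whitelisted."""
    return param if is_allowed_url(param, ALLOWED_EMBED_HOSTS) else None


if __name__ == "__main__":
    print(safe_redirect("https://partner.example.test/done"))
    print(safe_redirect("https://partner.example.test.evil.test/"))
    print(embed_url("https://www.youtube.com/embed/VIDEO_ID"))
```

Returning a fixed fallback instead of an error keeps the user on your site; for embeds, returning None lets the template omit the element rather than render an unvetted source.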