Most common application security vulnerabilities are more or less variants of the same thing, "the anti-pattern". The anti-pattern is typically: 1 - an externally supplied input, and 2 - a powerful API operating directly on that input. The big point of the presentation was to highlight why the Criteria API (or parameterized queries, where a Criteria-style API is not available) is to be used.
Presented at Opkoko 2012.
4. Code not Text!
Text query languages suck.
Criteria & Entity API: WIN
5. Code not Text
Root<Pet> pet = cq.from(Pet.class);                // Criteria API: the query is built as code, not text
cq.where(cb.equal(pet.get(Pet_.name), input));     // input is bound as a value; it can never become query syntax
s = "SELECT FROM pet WHERE pet.name =" + input;    // text query: the input becomes part of the query itself
executeSQL(s);                                     // the anti-pattern: a powerful API fed raw external input
6. Fear String.Concat
Parameterized Queries: use placeholders (bind parameters) instead of concatenating user input
7. Remove String.Concat
s = "SELECT FROM pet WHERE pet.name = @name";      // fixed query text with a placeholder
ps = prepare(s);                                   // parsed once, before any input is seen
ps.bind("@name", input);                           // input travels as a value, not as query text
s = "SELECT FROM pet WHERE pet.name =" + input;    // the anti-pattern again, shown for contrast
executeSQL(s);
10. Defense in Depth
input = GET["username"];
if (whitelist.bad(input)) {                        // input does not match the allowed pattern
    secLog("reject…");                             // record the rejection so it can be detected
    throw new Exception();
}
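Slides 7 and 10 side by side, as an added example that is not part of the original deck: a concatenated query, its parameterized replacement, and an allowlist check in front of both. The table, the sample rows, the name pattern and the secLog call are all assumptions made for this example; sqlite3 is used because it ships with Python.

```python
import re
import sqlite3

# Constructed sample data for the example; the slides define no schema.
PETS = [("Rex", "dog"), ("O'Malley", "cat"), ("Tweety", "bird")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pet (name TEXT, kind TEXT)")
    con.executemany("INSERT INTO pet VALUES (?, ?)", PETS)
    return con


def find_pet_concat(con, user_input):
    # The anti-pattern: external input pasted into a powerful API (SQL).
    # The query text now depends on the input, so a quote in the input
    # changes the grammar of the statement instead of being data.
    s = "SELECT name, kind FROM pet WHERE pet.name = '" + user_input + "'"
    return con.execute(s).fetchall()


def find_pet_param(con, user_input):
    # Parameterized: the query text is fixed; the driver passes the input
    # as a value (sqlite3 uses '?' where the slide uses '@name').
    s = "SELECT name, kind FROM pet WHERE pet.name = ?"
    return con.execute(s, (user_input,)).fetchall()


def concat_breaks(con, user_input):
    # True when the concatenated query no longer parses for this input.
    try:
        find_pet_concat(con, user_input)
        return False
    except sqlite3.OperationalError:
        return True


# Defense in depth (slide 10): an allowlist of what a pet name may look like.
# Hypothetical pattern: a letter followed by up to 39 letters, quotes, spaces or dashes.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def validate_name(user_input):
    if NAME_RE.fullmatch(user_input) is None:
        print("secLog: reject pet name input %r" % user_input)  # stands in for secLog(...)
        return False
    return True


def lookup(con, user_input):
    # Validation narrows the input; parameterization makes the query safe regardless.
    if not validate_name(user_input):
        raise ValueError("rejected input")
    return find_pet_param(con, user_input)
```

A legitimate name with an apostrophe passes the allowlist yet still breaks the concatenated query, which is why validation is the second layer and not the first.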
11. Summary
• Most common security coding vulns are variants of the same anti-pattern
• Use easy safe-by-design API
  – Entity & Criteria API – SQLi is hard =)
• Fear String.Concat
  – String operations are the mother of all evil
  – Parameterize if you must stick to text!
• Defend in Depth!
  – The anti-pattern can also be broken by input validation.