Successfully reported this slideshow.

The Anti pattern

0

Share

Aug. 05, 2013
0 likes 444 views
Upcoming SlideShare
Intro to Python
Intro to Python
Loading in …3
×
1 of 13
1 of 13

The Anti pattern

Aug. 05, 2013
0 likes 444 views

0

Share

Download to read offline

Technology Lifestyle

Most common application security vulnerabilities are more or less variants on the same thing - "the anti pattern". The anti pattern is typically: 1 - an externally supplied input, and 2 - a powerful API operating directly on input supplied by previously mentioned input. The big point of the presso was to highlight why Criteria API (and Parameterized Queries if Criteria style APIs are not available) are to be used.
Presented at Opkoko 2012.

Most common application security vulnerabilities are more or less variants on the same thing - "the anti pattern". The anti pattern is typically: 1 - an externally supplied input, and 2 - a powerful API operating directly on input supplied by previously mentioned input. The big point of the presso was to highlight why Criteria API (and Parameterized Queries if Criteria style APIs are not available) are to be used.
Presented at Opkoko 2012.

Technology Lifestyle

Recommended

More Related Content

Featured

Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer
Study: The Future of VR, AR and Self-Driving Cars
LinkedIn
Shorter ER Wait Times
Knowledge@Wharton
Asia's Artificial Intelligence Agenda. MIT Technology Review
Alexander Jarvis
Martin Luther King's Pearl Of Wisdom!
SurveyCrest
Teaching Students with Emojis, Emoticons, & Textspeak
Shelly Sanchez Terrell
Inaugural Addresses
Booz Allen Hamilton
How to think like a startup
Loic Le Meur

Related Books

Free with a 14 day trial from Scribd

See all
Now What?: How to Move Forward When We're Divided (About Basically Everything) Sarah Stewart Holland
(3.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
The Art of War Sun Tsu
(3/5)
Free
Decluttering at the Speed of Life: Winning Your Never-Ending Battle with Stuff Dana K. White
(4.5/5)
Free
The 7 Habits of Highly Effective People Stephen R. Covey
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The unBalanced Life: 10 Principles for a More Balanced Life Pierre Quinn
(3.5/5)
Free
The Four Keys to Sustainable Success Patricia Grabarek PhD
(4.5/5)
Free
Be the Love: Seven Ways to Unlock Your Heart and Manifest Happiness Sarah Prout
(0/5)
Free
Radical Confidence: 10 No-BS Lessons on Becoming the Hero of Your Own Life Lisa Bilyeu
(5/5)
Free
The Mom Friend Guide to Everyday Safety and Security: Tips from the Practical One in Your Squad Cathy Pedrayes
(3/5)
Free
Plays Well with Others: The Surprising Science Behind Why Everything You Know About Relationships is (Mostly) Wrong Eric Barker
(5/5)
Free
Speak: Find Your Voice, Trust Your Gut, and Get From Where You Are to Where You Want To Be Tunde Oyeneyin
(5/5)
Free
Courage and Crucibles: Leadership in Challenging Times Pierre Quinn
(5/5)
Free
Do You Know Who I Am?: Battling Imposter Syndrome in Hollywood Jeremy Fall
(4/5)
Free
Life Lessons Harry Potter Taught Me: Discover the Magic of Friendship, Family, Courage, and Love in Your Life Jill Kolongowski
(3/5)
Free
Self-Help for the Helpless: A Beginner's Guide to Personal Development, Understanding Self-care, and Becoming Your Authentic Self Shelley Wilson
(4.5/5)
Free
Mindset Shifts: Embracing a Life of Personal Growth Tara Omorogbe
(4.5/5)
Free
One Degree of Connection: Networking Your Network Laura Mignott
(4/5)
Free
Stress and Stressors: Avoiding and Managing Stress and Burnout at Work Brandy Payne
(3.5/5)
Free
Full Out: Lessons in Life and Leadership from America's Favorite Coach Monica Aldama
(4/5)
Free
How to Host a Viking Funeral: The Case for Burning Your Regrets, Chasing Your Crazy Ideas, and Becoming the Person You're Meant to Be Kyle Scheele
(5/5)
Free

The Anti pattern

  1. 1. The Anti-Pattern input = GET[ “username” ] statement = “code “ + input execute( statement )
  2. 2. The Anti-Pattern • sql • ldap • eval • response.write • file.open • reflection • control.the.computer INPUT EXECUTE
  3. 3. Anti-Anti Patterns
  4. 4. Code not Text! Text query languages suck. Critera & Entity API: WIN
  5. 5. Code not Text Root<Pet> pet = cq.from(Pet.class) cq.where(cb.equals(pet.get(Pet_.name), input)) s = “SELECT FROM pet WHERE pet.name =“ + input executeSQL( s )
  6. 6. Fear String.Concat Parameterized Queries: use wildcards instead of concatenating user input
  7. 7. Remove String.Concat s = “SELECT FROM pet WHERE pet.name = @name“ ps = prepare( s ) ps.bind(“@name”, input) s = “SELECT FROM pet WHERE pet.name =“ + input executeSQL( s )
  8. 8. Defense in depth
  9. 9. INPUT EXECUTE GUARD Exception
  10. 10. Defense in Depth input = GET[ “username” ] if (whitelist.bad( input )) { secLog(“reject…”) throw new Exception() }
  11. 11. Summary • Most common security coding vulns are variants of the same anti-pattern • Use easy safe-by-design API – Entity & Criteria API – SQLi is hard =) • Fear String.Concat – String operations are the mother of all evil – Parameterize if you must stick to text! • Defend in Depth! – The anti-pattern can also be broken by input validation.

×