Uploaded byshyamsesh
PPTX, PDF169 views

Demystifying Web Application Security - JSFoo 2018

The document presents an overview of application security, discussing various threats such as XSS, CSRF, and basic principles of trust in web applications. It emphasizes the importance of secure data transmission, proper access control, and the need for regular updates and audits to safeguard application integrity. The discussion also highlights the critical role of developers in maintaining security standards amid evolving vulnerabilities.

Technology
Related topics:
Information Security

Embed presentation

Download to read offline
Demystifying Application Security Shyam Seshadri
Today’s Agenda • XSS (Cross Site Scripting) • CSRF (Cross Site Request Forgery) • JSON Attacks • Click-jacking • Click-baiting • PTSD • RSS • …
THIS IS WHY IT IS HARD TO START LEARNING ABOUT (WEB) SECURITY!
The Real Agenda. • Evolution of security • Understanding the real threat • Attack vectors • Thinking about security
About Me What I doWhat I’ve done What I’ve written
Life before the internet!
Web 1.0 • Server security all that mattered • Standards – XSS – CSRF • We just started figuring these out when…
Web 2.0
JS Explosion!! • Everything that used to be the realm of the server is now being done on the client • Routing • Business Logic • Access Control (Gasp!!)
Framework Developers!
Whose job is Security anyway?
Where’s the threat?
The real threat!
Possible security exploits • OWASP Top 10 • But what about the others? • A new exploit almost every other day • So how do you deal with this?
It starts with trust
Would you trust him?
Would you trust him?
But what if??
Fundamental Rule of Security Be like Mad-Eye Moody!
Think Attack Vectors! TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Fundamental rule of security • Never trust! – Especially the client and user input! • Question every data element – and it’s source – and how it’s transmitted – and how it’s stored – Err on the side of caution • Role / User Based Access Control a must on the server!
My corollary Convenience / laziness is the simplest path to security hell!
Convenience – the pathway to hell
Let’s talk about trust TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Thinking about trust • Source? • Mutable or pristine? • Impact of trusting?
Identity in Web Apps
Securing Identity in Web Apps • Login – Only time to ask the client who they are – Even then? • Post that – Trust the server generated session id or token, not the user • Don’t forget – Check Authentication – Check Authorization • Don’t believe the client
Transmission TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Secure transmission in web apps • Either you reinvent HTTPS on the client and your server – Build your crazy cryptographic solution – That resides on the client… • or just use HTTPS! • And don’t let JS and HTTP read your cookies! – Use secure, httpOnly cookies! Every non-secure transmission is a leak waiting to happen!
Storage TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Securing data in web apps • How and what? – Transient or Stored? – Uniquely identifiable? – Needed or convenient? • Where? – On the client – On the server – Impact of leakage of the data? – Not all data is created equal • Access?
Cryptography TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Cryptography Don’t reinvent the wheel!
Credentials TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Credentials • Are your DB / AWS / XYZ credentials – Hard-coded in your code? – Checked in to your version control? – Provided to even the janitor at your company? • You are doing it wrong! • Never checked in! • Rotate credentials! • Need to know basis! – And no one needs to know!
Updates & Libraries TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Updates • Don’t wait for a mandatory, forced upgrade • Make it hygiene • Smaller, regular updates easier than forced, large updates
Audit Logs TrustTransmission Storage Cryptography Credentials & Access Outdated / vulnerable libraries Audit logs
Audit Logs • It’s too late by the time you need it! • Trustworthy? • Comprehensive?
Your cheatsheet • Ask yourself this – Do I trust this data from the server / client? – Do I need this entire data to be sent to the client or only a part of it? – Can this user actually perform this action on this resource? – Should I persist this data in the client? – Is it being securely transmitted? – Is it stored securely? – Using the right / latest libraries?
Thank you Any Questions?

More Related Content

PPTX
Continuous Integration and Quality Development
byGareth Davies
 
PPTX
ZeroNights2013 testing of password policy
byAnton Dedov
 
PPTX
Consuming REST in .NET
byAaron Stannard
 
PDF
Webinar: Security Mindset for WordPress
byWP Engine
 
PPTX
2013 michael coates-javaone
byMichael Coates
 
PPTX
Secure rest api on microservices vws2016
byQuý Nguyễn Minh
 
PPTX
Your Web Application Is Most Likely Insecure
byAchievers Tech
 
PDF
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
Continuous Integration and Quality Development
byGareth Davies
 
ZeroNights2013 testing of password policy
byAnton Dedov
 
Consuming REST in .NET
byAaron Stannard
 
Webinar: Security Mindset for WordPress
byWP Engine
 
2013 michael coates-javaone
byMichael Coates
 
Secure rest api on microservices vws2016
byQuý Nguyễn Minh
 
Your Web Application Is Most Likely Insecure
byAchievers Tech
 
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 

What's hot

PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PPTX
Content Security Policy ByPass
byPawanJaiswal39
 
PPTX
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
PPTX
Badass Microservices - deploy, build & scale your apps with Payara Micro
byPayara
 
PDF
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
PDF
Secure Web Services
byRob Daigneau
 
PPTX
JavaEE Microservices -the Payara Way
byPayara
 
PPTX
Securing the Heart of Automated Infrastructure
byjamfish728
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
PPTX
AWS Security Strategy
by2nd Sight Lab
 
PPTX
Grokking microservices in 5 minutes
byAndrew Siemer
 
PPTX
Security guidelines
bykarthz
 
PDF
WordPress Security Basics
byRyan Plas
 
PDF
Jobvite: A Holistic Approach to Security
byTheodore Kim
 
PPTX
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
TDD a REST API With Node.js and MongoDB
byValeri Karpov
 
PDF
Web hackingtools 2015
byColdFusionConference
 
Devbeat Conference - Developer First Security
byMichael Coates
 
Content Security Policy ByPass
byPawanJaiswal39
 
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
Badass Microservices - deploy, build & scale your apps with Payara Micro
byPayara
 
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
Secure Web Services
byRob Daigneau
 
JavaEE Microservices -the Payara Way
byPayara
 
Securing the Heart of Automated Infrastructure
byjamfish728
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
AWS Security Strategy
by2nd Sight Lab
 
Grokking microservices in 5 minutes
byAndrew Siemer
 
Security guidelines
bykarthz
 
WordPress Security Basics
byRyan Plas
 
Jobvite: A Holistic Approach to Security
byTheodore Kim
 
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
TDD a REST API With Node.js and MongoDB
byValeri Karpov
 
Web hackingtools 2015
byColdFusionConference
 

Similar to Demystifying Web Application Security - JSFoo 2018

PPT
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPTX
00. introduction to app sec v3
byEoin Keary
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PPT
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Web Application Security Testing Guide | Secure Web Apps
bydigitaljignect
 
PDF
Crash Course In Brain Surgery
bymorisson
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PPTX
Top web apps security vulnerabilities
byAleksandar Bozinovski
 
PPTX
How to Test for The OWASP Top Ten
bySecurity Innovation
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
PDF
C01461422
byIOSR Journals
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PPTX
State of the information security nation
bySensePost
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PPTX
Application Security - Myth or Fact Slides
bydfgrumpy
 
PPTX
Hackers versus Developers and Secure Web Programming
byAkash Mahajan
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PPTX
CyberSecurityppt. pptx
byiamayesha2526
 
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
00. introduction to app sec v3
byEoin Keary
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
Sql securitytesting
byThilak Pathirage -Senior IT Gov and Risk Consultant
 
Web Application Security Testing Guide | Secure Web Apps
bydigitaljignect
 
Crash Course In Brain Surgery
bymorisson
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Top web apps security vulnerabilities
byAleksandar Bozinovski
 
How to Test for The OWASP Top Ten
bySecurity Innovation
 
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
C01461422
byIOSR Journals
 
Owasp top 10_openwest_2019
bySean Jackson
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
State of the information security nation
bySensePost
 
OWASP Top Ten in Practice
bySecurity Innovation
 
Application Security - Myth or Fact Slides
bydfgrumpy
 
Hackers versus Developers and Secure Web Programming
byAkash Mahajan
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
CyberSecurityppt. pptx
byiamayesha2526
 

Recently uploaded

PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PPTX
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PPTX
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PPTX
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 

Demystifying Web Application Security - JSFoo 2018

Editor's Notes

  • #8 Physical security all that mattered!
  • #29 Do you trust the provider of the identity?