“With great power comes great responsibility”* *nb: not actual quote - Uncle Ben flickr.com/photos/ilcello
Who are you? Christian Frichot flickr.com/photos/lwr flickr.com/photos/jmilles
What are you on about?
flickr.com/photos/jurvetson
flickr.com/photos/meg
flickr.com/photos/muehlinghaus
flickr.com/photos/purpleslog
flickr.com/photos/pixelfrenzy
flickr.com/photos/kogakure
flickr.com/photos/elfsternberg
flickr.com/photos/a_mason
flickr.com/photos/rzrxtion
flickr.com/photos/bahkubean
flickr.com/photos/kevinsteele
flickr.com/photos/helfyland
flickr.com/photos/meg
flickr.com/photos/fbouly
One out of every 11 minutes online is spent social networking
“ The most recent figures from Hitwise show Facebook secured 7.07% of hits in the United States during the week ending March 13.”
flickr.com/photos/alancleaver
 
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
flickr.com/photos/sebastiagiralt
flickr.com/photos/herry
flickr.com/photos/23905174@N00
Source: Javelin Strategy & Research 2010 Identity Fraud Survey Report
flickr.com/photos/hmvh
flickr.com/photos/negatyf
(Ab)use case - example
flickr.com/photos/8363028@N08
Scenario: an Admin, the Internet, and an internal management interface reachable over HTTPS. The attack is cross-site request forgery (CSRF).
1. Login. The Admin authenticates to the management interface: POST /Admin/Login.aspx HTTP/1.1 with Username=admin&password=T0ps3cr3t. From here on the Admin's browser holds a credential for that host (a session cookie, or as in step 5 an HTTP Basic Authorization header) and attaches it to every request it makes there, whatever triggered the request.
2. Browse the Net.
3. Check mail. The management interface is CSRF-able: its actions are reachable by a plain GET and carry nothing that ties a request to a page the Admin actually submitted.
4. Receives mail from an ex-employee.
5. Automatic, unauthorised request. The mail embeds <img src="https://10.0.0.10/Admin/Shutdown.aspx?t=now" />. Rendering it makes the Admin's browser send GET /Admin/Shutdown.aspx?t=now HTTP/1.1 with Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== attached automatically. The ex-employee never needs the password; the browser supplies the credential.
6. No more SAN.
flickr.com/photos/soloflight
Recommendations
flickr.com/photos/tambako
flickr.com/photos/delhaye
flickr.com/photos/sarflondondunc
http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
 
 
flickr.com/photos/fabiogis50
flickr.com/photos/markop
www.owasp.org
flickr.com/photos/st3f4n
flickr.com/photos/kolya
 
Authenticator interface (OWASP ESAPI)
AccessController interface
HTTPUtilities interface
flickr.com/photos/st3f4n
flickr.com/photos/onkel_wart
flickr.com/photos/sophistechate
flickr.com/photos/dalbera

Barcamp Perth 4.0 Web Security

Editor's Notes

  1. With Great Power Comes Great Responsibility… &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/ilcello/3000073881/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/ilcello/&amp;quot;&gt;http://www.flickr.com/photos/ilcello/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&amp;quot;&gt;CC BY-NC-ND 2.0&lt;/a&gt;&lt;/div&gt; http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22
  2. Who is this guy?, I hear you thinking.. Well. Hi, I’m Christian Frichot and I’m VERY happy to be presenting here this morning. By Night I’m a drummer, by day I’m an information security specialist for a Bank and I’m 100% geek. (I’m not in management and still try and get my hands dirty as much as I can) &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/lwr/2728818878/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/lwr/&amp;quot;&gt;http://www.flickr.com/photos/lwr/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&amp;quot;&gt;CC BY-NC-SA 2.0&lt;/a&gt;&lt;/div&gt; &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/jmilles/319926762/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/jmilles/&amp;quot;&gt;http://www.flickr.com/photos/jmilles/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  3. But what am I on about?
  4. Well I’ll be talking about the Internet… &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/jurvetson/916142/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/jurvetson/&amp;quot;&gt;http://www.flickr.com/photos/jurvetson/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  5. .. web applications.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/meg/3537830117/in/set-72157618229062033/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/meg/&amp;quot;&gt;http://www.flickr.com/photos/meg/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&amp;quot;&gt;CC BY-NC-SA 2.0&lt;/a&gt;&lt;/div&gt;
  6. And Security.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/muehlinghaus/241755891/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/muehlinghaus/&amp;quot;&gt;http://www.flickr.com/photos/muehlinghaus/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&amp;quot;&gt;CC BY-NC-ND 2.0&lt;/a&gt;&lt;/div&gt;
  7. Well.. Web Application security specifically. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/purpleslog/2880224058/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/purpleslog/&amp;quot;&gt;http://www.flickr.com/photos/purpleslog/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  8. Before I begin though I need to let you know that I’m probably less of a “hacker” (()) than most of you.. Whilst I still develop a bit, my current role only gives me freedom to tinker and help build process improving tools..so that’s a bit of…. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/pixelfrenzy/3772504547/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/pixelfrenzy/&amp;quot;&gt;http://www.flickr.com/photos/pixelfrenzy/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&amp;quot;&gt;CC BY-NC-SA 2.0&lt;/a&gt;&lt;/div&gt;
  9. Django…. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/kogakure/2225768345/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/kogakure/&amp;quot;&gt;http://www.flickr.com/photos/kogakure/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-sa/2.0/&amp;quot;&gt;CC BY-SA 2.0&lt;/a&gt;&lt;/div&gt;
  10. Perl.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/elfsternberg/4198688510/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/elfsternberg/&amp;quot;&gt;http://www.flickr.com/photos/elfsternberg/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&amp;quot;&gt;CC BY-NC-ND 2.0&lt;/a&gt;&lt;/div&gt;
  11. And Linux misc shhhhtuff.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/a_mason/4021444/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/a_mason/&amp;quot;&gt;http://www.flickr.com/photos/a_mason/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  12. First though lets talk about the Internet.. It’s ubiquitous, it’s enormous, it’s cute (()). &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/rzrxtion/2698016803/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/rzrxtion/&amp;quot;&gt;http://www.flickr.com/photos/rzrxtion/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  13. Really.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/bahkubean/549310317/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/bahkubean/&amp;quot;&gt;http://www.flickr.com/photos/bahkubean/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-nd/2.0/&amp;quot;&gt;CC BY-NC-ND 2.0&lt;/a&gt;&lt;/div&gt;
  14. Damn… &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/kevinsteele/533314156/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/kevinsteele/&amp;quot;&gt;http://www.flickr.com/photos/kevinsteele/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nd/2.0/&amp;quot;&gt;CC BY-ND 2.0&lt;/a&gt;&lt;/div&gt;
  15. Cute. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/helfyland/644620280/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/helfyland/&amp;quot;&gt;http://www.flickr.com/photos/helfyland/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nd/2.0/&amp;quot;&gt;CC BY-ND 2.0&lt;/a&gt;&lt;/div&gt;
  16. And it’s FILLED with these.. Web applications.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/meg/3537830117/in/set-72157618229062033/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/meg/&amp;quot;&gt;http://www.flickr.com/photos/meg/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nc-sa/2.0/&amp;quot;&gt;CC BY-NC-SA 2.0&lt;/a&gt;&lt;/div&gt;
  17. Lets not even mention this guy. NetNeilsen’s have reported on the fact that “Social Networking was the global phenomena of 2008” .. 2008.. That was ages ago now.. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/fbouly/3568409530/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/fbouly/&amp;quot;&gt;http://www.flickr.com/photos/fbouly/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by-nd/2.0/&amp;quot;&gt;CC BY-ND 2.0&lt;/a&gt;&lt;/div&gt;
  18. You remember what happened in 2008?
  19. “ Two Thirds of the world’s Internet population visit social networking or blogging sites” Back then Social networking use to consume 1 in every 15 minutes of global Internet time. (()) Now it’s 1 in every 11.
  20. And then the other week Facebook overtook Google as the most hit website… http://www.smartcompany.com.au/internet/20100318-how-facebook-overtook-google-in-the-us-and-why-your-business-needs-to-act.html
  21. .. And where there are people – there is crime. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/alancleaver/4121423119/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/alancleaver/&amp;quot;&gt;http://www.flickr.com/photos/alancleaver/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  22. In the old days cybercrime was very different.. Crackers were toying with exploitation of web servers for infamy. Usually leading to Defacement. Initially these attackers displayed a degree of “technical skill”.
  23. Things changed as the malware and exploitation industry matured.. Everything started to become available as “Kits” Mpack is one such web exploitation kit that could cost anywhere between $500 – 1000 US and is used to inject malicious code into web pages, either by iframes or PDFs or whatever – install keyloggers, or whatever the user wanted. Soon there was IcePack, FirePack, Traffic Pro and more. This screenshot is of the MPack management interface, so the implementers of the kit could monitor how many PCs they were infecting. http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/20/Mpack.JPG
  24. Whilst MPack was focusing on how to put malicious payloads onto computers, the other end of the malware world was also advancing. The Zeus malware, sometimes called a botnet, is a really nasty keylogger that is well known for evading anti virus and being one of the most effective bank targetting keyloggers out there.. What was happening was the consumerisation of malware construction, maintenance, deployment and implementation This decreased the technical skills required to perform complicated attacks. This is where terms like Script Kiddies and that would come from, people who didn’t necessarily have the knowledge to perform an attack, but knew how to use the tool. http://www.flickr.com/photos/sebastiagiralt/2251661156/
  25. The attackers started to realise that there was a lot of money to be made, not just by installing keyloggers but by stealing peoples identities. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/herry/3321548259/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/herry/&amp;quot;&gt;http://www.flickr.com/photos/herry/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
  26. ID theft can lead to all sorts of impacts on consumers: - Using your credit card details - Opening of bank accounts - Taking out loans - Conducting business under your names. Now I know that ID theft is a misnomer because it’s impossible to steal an identity, so it’s often interchanged with identity fraud. There are numerous types including, not just the typical type to gain access to funds but: - Business/commercial identity theft – to use a business name to obtain credit - Criminal identity fraud – if you pose as another when apprehended for a crime - medical identity theft – to obtain access to medicare or drugs. &lt;div xmlns:cc=&amp;quot;http://creativecommons.org/ns#&amp;quot; about=&amp;quot;http://www.flickr.com/photos/23905174@N00/1594411528/&amp;quot;&gt;&lt;a rel=&amp;quot;cc:attributionURL&amp;quot; href=&amp;quot;http://www.flickr.com/photos/23905174@N00/&amp;quot;&gt;http://www.flickr.com/photos/23905174@N00/&lt;/a&gt; / &lt;a rel=&amp;quot;license&amp;quot; href=&amp;quot;http://creativecommons.org/licenses/by/2.0/&amp;quot;&gt;CC BY 2.0&lt;/a&gt;&lt;/div&gt;
27. Some statistics on ID theft in Australia: in 2008 about 23% of the population was affected.
28. In 2009, 26% were affected.
29. The cost of ID theft to Australia is reported to be 3.5 billion dollars annually.
  30. Another interesting statistic
31. But what has this got to do with the web apps I’m building? More often than not, malicious content that makes its way onto the Internet is not legitimately purchased by the attackers. You think they buy a Slicehost Virtual Private Server and host their nasties on there? Supposedly 80% of all phishing sites are hosted on legitimate websites through compromise. Web application vulnerabilities lead to hijacking of legitimate content, for example through the use of file injection attacks. http://www.flickr.com/photos/hmvh/58185411/ (CC BY-SA 2.0)
32. But what if I’m only developing internal apps? Particular types of vulnerabilities thrive in perimeterised networks. http://www.flickr.com/photos/negatyf/361668397/ (CC BY-NC-SA 2.0)
  33. Back in 2006 Jeremiah Grossman of WhiteHat Security presented on some of the things that can be done from the Internet against Internal networks through the browser, including: … Everything is web-enabled now. The perimeter is diminishing.
34. For example, Cross Site Request Forgery attacks. Before I continue I’ll explain what cross site request forgery, or CSRF, attacks are. Simply put, a system vulnerable to this will change its state upon the receipt of a request, without any sort of verification (except for the automatically included authentication tokens such as cookies or Authorization HTTP headers).
35. This is the definition from Wikipedia.
36. If Bob’s bank keeps his authentication information in a cookie, and the cookie hasn’t expired, then the attempt above to load the image will submit the withdrawal form with this cookie, thus authorising the transaction without Bob’s approval.
37. This type of attack is known as a “confused deputy attack”. The deputy in the example is Bob’s web browser, which is confused into misusing Bob’s authority at Mallory’s direction. http://www.flickr.com/photos/8363028@N08/4209230521/
38. So let’s get back to our example.
39. Let’s set the scene. Here we have a really typical environment: an admin who sits on an internal network, segmented off from the Internet via all sorts of good stuff like firewalls and the like. And on this internal network is the management interface for, let’s say, their storage system, their SAN.
40. The admin gets to work, opens a browser and logs into the interface on his SAN. The system is just using HTTP Basic authentication, but even internally it’s over HTTPS, so those credentials are protected from eavesdropping.
41. The status on the SAN looks fine, so he then does what he normally does and opens up a bunch of tabs to browse around the sites he normally visits.
42. Maybe this company uses webmail for their corporate mail.
43. I can’t remember if I mentioned that this interface here is susceptible to cross-site request forgeries, which means it will change its state upon the receipt of a request, without any sort of verification.
44. So our admin sees there is an email from an ex-employee and opens it up, and within it there is an embedded <img> tag.
45. Because his browser had previously authenticated, when it submits this IMG request in the form of an HTTP GET to the management interface, it includes the Authorization header.
46. Voilà.
47. You’re probably wondering whether or not these actually happen. 1. 2009: Moot, the twenty-something founder of 4chan, becomes “the world’s most influential person in government, science, technology and the arts”. 2. Mikeyy Mooney uses a combination of CSRF and XSS to get numerous people tweeting about his site, StalkDaily. 3. 2008: a trojan utilises CSRF to modify the DNS server configuration of popular routers.
48. But don’t give up hope. There are some good recommendations to help reduce the likelihood of this attack. http://www.flickr.com/photos/soloflight/3010505750/
49. 1. Although POSTs can also be automated via ActionScript, JavaScript, etc. 2. It’s generally accepted that including a random nonce, or parameter, in the request and verifying it against session data is effective, because an attacker is unlikely to know to include this “parameter” in their forged request.
50. Confusing? Well, I just think about all the legacy code out there and how little chance those developers would have had of knowing what to do about these types of issues. http://www.flickr.com/photos/tambako/3593686294/
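The two recommendations, applied to the SAN shutdown endpoint from the scenario above. This is an added example, not code from the talk or from ESAPI; it assumes the first recommendation is to require POST for state changes, and it models the admin's login as a session cookie rather than the Basic Authorization header, since both are attached automatically by the browser and the nonce check is the same either way.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Issue a session id (sent back as a cookie) and a per-session CSRF nonce."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid):
    """Nonce the server embeds in its own forms; a cross-origin page cannot read it."""
    return SESSIONS[sid]["csrf"]


def shutdown_vulnerable(method, params, cookies):
    """The CSRF-able handler from the slides: any authenticated request is honoured."""
    if cookies.get("sid") not in SESSIONS:
        return 401
    return 200          # shutdown performed, whoever caused the browser to send it


def shutdown_protected(method, params, cookies):
    """Same endpoint with both recommendations applied."""
    sid = cookies.get("sid")
    if sid not in SESSIONS:
        return 401
    if method != "POST":
        return 405      # a GET triggered by an <img> tag can no longer change state
    supplied = params.get("csrf", "")
    expected = SESSIONS[sid]["csrf"]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403      # right cookie, missing or wrong nonce: treat as forged
    return 200


def scenario():
    """Replay the slide's scenario against both handlers; returns the status codes."""
    sid = login("admin")
    browser_cookies = {"sid": sid}                             # attached automatically
    forged_img_get = ("GET", {"t": "now"}, browser_cookies)    # the ex-employee's <img>
    forged_post = ("POST", {"t": "now"}, browser_cookies)      # auto-submitted form
    genuine = ("POST", {"t": "now", "csrf": csrf_token(sid)}, browser_cookies)
    return {
        "vulnerable_img": shutdown_vulnerable(*forged_img_get),
        "protected_img": shutdown_protected(*forged_img_get),
        "protected_forged_post": shutdown_protected(*forged_post),
        "protected_genuine": shutdown_protected(*genuine),
    }
```

Only the request the server itself rendered carries the nonce, so the forged GET is refused on method and the forged POST on the missing token.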
51. When web development firms started to take their application security seriously, they used to have to bring in penetration testers, or security testers, to validate their systems at the end of the development lifecycle. These are typically known as... http://www.flickr.com/photos/delhaye/2276967083/ (CC BY-NC-ND 2.0)
52. Breakers. http://www.flickr.com/photos/sarflondondunc/630250409/ (CC BY-NC-ND 2.0)
  53. It is commonly recognised that this is the most expensive time to rectify security faults. http://www.microsoft.com/security/sdl/benefits/costeffective.aspx
54. Security therefore becomes much cheaper and more effective during the earlier stages of the lifecycle: the requirements gathering, design and development phases. We like to think of people who assist security in the earlier phases as “builders”.
55. This shift is happening, which means that the responsibility for these issues is also changing. Perhaps to people like yourselves.
56. But don’t worry, the sky is NOT falling. There are a lot of resources out there. http://www.flickr.com/photos/fabiogis50/3749609312/ (CC BY-NC-SA 2.0)
57. Including OWASP, which unfortunately has nothing to do with wasps. http://www.flickr.com/photos/markop/1401429588/ (CC BY-NC-ND 2.0)
58. The Open Web Application Security Project is an “Open Community dedicated to enabling organisations and individuals to conceive, develop, acquire, operate and maintain applications that can be trusted”. Open... and security? I know that sounds like a...
59. Paradox. Historically, security seemed to be based on secrets and degrees of trust and clearance. We now generally acknowledge that security through obscurity... http://www.flickr.com/photos/st3f4n/4356185807/ (CC BY-NC-SA 2.0)
60. Just doesn’t work. http://www.flickr.com/photos/kolya/1307365789/ (CC BY-NC-SA 2.0)
61. So what does OWASP do? What’s it about?
  62. These projects include:
  63. The OWASP Guide – which “is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services.”
  64. The Software Assurance Maturity Model, or SAMM – which “is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. “ (If you’re interested in this look out for an upcoming Australian Information Security Association presentation)..
  65. The OWASP Top Ten, which “represents a broad consensus about what the most critical web application security flaws are”
  66. WebGoat which “is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons”
67. WebScarab, which “is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.”
  68. And finally the Enterprise Security API or ESAPI. The purpose is simple…
  69. ESAPI is NOT a framework, like Spring or Struts, it’s a set of foundational security controls.
70. To allow for language-specific differences, ESAPI is based on the following design principles.
71. These are the controls that are implemented, and here is an example using the ESAPI Locator class, which allows you to retrieve singleton instances of a particular control.
  72. This example shows utilising the input validator and output escaping to guard against SQL injection.
  73. To tie back to our previous example of our back end web management interface here are a few controls that ESAPI can bring. Including the Authenticator
74. Access controller. So with these two interfaces we no longer have to rely on HTTP Authorization headers.
  75. And CSRF tokens.
76. So where is the ESAPI project at the moment? Well, the Java version is up to version 2.0 release candidate 6, which means they’ve got a full reference implementation. PHP is well underway with a number of completed controls, but there are some yet to be done. .NET is at around version 0.2.1, but has implemented a number of controls. They’re also working on ColdFusion, Python, JavaScript, Haskell and Force.com. http://www.flickr.com/photos/st3f4n/2860706946/
77. So don’t re-invent the wheel, well, at least the security wheel. http://www.flickr.com/photos/onkel_wart/4038437003/
78. And don’t be concerned. http://www.flickr.com/photos/sophistechate/2758739495/
79. You guys are empowered to build new ways in which we can communicate. http://www.flickr.com/photos/dalbera/2738451853/
80. Just remember what Uncle Ben didn’t say :P