Beating the Pentester
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
PENTESTER

Boy Baukema
Senior Application Security Consultant

Adrian H.
Pentester

Adrian H.
Enemy nr. 1

Agenda
• Introduction
• Bare fists
• Baseball bats (Lucille)
• Assorted items
• Conclusions

Known Vulnerabilities

Attack: Known Vulnerabilities (the stack, top to bottom; every layer is an attack surface)
Your application / Other applications
Framework / (Composer) Libraries
PHP Interpreter
Webserver (Apache, Nginx) / Other services
Operating System

Top of the charts
https://snyk.io/blog/owasp-top-10-breaches/

Defense: Monitoring & patching
• Monitor security patches for third party software
• Be prepared to fix rapidly (DevOps)

Docker effect (with containers, every layer above the OS is yours to monitor and patch)
Your application
Your Framework / Your (Composer) Libraries
Your PHP Interpreter
Your Webserver (Apache, Nginx) / Your other services
Operating System

Injection

I blame Doug McIlroy, and so should you
"Write programs to handle text streams, because that is a universal interface."

Injection contexts around the APPLICATION (slide diagram, three groups):
• Output formats: Angular templates, Content, CSS, CSV, HTTP Header, HTML, JavaScript / JSON, URL, XML, …
• Backend systems: CSV, Database (ORM), File paths, HTTP, LDAP, Logs (syslog), Memcached, Shell, Solr, …
• In-process interpreters: Eval, Math, Sprintf, Regexp, …

Little bit of template code, many contexts

PHP, HTML, JS, URL (one value, four nested contexts)

Attack: Breaking out into the URL

Attack: Breaking out into JavaScript

Attack: Breaking out into HTML

Defense: Separation of Concerns & Contextual encoding ALAP
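One way to apply "contextual encoding ALAP" to the template slide's four nested contexts (PHP, HTML, JS, URL), as an added example that is not code from the slides; the function names and the sample value are constructed for this illustration, and it assumes PHP 7.3+ for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: one untrusted value rendered into the
// PHP > HTML > JS > URL contexts of the template slide, each encoded as late
// as possible (ALAP) with the encoder that belongs to that context.

/** HTML text and double-quoted attribute context. */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** JavaScript string-literal context inside an inline <script> element. */
function encodeJs(string $value): string
{
    // JSON_HEX_* turn < > & ' " into \uXXXX and "/" is escaped by default,
    // so the literal can never contain "</script>" or break out of its quotes.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** URL query-parameter context: percent-encode the whole component. */
function encodeUrlParam(string $value): string
{
    return rawurlencode($value);
}

/** A query parameter inside an href attribute: URL context first, then the enclosing HTML context. */
function encodeHrefParam(string $value): string
{
    return encodeHtml(encodeUrlParam($value));
}

/** The template: the raw value is only encoded at the point where it enters each context. */
function renderGreeting(string $untrustedName): string
{
    return sprintf(
        "<p title=\"%s\">Hello %s</p>\n"
        . "<a href=\"/search?q=%s\">search</a>\n"
        . "<script>var name = %s;</script>\n",
        encodeHtml($untrustedName),
        encodeHtml($untrustedName),
        encodeHrefParam($untrustedName),
        encodeJs($untrustedName)
    );
}

// Constructed input with characters that are special in every one of the contexts.
echo renderGreeting('O\'Neil & "Co" <3');
```

Note that the attribute in the template is double-quoted on purpose: an unquoted attribute is a fifth context that htmlspecialchars alone does not cover.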

Defense: Validate ASAP
• Does it have a datatype?
• Can it be of infinite length?
  – Does your storage impose size limits?
• Can it be any arbitrary byte?
  – Should it conform to a pattern?
  – Should it match a known value in the data storage?
  – Should it be UTF-8? Printable?
http://phpsecurity.readthedocs.io/en/latest/Input-Validation.html

Validate HTML Script content

Defense: Immutable Value Object
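An added example (not from the slides) of an immutable value object that runs the "Validate ASAP" checklist once, in its constructor, so that every later use of the value can trust it; the class name, the 64-byte limit and the allow-list pattern are assumptions, and it needs PHP 7.4+ with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: the "Validate ASAP" checklist applied once,
// at construction, by an immutable value object that the rest of the code can trust.
final class Username
{
    private const MAX_BYTES = 64;   // assumed storage column limit
    // Allow-list: lowercase letters, digits, . _ - ; anchored with \A and \z
    // (\z, unlike $, also rejects a trailing newline).
    private const PATTERN = '/\A[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?\z/';

    private string $value;

    private function __construct(string $value)
    {
        $this->value = $value;
    }

    public static function fromString(string $raw): self
    {
        // 1. Datatype: the string parameter type (with strict_types) rejects anything else.
        // 2. Length: bound it before any regex or storage sees oversized input.
        if (strlen($raw) === 0 || strlen($raw) > self::MAX_BYTES) {
            throw new InvalidArgumentException('username length out of range');
        }
        // 3. Arbitrary bytes: require well-formed UTF-8.
        if (!mb_check_encoding($raw, 'UTF-8')) {
            throw new InvalidArgumentException('username is not valid UTF-8');
        }
        // 4. Pattern: only allow-listed printable characters, over the whole string.
        if (preg_match(self::PATTERN, $raw) !== 1) {
            throw new InvalidArgumentException('username contains disallowed characters');
        }
        return new self($raw);   // no setters, no "with" methods: it cannot change afterwards
    }

    public function toString(): string
    {
        return $this->value;
    }

    public function equals(self $other): bool
    {
        return $this->value === $other->value;
    }
}

// Constructed inputs: the first is accepted, each of the others fails one checklist item.
foreach (['alice.b', str_repeat('a', 65), "alice\xff", "alice\n", 'Alice<b>'] as $raw) {
    try {
        echo Username::fromString($raw)->toString(), " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo addcslashes($raw, "\0..\37\177..\377"), ' rejected: ', $e->getMessage(), "\n";
    }
}
```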

So much more…

• OWASP Top 10
• OWASP Application Security Verification Standard (ASVS)
• OWASP Testing Guide
• MITRE Common Weakness Enumeration
• github.com/PaulSec/awesome-sec-talks
• https://h1.sintheticlabs.com/bounties.html

Training
• Basics:
  – Zend Certification
• Advanced:
  – OWASP
  – Security Vendor

Deprecated attacks
• NULL byte attacks
• JSON </script> injection
• XML External Entities
• Preg_match /e
• Remote File Inclusion
• HTTP Header injection

Improved features
• random_bytes
• password_hash
• htmlentities defaults
• Blade / Twig
• PSR-7 (vs $_ globals)
• PDO Prepared Statements

"If you know the pentester but not yourself, for every validation added you will also suffer a security bug."
― Sun Tzu

Non-functional requirements
• Accessibility
• Availability
• Backup
• Compliance
• Documentation
• Fun
• Maintainability
• Performance
• Platform compatibility
• Reporting
• Scalability
• Security
• Usability
wikipedia.org/wiki/Non-functional_requirement

Security Requirements

Security Grooming
• Security Champion

Quick and dirty threat modelling
1. What are you building?
2. What can go wrong?
3. What should you do about that?
4. Did you analyse that correctly?

What are we building?
"As a user I would like to reset my password if I have forgotten it."

What can go wrong? (STRIDE)
• Spoofing
• Tampering
• Repudiation
• Information leakage
• Denial of Service
• Elevation of Privilege

What should we do?
• … and did we analyse correctly?

Доверяй, но проверяй (Trust, but verify)
• Embedding security:
  – Code Review
  – Functional Testing
  – Unit testing
  – Security Testing (OWASP ASVS)
• Security tooling:
  – Static Application Security Testing (SAST)
  – Dynamic Application Security Testing (DAST)
  – Fuzzing
  – Manual Penetration Testing

Operations
• Password hygiene:
  – Password Manager
  – 2 Factor Authentication
  – Have I Been Pwned?
• PhishMe
• Encrypted storage
• Testing system recoveries
• Firewall

PENTESTER

PENTESTER

Thank You
joind.in/talk/f8142
veracode.com/demo

Images
• Brain by Nicholas Herdeman: https://www.flickr.com/photos/95943853@N00/17584291945/
• CCTV by Peter Hellberg: https://www.flickr.com/photos/peterhellberg/5119089864
• Doug McIlroy by Faces of Open Source: http://facesofopensource.com/doug-mcilroy/
• 125/365 Dolls in the Rain by Joe Lodge: https://www.flickr.com/photos/joe57spike/5690570945
