Code Review Reveals Security Flaws in 17k ColdFusion Files
Code Review
Richard Fuller, University of York
richard.fuller@york.ac.uk
The Problem
• 17,394 ColdFusion source files
• Many hacked together in place
• Variety of skilled and unskilled developers
  – Many of whom don’t work here anymore
• Mostly no test versions of the apps
  – Not allowed to poke production (unlike attackers)
OWASP Top 10
• Provides a focus for training and review
• Initial focus on:
  – Code execution
  – SQL injection
  – XSS
Methodology
• Track third-level directories in a huge Google Sheet
  – Owner
  – Reviewer
  – Most serious exploit
  – Status
• “Code Review” day
• No automated code review tools for ColdFusion, so…
Mechanical Turk
• Recruited students on the Cyber Security MSc
• Can quickly teach someone to spot flaws in ColdFusion
  – “ColdFusion for Pentesters”
  – “Deconstructing ColdFusion”
• Decidedly more challenging with complex Java apps
• Inability to recreate the environment
  – Makes fixing harder
What did we find?
• Arbitrary file upload
  – Additional misconfiguration allowing access to all web scripts and DB passwords
• 29 “apps” with SQL injection (mix of public and authenticated)
• 33 with XSS (mix of stored and reflected)
• A few “generate arbitrary e-mail” scripts
• Downloadable source code with passwords in (wrong extension, zip files, etc.)
• Username stored in cookies
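The review ran without a ColdFusion-aware static analyser, so reviewers were taught a handful of patterns to look for by hand. The script below is an added example, not part of the slides and not the University of York's tooling: a grep-grade Python triage scanner for the classes listed under "Initial focus on" and "What did we find?" (request data interpolated into `<cfquery>` outside a `<cfqueryparam>`, unencoded request data inside `<cfoutput>`, `evaluate()` or a `<cfinclude>`/`<cfmodule>`/`<cfexecute>` driven by request data, a username written with `<cfcookie>`, and backup or text files in the tree that contain `password=`), plus a `by_app` roll-up that yields the "most serious exploit" per directory for the tracking sheet. The regexes, the severity order, the scope list in `TAINT`, and the files under `SAMPLE_FILES` are all assumptions constructed for this example; a hit is a place for a human to read, not a confirmed vulnerability.

```python
"""Heuristic triage scanner for a ColdFusion (CFML) source tree: grep-grade, not a parser.
It points a reviewer at the spots that most often carry the flaws the review targeted; each
regex is an assumption about coding style, not proof of a flaw, so a person still reads every hit."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Request-controlled scopes (assumed list): anything interpolated from these is attacker input.
TAINT = r"(?:form|url|cgi|cookie)\.\w+"
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
CFOUTPUT_RE = re.compile(r"<cfoutput\b[^>]*>(.*?)</cfoutput>", re.I | re.S)
TAINT_INTERP_RE = re.compile(rf"#\s*({TAINT})\s*#", re.I)  # bare #url.x#; #encodeForHTML(url.x)# does not match
CODE_EXEC_RE = re.compile(  # evaluate() over request data, or a request-controlled cfinclude/cfmodule/cfexecute
    rf"\bevaluate\s*\([^)]*\b{TAINT}|<cf(?:execute|include|module)\b[^>]*#\s*{TAINT}\s*#", re.I)
USER_COOKIE_RE = re.compile(r'<cfcookie\b[^>]*\bname\s*=\s*"[^"]*user[^"]*"', re.I)
CRED_RE = re.compile(r"password\s*=", re.I)
BACKUP_SUFFIXES = {".bak", ".old", ".orig", ".txt", ".save"}  # a web server hands these out as plain text
SEVERITY = ["code-exec", "sqli", "exposed-credentials", "xss", "username-cookie"]  # worst first

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str

def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1

def scan_cfml(path, text):
    """Scan the contents of one .cfm/.cfc file; return Findings in source order."""
    found = []
    for m in CFQUERY_RE.finditer(text):
        body, base = m.group(1), m.start(1)
        safe = [(p.start(), p.end()) for p in CFQUERYPARAM_RE.finditer(body)]  # bound params are not injectable
        for t in TAINT_INTERP_RE.finditer(body):
            if not any(s <= t.start() < e for s, e in safe):
                found.append(Finding(path, _line_of(text, base + t.start()), "sqli", t.group(0)))
    for m in CFOUTPUT_RE.finditer(text):
        for t in TAINT_INTERP_RE.finditer(m.group(1)):
            found.append(Finding(path, _line_of(text, m.start(1) + t.start()), "xss", t.group(0)))
    for m in CODE_EXEC_RE.finditer(text):
        found.append(Finding(path, _line_of(text, m.start()), "code-exec", m.group(0).splitlines()[0]))
    for m in USER_COOKIE_RE.finditer(text):
        found.append(Finding(path, _line_of(text, m.start()), "username-cookie", m.group(0)))
    return sorted(found, key=lambda f: f.line)

def scan_tree(root):
    """Walk a tree: CFML files go through scan_cfml; stray backup/text files get a credential grep."""
    root, found = Path(root), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel, text = p.relative_to(root).as_posix(), p.read_text(errors="replace")
        if p.suffix.lower() in (".cfm", ".cfc"):
            found.extend(scan_cfml(rel, text))
        elif p.suffix.lower() in BACKUP_SUFFIXES or p.name.endswith("~"):
            m = CRED_RE.search(text)
            if m:
                found.append(Finding(rel, _line_of(text, m.start()), "exposed-credentials", m.group(0)))
    return found

def most_serious(findings):
    kinds = {f.kind for f in findings}
    return next((k for k in SEVERITY if k in kinds), None)

def by_app(findings, depth=2):
    """Worst finding kind per app, keyed by the first `depth` path components (one row per directory)."""
    apps = {}
    for f in findings:
        apps.setdefault("/".join(Path(f.path).parts[:depth]), []).append(f)
    return {app: most_serious(fs) for app, fs in apps.items()}

# Constructed sample tree; not code from any real application.
SAMPLE_FILES = {
    "apps/search/search.cfm": ('<cfquery name="q" datasource="people">\n  SELECT name FROM staff WHERE dept = \'#url.dept#\'\n'
                               "</cfquery>\n<cfoutput>Results for #url.dept#</cfoutput>\n"),
    "apps/profile/view.cfm": ('<cfquery name="q" datasource="people">\n  SELECT name FROM staff WHERE id = '
                              '<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">\n</cfquery>\n<cfoutput>#encodeForHTML(q.name)#</cfoutput>\n'),
    "apps/admin/run.cfm": '<cfset result = evaluate(url.expr)>\n<cfinclude template="#url.page#.cfm">\n',
    "apps/login/login.cfm": '<cfcookie name="username" value="#form.username#">\n',
    "apps/admin/Application.cfc.old": 'this.datasources["people"] = { username = "cfapp", password = "hunter2" };\n',
}

def demo():
    """Write the sample tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        for rel, text in SAMPLE_FILES.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_text(text)
        return scan_tree(d)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:20} {f.path}:{f.line}  {f.snippet}")
```

On a real tree, call `scan_tree("/path/to/webroot")` and paste `by_app()` into the sheet's "most serious exploit" column. The `apps/profile/view.cfm` sample is the pattern that produces no hits: a bound `<cfqueryparam>` on the query and `encodeForHTML()` on output, which is what the review asked owners to move to. The same `scan_tree` call can run inside the Jenkins job so that a new `code-exec` or `sqli` hit fails the build before it reaches a human reviewer.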
What will you find?
• Spoiler: it’s not going to be that different
Really serious stuff
• Disable code
• Fix web server config
Competent, responsible owner
• Give the owner a breakdown of the issues
• Offer them our training course
• Meet up with people
  – People start coming to you
Everything else
• Asking people to fix their code? No.
• Asking if we could fix their code? No.
• Promising to remove their code in two weeks? Sort of.
  – Surprisingly little resistance
  – Or consequence
Webapp Security Training
• Full-day course offered to developers across the University
• Theory and practical “hacking” exercises
  – DVWA running in VirtualBox
  – sqlmap
• Find out what languages are used in advance
Embedding code review
• Automated, continuous deployment with Jenkins
• Code review with Review Board
  – Helps get more developers familiar with the code
  – Gets two pairs of eyes on security
• Lightweight, but effective
Questions?
jisc.ac.uk
Contact
Richard Fuller
University of York
richard.fuller@york.ac.uk

 
RStrachanOct23.pptx
RStrachanOct23.pptxRStrachanOct23.pptx
RStrachanOct23.pptx
 
ISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptx
 
FerrellWalker.pptx
FerrellWalker.pptxFerrellWalker.pptx
FerrellWalker.pptx
 

Recently uploaded

MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersChitralekhaTherkar
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 

Recently uploaded (20)

MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of Powders
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 

Code Review Reveals Security Flaws in 17k ColdFusion Files

  • 2. Code Review
    Richard Fuller, University of York
    richard.fuller@york.ac.uk
  • 6. The Problem
    - 17,394 ColdFusion source files
    - Many hacked together in place
    - Variety of skilled and unskilled developers
      – Many of whom don’t work here anymore
    - Mostly no test versions
      – Not allowed to poke things (unlike attackers)
  • 7. OWASP Top 10
    - Provides a focus for training and review
    - Initial focus on:
      – Code execution
      – SQL injection
      – XSS
  • 8. Methodology
    - Track third level directories in a huge Google Sheet
      – Owner
      – Reviewer
      – Most serious exploit
      – Status
    - “Code Review” day
    - No automated code review tools for ColdFusion, so…
  • 10. Mechanical Turk
    - Recruited students on the Cyber Security MSc
    - Can quickly teach someone to spot flaws in ColdFusion
      – “ColdFusion for Pentesters”
      – “Deconstructing ColdFusion”
    - Decidedly more challenging with complex Java apps
    - Inability to recreate environment
      – Makes fixing harder
  • 11. What did we find?
    - Arbitrary file upload
      – Additional misconfiguration allowing access to all web scripts and DB passwords
    - 29 “apps” with SQL injection (mix of public and authenticated)
    - 33 with XSS (mix of stored and reflected)
    - A few “generate arbitrary e-mail” scripts
    - Downloadable source code with passwords in (wrong extension, zip files, etc.)
    - Username stored in cookies
  • 12. What will you find?
  • 13. What will you find?
    - Spoiler: It’s not going to be that different
  • 14. Really serious stuff
    - Disable code
    - Fix web server config
  • 15. Competent responsible owner
    - Let the owner know a breakdown of the issues
    - Offer them our training course
    - Meet up with people
      – People start coming to you
  • 16. Everything else
    - Asking people to fix their code? No.
    - Asking if we could fix their code? No.
    - Promising to remove their code in two weeks? Sort of.
      – Surprisingly little resistance
      – Or consequence
  • 17. Webapp Security Training
    - Full day course offered to developers across the University
    - Theory and practical “hacking” exercises
      – DVWA running in VirtualBox
      – sqlmap
    - Find out what languages are used in advance
  • 19. Embedding code review
    - Automated, continuous deployment with Jenkins
    - Code review with Review Board
      – Helps get more developers familiar with the code
      – Gets two pairs of eyes on security
    - Lightweight, but effective
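The deck notes that no automated review tooling existed for ColdFusion and that reviewers were taught to spot SQL injection and XSS by eye. As an added illustration (not the authors' code or tooling), here is a minimal heuristic scanner for the two patterns a reviewer would look for: `#...#` interpolation inside `<cfquery>` that does not pass through `<cfqueryparam>`, and request-scoped variables (`url`, `form`, `cgi`, `cookie`) echoed inside `<cfoutput>` without `encodeForHTML` or `HTMLEditFormat`. The two sample files are constructed for the example.

```python
import re

# Constructed sample ColdFusion sources (not from the original deck): one file
# with the flaws the review hunted for, one with the standard fixes applied.
SAMPLES = {
    "unsafe.cfm": (
        '<cfquery name="q" datasource="app">\n'
        '  SELECT * FROM users WHERE id = #url.id#\n'
        '</cfquery>\n'
        '<cfoutput>Hello #form.name#</cfoutput>\n'
    ),
    "safe.cfm": (
        '<cfquery name="q" datasource="app">\n'
        '  SELECT * FROM users WHERE id = '
        '<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">\n'
        '</cfquery>\n'
        '<cfoutput>Hello #encodeForHTML(form.name)#</cfoutput>\n'
    ),
}

CFQUERY_RE = re.compile(r"<cfquery\b.*?</cfquery>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I | re.S)
CFOUTPUT_RE = re.compile(r"<cfoutput\b.*?</cfoutput>", re.I | re.S)
INTERP_RE = re.compile(r"#([^#\n]+)#")          # any #expr# interpolation
TAINTED_RE = re.compile(r"^\s*(url|form|cgi|cookie)\.", re.I)  # request-controlled scopes
ENCODED_RE = re.compile(r"^\s*(encodeForHTML|HTMLEditFormat)\s*\(", re.I)


def review(source: str) -> list:
    """Return (issue, expression) pairs found in one CFML source string.

    This is a heuristic, not a parser: it will miss indirection (a tainted
    value copied into a local first) and can be fooled by compound expressions.
    """
    findings = []
    for query in CFQUERY_RE.findall(source):
        # Values passed through cfqueryparam are bound parameters, so drop
        # those tags before looking for interpolation pasted into the SQL.
        body = CFQUERYPARAM_RE.sub("", query)
        for expr in INTERP_RE.findall(body):
            findings.append(("sql-injection", expr.strip()))
    for block in CFOUTPUT_RE.findall(source):
        for expr in INTERP_RE.findall(block):
            if TAINTED_RE.match(expr) and not ENCODED_RE.match(expr):
                findings.append(("xss", expr.strip()))
    return findings


def review_all(files: dict) -> dict:
    """Map each file name to its findings, the shape a tracking sheet wants."""
    return {name: review(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, issues in review_all(SAMPLES).items():
        print(name, issues)
```

Running it reports `url.id` and `form.name` for `unsafe.cfm` and nothing for `safe.cfm`; pointing `review_all` at real `.cfm` files gives a first-pass worklist for human reviewers rather than a verdict.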

Editor's Notes

  1. Sometimes you feel like reviewing code, other times talking to people, can do the tasks at different times Have to be systematic Code review day worked well – stops it being put off, if everyone is working on it can bounce things off each other – makes it fun, sort of Can’t afford tools anyway There is an element of prioritisation, but the objective was to review everything – central and departmental
  2. Application allowing login by e-mail, and entry for blank e-mail address Terrible passwords everywhere Old code alongside new code
  3. Still the challenge of them finding the time to work on things
  4. One person took up our offer of fixing their code. Works for code you think is abandoned. Works for departmental stuff nobody cares about.
  5. Send VM image in advance. For some, their first exposure to SQL injection and XSS. Mixture of fear and excitement. Some people start hacking their own webapps by the end of the day – result. Benefits of engaging with people – find out what they’re working on.
  6. Peer review Main aim was actually getting rid of single points of failure – can sell it on that basis, or security Get security embedded
  7. Enterprise systems now using embedded code review process
  8. Can ask security for a code review too