DID with AOP
Utilizing Aspect Oriented Programming
for better application defense.
DISCLAIMERS
Disclaimer One
I make no guarantees about beard length. But a beard will always be attached to this sexy face!
IN OTHER WORDS DON’T COME CRYING TO ME ON TWITTER AND/OR OTHER SOCIAL NETWORKS THAT YOU MAY OR MAY NOT FIND ME ON!
Disclaimer Two
I curse, frequently… sorry…
Disclaimer Three
I don’t curse in the presence of my family, therefore I have brought my family with me so that I don’t have to curse in front of you.
Disclaimer Four
Opinions are my own. Advice provided with no warranty.
If you go back and implement an algorithm I told you to implement, you do so at your own risk.
IF YOU’RE READING AND/OR SEEING THIS, BEWARE
OH YEAH…. TWITTER… @NERDYBEARDO
https://www.nerdybeardo.com
THE NERDIEST OF BEARDOS
WHO’S THIS JERK ANYWAY!??
ARCHITECT
I create pretty diagrams so that business people can understand what you people are saying!
WANNABE SECURITY DUDE
I study cryptography and computer security for fun. Application security defender/practitioner since someone learned me about SQL injection!
DEVELOPER
Developer for most of my life, and the only job I’ve ever had!
HUSBAND/FATHER
Against all odds I’ve managed to stay married and pass on my genes (God help us all!)
CREDENTIALS
TOOK 11 YEARS TO GET A DEGREE
Yes! I finally got a degree!
I LIED
I HAVE ONE CERTIFICATION!!
… Certified Scrum Master
CERTIFICATIONS
// TODO: get certified in something
ALSO KNOWN AS
Scum Master
Dragon Master
WHY ARE WE HERE?
WHO ARE WE KIDDING…
HOW TO APPROACH THIS TALK
• This is not the solution to all your security
problems!
• Security does not always look “logical” but it
is!
• Look for defense strategies.
• Strategies are harder than implementation*!
• For developers
Defense In Depth
AS A MILITARY STRATEGY
SITUATION
Facing a superior fighting force in both resources and numbers.
FORMATION
Deploy military units, fortifications and resources behind the front line. As the enemy advances through the formations you inflict more and more casualties, decreasing the effectiveness of the opposing army and drawing them into a war of attrition.
GOAL
Instead of trying to stop the enemy’s advance, slow it down until you can contain the enemy.
EXAMPLE – BATTLE OF CANNAE
EXAMPLE – HOME INVASION
MECHANISM
Typically no more than a deadbolt.
RESULT
Guys like Bill Sempf can pick that lock in a few minutes! (It may take someone like me a few hours.)
SECURITY
Provides very little security. In fact most of the security is provided simply by the fact that the attacker is scared.
HOME INVASION – DEFENSE IN DEPTH
MECHANISMS
Provide security throughout the house.
• Intrusion detection systems (ornaments that make noise when stepped on)
• Intrusion prevention systems (torch at the perimeter, heavy cans)
• “Honey Pots” (unlocked windows)
SECURITY
• Provides security even when your neighbors aren’t around to prevent a home invasion
• Security even if a security failure occurs (Joe Pesci kicks the door in)
RESULT
DEFENSE IN DEPTH – COMPUTER SECURITY
• Often confused with “Layered” security
• Layered security is usually part of an overall Defense in Depth strategy.
• Deploy resources behind the perimeter (front line)
• Resources deployed throughout the network
• Slow an attacker’s advance
• Raise flags along the way to give the organization time to respond
WHAT IF ONLY PERIMETER WAS SECURED?
• Cannot predict everything that can possibly happen!
• Failures inevitably happen later in the process, when new “things” are changed.
• Cannot predict what the internal state of your application will be at any one time.
• Once perimeter security is penetrated all hell breaks loose!
EXAMPLE – SQL INJECTION
• SQL injection vulnerability deployed
• Attacker begins probing for SQL injection
• SQL user found to have elevated privileges
• OS command executed through SQL Server (xp_cmdshell)
• Call home… now the fun begins
WEB APPLICATION SECURITY
• XSS – 57% – url?name=alert(‘you’ve been pwned!’)
• INFO LEAK – 40% – Insufficient authentication and authorization around critical sections of the application.
• SQL INJECTION – 19% – SELECT * FROM ORM WHERE 1=1; DROP NOPE; -- I THOUGHT I WAS SECURE
• OTHER – 11% – Finger printing, HTTP response splitting, clickjacking etc…
DEFENSE IN DEPTH – YOUR APPLICATION
• Authentication (Ah! It’s you!)
• Authorization (You may enter..)
• Confidentiality (Don’t worry your stuff is safe)
• Validation throughout your application (ARRG don’t try to
do that!)
• Detection of Tampering/Audit Logging (ooo.. You messed
with me now you shall feel the wrath!)
Aspect Oriented Programming
ASPECT ORIENTED PROGRAMMING
• Developed at Xerox
• Deals with “cross cutting concerns”
• AKA the copy and paste code you put throughout your codebase.
• Examples:
• Logging (by the way, lots of people think this is all it’s useful for)
• Authorization
• Authentication
• Transactions
• General Security
AOP – BASIC TERMINOLOGY
• Join Point: The “space” between a call from one object to another.
• Point Cut: “Where” you will inject your “advice”.
• Advice: The code you want to inject.
• Aspect: The combination of a point cut and advice.
• Boundary: Predefined point cuts.
CALL GRAPH
YOU’VE ALREADY BEEN USING AOP! (kinda)
• Created an IHttpModule
• Used a module on Apache or IIS (e.g. ModSecurity)
• Created an action filter in ASP.NET MVC
• Used Data Annotations for validation
• Created a web service in .NET
• Used forms based authentication
• Used a membership or role provider configured through the web.config
Audit Logging
• Detect when “bad things” are happening
• Log to an audit log
• Potentially integrate with SIEM
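The terminology slide and the audit-logging slide above are easier to see in working code. The following C# is an added example written for this page, not the deck’s demo code (which is not on the page): it uses System.Reflection.DispatchProxy from modern .NET as the interception mechanism, and the IAccountService / AccountService types and the account number 1001 are constructed for the example. The aspect records every call through the proxied interface and flags calls the target rejects, which is the “detect when bad things are happening, log to an audit log” idea; the in-memory List<string> stands in for a real audit sink or SIEM forwarder.

```csharp
#nullable disable
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.ExceptionServices;

// Constructed service interface and implementation for the example; not from the deck.
public interface IAccountService
{
    decimal GetBalance(string accountId);
    void Withdraw(string accountId, decimal amount);
}

public class AccountService : IAccountService
{
    private readonly Dictionary<string, decimal> _balances =
        new Dictionary<string, decimal> { ["1001"] = 250m };

    public decimal GetBalance(string accountId) => _balances[accountId];

    public void Withdraw(string accountId, decimal amount)
    {
        if (amount <= 0) throw new ArgumentOutOfRangeException(nameof(amount));
        if (_balances[accountId] < amount) throw new InvalidOperationException("Insufficient funds.");
        _balances[accountId] -= amount;
    }
}

// The aspect. In the deck's terms:
//   join point = the boundary between the caller and the IAccountService method,
//   point cut  = "every method of T reached through this proxy",
//   advice     = the audit record written in Invoke around the real call.
public class AuditAspect<T> : DispatchProxy where T : class
{
    private T _target;
    private ICollection<string> _sink;   // stand-in for an audit log / SIEM forwarder

    // Wraps a target so that callers talk to the proxy instead of the real object.
    public static T Attach(T target, ICollection<string> sink)
    {
        object proxy = DispatchProxy.Create<T, AuditAspect<T>>();
        var aspect = (AuditAspect<T>)proxy;
        aspect._target = target;
        aspect._sink = sink;
        return (T)proxy;
    }

    protected override object Invoke(MethodInfo targetMethod, object[] args)
    {
        // In a web application take the principal from the request; Environment.UserName is a stand-in.
        string who = Environment.UserName;
        // Redact or hash sensitive parameters (passwords, card numbers) before logging them.
        string call = $"{typeof(T).Name}.{targetMethod.Name}({string.Join(", ", args ?? Array.Empty<object>())})";
        try
        {
            object result = targetMethod.Invoke(_target, args);
            Record("OK", who, call);
            return result;
        }
        catch (TargetInvocationException ex) when (ex.InnerException != null)
        {
            // The target rejected the call: that is the "bad thing" worth an audit record.
            Record("FAIL", who, $"{call} -> {ex.InnerException.GetType().Name}: {ex.InnerException.Message}");
            ExceptionDispatchInfo.Capture(ex.InnerException).Throw();   // rethrow with original stack
            throw; // unreachable; satisfies the compiler
        }
    }

    private void Record(string outcome, string who, string call) =>
        _sink.Add($"{DateTime.UtcNow:O} {outcome} user={who} call={call}");
}

public static class Program
{
    public static void Main()
    {
        var audit = new List<string>();
        IAccountService accounts = AuditAspect<IAccountService>.Attach(new AccountService(), audit);

        accounts.GetBalance("1001");                      // audited as OK
        try { accounts.Withdraw("1001", 1000m); }         // audited as FAIL, then rethrown
        catch (InvalidOperationException) { }

        foreach (string line in audit) Console.WriteLine(line);
    }
}
```

The business code in AccountService knows nothing about auditing; swapping the sink for a real forwarder or adding a second aspect (authorization, encryption of outputs) changes only the Attach call, which is the centralization the deck is arguing for.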
Demo – Audit Logging
METHOD INTERCEPTION
• AOP allows us to intercept a method and
manipulate inputs and outputs
• Can do things like encrypt output
• Gives us the ability to abstract the security
“implementation” to a security team.
• But gives us control over when to apply it!
Demo - Encryption
VALIDATION
• Because we can intercept methods
• We can also inspect parameters to our
methods
• We can automatically validate inputs to our
methods
N-TIER ARCHITECTURE
PRESENTATION LAYER
• ASP.NET MVC
• WEB API
• WCF SERVICES
SERVICE LAYER
• DOMAIN/BUSINESS SERVICES
• APPLICATION SERVICES
• HELPER CLASSES
CONTRACT LAYER
• DOMAIN MODELS
• CONTRACTS (Interfaces)
• DATA MODELS / POCO ENTITIES
DATA LAYER
• CONCRETE REPOSITORIES
• DATA CONNECTIVITY (CONTEXTS, FILE ACCESS etc.)
VALIDATION TAKE 1
• Attempted to build a “WAF” inside my application
• Apply firewall rules via AOP
• Interrogate every parameter to every method for every
possible attack vector!
• Bad idea!
IF IValidate YouValidate
• Applied to the domain model.
• Creates self validating objects!
• Look for IValidate using AOP
• Validate security of the object
public interface IValidate
{
bool IsValid { get; }
bool IsSecure { get; }
IEnumerable<string> ValidationErrors();
IEnumerable<string> SecurityErrors();
}
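The VALIDATION and IValidate slides describe one aspect: intercept the method, find parameters that implement IValidate, and refuse the call if the object says it is invalid or insecure. This C# is an added example for this page, not the deck’s demo: it uses an ASP.NET Core MVC action filter as the interception point (the deck lists MVC action filters among the AOP you have already been using; the original demos may have used a different framework), and the TransferRequest model, the TransfersController and the digits-only account rule are constructed for the example. Only the IValidate interface is taken from the slide.

```csharp
#nullable disable
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;

// The deck's IValidate contract, as shown on the slide.
public interface IValidate
{
    bool IsValid { get; }
    bool IsSecure { get; }
    IEnumerable<string> ValidationErrors();
    IEnumerable<string> SecurityErrors();
}

// Constructed domain model for the example: a self-validating transfer request.
public class TransferRequest : IValidate
{
    public string FromAccount { get; set; }
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }

    public bool IsValid => !ValidationErrors().Any();
    public bool IsSecure => !SecurityErrors().Any();

    // Business rules: what a well-formed request looks like.
    public IEnumerable<string> ValidationErrors()
    {
        if (Amount <= 0) yield return "Amount must be positive.";
        if (string.IsNullOrWhiteSpace(FromAccount)) yield return "Source account is required.";
        if (string.IsNullOrWhiteSpace(ToAccount)) yield return "Destination account is required.";
    }

    // Security rules: what a tampered request looks like. Account ids are digits only,
    // so quotes, semicolons or anything else never reach the data layer.
    public IEnumerable<string> SecurityErrors()
    {
        foreach (string id in new[] { FromAccount, ToAccount })
            if (!string.IsNullOrEmpty(id) && !id.All(char.IsDigit))
                yield return "Account identifier contains unexpected characters.";
    }
}

// The aspect: the point cut is "every action argument that implements IValidate",
// the advice runs in OnActionExecuting, before the action body.
public class ValidateParametersAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var errors = new List<string>();
        var logger = context.HttpContext.RequestServices
            .GetService(typeof(ILogger<ValidateParametersAttribute>)) as ILogger;

        foreach (var arg in context.ActionArguments)
        {
            if (!(arg.Value is IValidate v)) continue;

            if (!v.IsValid)
                errors.AddRange(v.ValidationErrors().Select(e => $"{arg.Key}: {e}"));

            if (!v.IsSecure)
            {
                var security = v.SecurityErrors().ToList();
                errors.AddRange(security.Select(e => $"{arg.Key}: {e}"));
                // A security failure is tampering evidence: audit it, don't just return 400.
                logger?.LogWarning("Security validation failed for {Action} by {User}: {Errors}",
                    context.ActionDescriptor.DisplayName,
                    context.HttpContext.User?.Identity?.Name ?? "anonymous",
                    string.Join("; ", security));
            }
        }

        if (errors.Count > 0)
            context.Result = new BadRequestObjectResult(new { errors });   // short-circuits the action
    }
}

[ApiController]
[Route("api/transfers")]
public class TransfersController : ControllerBase
{
    [HttpPost]
    [ValidateParameters]
    public IActionResult Create([FromBody] TransferRequest request)
    {
        // Reaching this line means request.IsValid && request.IsSecure already held.
        return Ok(new { status = "accepted", request.Amount });
    }
}
```

The rules live on the domain object, so the same object is checked the same way whether it arrives through this controller, a WCF service or a background job; the filter only decides where the check runs. Registering the filter globally instead of per action turns it into the “boundary” from the terminology slide.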
Demo - Validation
DRAWBACKS
• Does this decrease your application’s
performance?
• Yes, each additional line of code will do
that…
• Optimize your code
• Buy better hardware…you can afford it
All Together Now
WE’VE SHOWN HOW AOP CAN…
• Decrease the complexity of audit logging
• Help validate inputs throughout your application!
• Centralize security code
• Allow specialists to worry about implementation details!
• Make your life easier!
• Make your app safer!
• Help you get a defense in depth strategy throughout your
application!
NOW YOU CAN BE A (MORE) SECURE NINJA
Final Thoughts
#1 Security Problem
FINAL THOUGHTS
• It’s time to stop being afraid of the vulnerabilities we’ve created
• Have an adult conversation about how to move
forward
• Agree that everyone is doing their best.
• And realize that moving forward in security calls
on us to also look back at old code!
ALWAYS REMEMBER
Problems are nothing more
than opportunities to improve
I’m Done
@nerdybeardo
https://www.nerdybeardo.com

 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Defense In Depth With AOP

  • 1. DID with AOP: Utilizing Aspect Oriented Programming for better application defense.
  • 2. DISCLAIMERS
    Disclaimer One: I make no guarantees about beard length. But a beard will always be attached to this sexy face! IN OTHER WORDS DON’T COME CRYING TO ME ON TWITTER AND/OR OTHER SOCIAL NETWORKS THAT YOU MAY OR MAY NOT FIND ME ON!
    Disclaimer Two: I curse, frequently… sorry…
    Disclaimer Three: I don’t curse in the presence of my family, therefore I have brought my family with me so that I don’t have to curse in front of you.
    Disclaimer Four: Opinions are my own. Advice provided with no warranty. If you go back and implement an algorithm I told you to implement, you do so at your own risk. IF YOU’RE READING AND/OR SEEING THIS, BEWARE.
  • 3. OH YEAH…. TWITTER… @NERDYBEARDO – https://www.nerdybeardo.com
  • 4. THE NERDIEST OF BEARDOS – WHO’S THIS JERK ANYWAY!??
    ARCHITECT: I create pretty diagrams so that business people can understand what you people are saying!
    WANNABE SECURITY DUDE: I study cryptography and computer security for fun. Application security defender/practitioner since someone learned me about SQL injection!
    DEVELOPER: Developer for most of my life, and the only job I’ve ever had!
    HUSBAND/FATHER: Against all odds I’ve managed to stay married and pass on my genes (God help us all!)
  • 5. CREDENTIALS
    TOOK 11 YEARS TO GET A DEGREE: Yes! I finally got a degree!
    CERTIFICATIONS: // TODO: get certified in something
    I LIED, I HAVE ONE CERTIFICATION!! … Certified Scrum Master
    ALSO KNOWN AS: Scum Master, Dragon Master
  • 6. WHY ARE WE HERE?
  • 7. WHY ARE WE HERE?
  • 8. WHO ARE WE KIDDING…
  • 9. HOW TO APPROACH THIS TALK
    • This is not the solution to all your security problems!
    • Security does not always look “logical”, but it is!
    • Look for defense strategies.
    • Strategies are harder than implementation*!
    • For developers.
  • 11. AS A MILITARY STRATEGY
    SITUATION: Facing a superior fighting force in both resources and numbers.
    FORMATION: Deploy military units, fortifications and resources behind the front line. As the enemy advances through the formations you inflict more and more casualties, decreasing the effectiveness of the opposing army and drawing them into a war of attrition.
    GOAL: Instead of trying to stop the enemy’s advance, slow down their advance until you can contain the enemy.
  • 12. EXAMPLE – BATTLE OF CANNAE
  • 13. EXAMPLE – BATTLE OF CANNAE
  • 14. EXAMPLE – BATTLE OF CANNAE
  • 15. EXAMPLE – HOME INVASION
    MECHANISM: Typically no more than a deadbolt.
    RESULT: Guys like Bill Sempf can pick that lock in a few minutes! (It may take someone like me a few hours.)
    SECURITY: Provides very little security. In fact most of the security is provided simply by the fact that the attacker is scared.
  • 16. EXAMPLE – HOME INVASION DEFENSE IN DEPTH
  • 17. HOME INVASION – DEFENSE IN DEPTH
    MECHANISMS: Provide security throughout the house.
    • Intrusion detection systems (ornaments that make noise when stepped on)
    • Intrusion prevention systems (torch at the perimeter, heavy cans)
    • “Honey pots” (unlocked windows)
    SECURITY:
    • Provides security even when your neighbors aren’t around to prevent a home invasion
    • Security even if a security failure occurs (Joe Pesci kicks the door in)
  • 19. DEFENSE IN DEPTH – COMPUTER SECURITY
    • Often confused with “layered” security
    • Layered security is usually part of an overall Defense in Depth strategy.
    • Deploy resources behind the perimeter (front line)
    • Resources deployed throughout the network
    • Slow an attacker’s advance
    • Raise flags along the way to give the organization time to respond
  • 20. WHAT IF ONLY THE PERIMETER WAS SECURED?
    • Cannot predict everything that can possibly happen!
    • Failures inevitably happen later in the process when new “things” are changed.
    • Cannot predict what the internal state of your application will be at any one time.
    • Once perimeter security is penetrated, all hell breaks loose!
  • 21. EXAMPLE – SQL INJECTION (attack chain, in order)
    • SQL injection vulnerability deployed
    • Attacker begins probing for SQL injection
    • SQL user found to have elevated privileges
    • OS command executed through SQL Server (xp_cmdshell)
    • Call home… Now the fun begins
  • 22. WEB APPLICATION SECURITY
    Chart values as extracted: 57%, 40%, 19%, 11%; chart categories as extracted: XSS, INFO LEAK, SQL INJECTION, OTHER.
    Callouts on the slide:
    • url?name=alert(‘you’ve been pwned!’)
    • Insufficient authentication and authorization around critical sections of the application.
    • SELECT * FROM ORM WHERE 1=1; DROP NOPE; --
    • I THOUGHT I WAS SECURE: Finger Printing, HTTP Response Splitting, Click Jacking etc…
  • 23. DEFENSE IN DEPTH – YOUR APPLICATION
    • Authentication (Ah! It’s you!)
    • Authorization (You may enter…)
    • Confidentiality (Don’t worry, your stuff is safe)
    • Validation throughout your application (ARRG, don’t try to do that!)
    • Detection of tampering / audit logging (ooo… You messed with me, now you shall feel the wrath!)
  • 25. ASPECT ORIENTED PROGRAMMING
    • Developed at Xerox
    • Deals with “cross cutting concerns”
    • AKA the copy and paste code you put throughout your codebase.
    • Examples:
      • Logging (by the way, lots of people think this is all it’s useful for)
      • Authorization
      • Authentication
      • Transactions
      • General security
  • 26. AOP – BASIC TERMINOLOGY
    • Join Point: The “space” between a call from one object to another.
    • Point Cut: “Where” you will inject your “advice”
    • Advice: The code you want to inject
    • Aspect: The combination of a point cut and advice.
    • Boundary: Pre-defined point cuts
  • 28. YOU’VE ALREADY BEEN USING AOP! (kinda)
    • Created an IHttpModule
    • Used a module on Apache or IIS (e.g. ModSecurity)
    • Created an action filter in ASP.NET MVC
    • Used data annotations for validation
    • Created a web service in .NET
    • Used forms based authentication
    • Used a membership or role provider configured through the web.config
  • 29. AUDIT LOGGING
    • Detect when “bad things” are happening
    • Log to an audit log
    • Potentially integrate with a SIEM
  • 30. DEMO – AUDIT LOGGING
  • 31. METHOD INTERCEPTION
    • AOP allows us to intercept a method and manipulate inputs and outputs
    • Can do things like encrypt output
    • Gives us the ability to abstract the security “implementation” to a security team.
    • But gives us control over when to apply it!
  • 33. VALIDATION
    • Because we can intercept methods
    • We can also inspect parameters to our methods
    • We can automatically validate inputs to our methods
  • 34. N-TIER ARCHITECTURE
    PRESENTATION LAYER: ASP.NET MVC, WEB API, WCF SERVICES
    SERVICE LAYER: DOMAIN/BUSINESS SERVICES, APPLICATION SERVICES, HELPER CLASSES
    CONTRACT LAYER: DOMAIN MODELS, CONTRACTS (Interfaces), DATA MODELS / POCO ENTITIES
    DATA LAYER: CONCRETE REPOSITORIES, DATA CONNECTIVITY (CONTEXTS, FILE ACCESS etc.)
  • 35. VALIDATION TAKE 1
    • Attempted to build a “WAF” inside my application
    • Apply firewall rules via AOP
    • Interrogate every parameter to every method for every possible attack vector!
    • Bad idea!
  • 36. IF IValidate YouValidate
    • Applied to the domain model.
    • Creates self validating objects!
    • Look for IValidate using AOP
    • Validate security of the object

    public interface IValidate
    {
        bool IsValid { get; }
        bool IsSecure { get; }
        IEnumerable<string> ValidationErrors();
        IEnumerable<string> SecurityErrors();
    }
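The interception, audit-logging and self-validation ideas from slides 29 through 36, worked into one runnable aspect. This is an added example, not the demo code from the deck (the slides do not say which AOP framework the demo used); it uses System.Reflection.DispatchProxy, which ships with .NET 6 and later, as the interception mechanism. IValidate is the interface from slide 36; TransferRequest, ITransferService, TransferService, SecurityAspect and Wrap are hypothetical names chosen for this example, and the inputs in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.ExceptionServices;

// The interface from the slide: an object reports its own validity and security.
public interface IValidate
{
    bool IsValid { get; }
    bool IsSecure { get; }
    IEnumerable<string> ValidationErrors();
    IEnumerable<string> SecurityErrors();
}

// Hypothetical domain model (not from the deck) that validates itself.
public sealed class TransferRequest : IValidate
{
    public string AccountId { get; set; } = "";
    public decimal Amount { get; set; }
    public bool IsValid => !ValidationErrors().Any();
    public bool IsSecure => !SecurityErrors().Any();

    public IEnumerable<string> ValidationErrors()
    {
        if (Amount <= 0) yield return "Amount must be positive.";
        if (string.IsNullOrWhiteSpace(AccountId)) yield return "AccountId is required.";
    }

    // Account ids are digits only; anything else is refused before it reaches a query or a log line.
    public IEnumerable<string> SecurityErrors()
    {
        if (!AccountId.All(char.IsDigit)) yield return "AccountId contains unexpected characters.";
    }
}

// Hypothetical service contract; its interface is the boundary where the aspect is applied.
public interface ITransferService { string Transfer(TransferRequest request); }

public sealed class TransferService : ITransferService
{
    public string Transfer(TransferRequest r) => $"transferred {r.Amount} to {r.AccountId}";
}

// The aspect. DispatchProxy routes every interface call (the join point) through
// Invoke, where the advice runs: validate IValidate arguments, audit-log, call through.
public class SecurityAspect<T> : DispatchProxy where T : class
{
    private T _target = default!;
    private Action<string> _audit = _ => { };

    // T must be an interface type; DispatchProxy enforces that at run time.
    public static T Wrap(T target, Action<string> audit)
    {
        var aspect = (SecurityAspect<T>)(object)Create<T, SecurityAspect<T>>();
        aspect._target = target;
        aspect._audit = audit;
        return (T)(object)aspect;
    }

    protected override object? Invoke(MethodInfo? targetMethod, object?[]? args)
    {
        if (targetMethod is null) throw new ArgumentNullException(nameof(targetMethod));
        args ??= Array.Empty<object?>();
        var name = $"{typeof(T).Name}.{targetMethod.Name}";

        // Validation advice: a self-validating argument that fails either check stops
        // the call before it reaches the target, and the refusal is audited.
        foreach (var arg in args.OfType<IValidate>())
        {
            if (arg.IsValid && arg.IsSecure) continue;
            var problems = string.Join("; ", arg.ValidationErrors().Concat(arg.SecurityErrors()));
            _audit($"DENY {name}: {problems}");
            throw new InvalidOperationException($"Call to {name} rejected: {problems}");
        }

        // Audit-logging advice: record the call and any failure. Argument values are
        // deliberately not logged, so hostile input cannot poison the audit trail.
        _audit($"CALL {name}");
        try { return targetMethod.Invoke(_target, args); }
        catch (TargetInvocationException ex) when (ex.InnerException is not null)
        {
            _audit($"FAIL {name}: {ex.InnerException.GetType().Name}");
            ExceptionDispatchInfo.Capture(ex.InnerException).Throw();
            throw; // not reached; satisfies the compiler
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var log = new List<string>();
        var service = SecurityAspect<ITransferService>.Wrap(new TransferService(), log.Add);
        Console.WriteLine(service.Transfer(new TransferRequest { AccountId = "1001", Amount = 25m }));
        // Constructed hostile input, echoing the injection string on slide 22.
        try { service.Transfer(new TransferRequest { AccountId = "1001; DROP NOPE; --", Amount = 25m }); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
        foreach (var line in log) Console.WriteLine(line);
    }
}
```

The first call succeeds and leaves a `CALL ITransferService.Transfer` entry; the second never reaches `TransferService` and leaves a `DENY` entry naming the failed check. Applying the advice at the interface boundary is the slide's "pre-defined point cut": with a DI container you register the wrapped instance once, so callers never see the proxy, and the validation and audit rules live in one place that a security team can own while the application decides where to apply them.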
  • 38. DRAWBACKS
    • Does this decrease your application’s performance?
    • Yes, each additional line of code will do that…
    • Optimize your code
    • Buy better hardware… you can afford it
  • 40. WE’VE SHOWN HOW AOP CAN…
    • Decrease the complexity of audit logging
    • Help validate inputs throughout your application!
    • Centralize security code
    • Allow specialists to worry about implementation details!
    • Make your life easier!
    • Make your app safer!
    • Help you get a defense in depth strategy throughout your application!
  • 41. NOW YOU CAN BE A (MORE) SECURE NINJA
  • 44. FINAL THOUGHTS
    • It’s time to stop being afraid of the vulnerabilities we’ve created
    • Have an adult conversation about how to move forward
    • Agree that everyone is doing their best.
    • And realize that moving forward in security calls on us to also look back at old code!
  • 45. ALWAYS REMEMBER: Problems are nothing more than opportunities to improve.