This document promotes secure software development practices and advertises an upcoming security conference. It discusses the speaker's background in security research and hacking competitions. It then outlines some common security issues like weak passwords, SQL injection, and open redirects. To demonstrate secure development, it proposes a hands-on exercise of attacking, fixing, and rewriting the codebase of a sample legacy online spaceflight booking application. The document emphasizes the importance of considering security throughout the entire software development lifecycle from design to deployment. It invites the reader to join the security conference conversation.

1. Join the conversation #DevSecCon
BY Gábor Pék, Co-founder and CTO at Avatao
Hands-on secure software
development from design to
deployment

2. About me
Intel virtualization hacks (e.g., XSA-59)
Reserarch of advanced targeted attacks (Duqu, Flame, miniDuke)
Founder of !SpamAndHex (3x DEFCON CTF Finalist team)
PhD in virtualization and malware security (CrySyS Lab, BME)
Co-founder and CTO at Avatao (a CrySyS Lab Spin-off)

3. CrySyS Lab analyses
high-profile targeted
attacks

4. !SpamAndHex
3x DEFCON CTF Finalists

5. Security is missing from
education

6. Practical security at
universities?

7. Apps failing security checksApps failing security checksApps failing security checksApps failing security checks

8. Barnaby Jack pacemaker hack

9. Autonomous cars

10. Hacking in the media

11. Need good developers,
not only hackers

12. The real learning: take it apart…Real learning:
let them take it apart…

13. …but then you have to build something better
… but then you have to build
something better

14. How to do it in practice?
”Bug parade is only
half of the problem”
- Gary McGraw

15. Software security must cover
each phase of SDLC!
Source -

16. The story
The story

17. Let’s do something practical
Attack, fix and rewrite the legacy system of a
spaceline company.
Legacy New

18. Try’n’Err Spaceline
Legacy New

19. https://avatao.com/
events/devseccon2017

20. Check the Platform

21. Design

22. Bad DB design
Feature - Store basic user information
Vulnerability - No UNIQUE constraint on username
Fix legacy - Use of constraints
Bad DB design

23. Implementation

24. Weak password policy
Feature - Handle user passwords
Vulnerability - Passwords are stored in plaintext
Fix legacy - Use strong hash functions
Misc - Check password strength
– Regex
– Zxcvbn from Dropbox
Weak Password Policy

25. Vulnerability - Authentication can be bypassed by
SQL injection
Feature - Login
Fix legacy - Prepared statements
Write new – Use hibernate
Authentication Bypass

26. Vulnerability - Accessing privileged resources
Feature - Flight and user information
Fix legacy - Check access control by user ID
Write new - Use Spring to check ID and role
Insecure Direct Object Reference

27. Vulnerability - Evil REs stuck on crafted inputs.
– (a+)+
–([a-zA-Z]+)*
–(a|aa)+
–(a|a?)+
–(.*a){x} | for x > 10
Feaure - Registration (email RE in Spring)
Source - OWASP
Regular Expression DoS

28. Open Redirect
Vulnerability - Open Redirect
Feaure - Login
Attack new - Craft malicious URLs to bypass
unvalidated redirects.
Open Redirect

29. Operation
Source – The Phoenix Project

30. Tomcat listens on localhost:8005 by default to allow
for shutdown.
Task - Say ”SHUTDOWN”.
The Final Countdown

31. Takeaway

32. Do your homework, first design

33. Frameworks
No framework is a silver bullet against bad code
Examples demonstrated
–ReDOS,
–Open Redirect in Spring
Frameworks

34. Rubber duck debugging

37. FrameworksAutomated tests

38. Software security should go from
design to deployment

39. Join the conversation #DevSecCon
Questions?
gabor.pek@avatao.com