The document discusses do-it-yourself security audits for PHP applications. It recommends focusing audits on high-risk areas by analyzing data flows for STRIDE risks such as spoofing, tampering, and information disclosure. The document outlines tools and techniques for finding SQL injections, code executions, input validation gaps, and cross-site scripting vulnerabilities. It recommends using input flow analysis, or checking critical functions together with output escaping, to audit applications efficiently. While tools can assist, thorough manual code reviews are still needed to identify security issues.
3. The bald guy in the front
Johann-Peter Hartmann
Full-time PHP Developer since 3.0.4
loves LAMP, the great people, it's fun.
Security is just fun
CTO and Founder of Mayflower GmbH
CEO of SektionEins GmbH
14. Why do it, anyway?
Best way: verify the whole application
Second best: audit the whole source code
Average: 2000 LOC/Day
More than one year for a 500.000 LOC application.
Marco just told me that he got a 3.000.000 LOC application
17.-22. Check Data Flows for STRIDE
Check every data exchange point for
Spoofing (Fake Referer, Stolen Session Ids)
Tampering (XSS, CSRF)
Repudiation (identity theft, identity coverage)
Information Disclosure (SQL-Injections, XSS, ...)
Denial of service (Logout after 3 failed logins)
Elevation of Privileges (Code executions ...)
32. Where to start auditing?
risk = chance of attack * damage potential
High risk example: SQL-Injection in a Login Form
34. Tools needed for manual Source Code Audits
Some people say: you just need "grep"
A decent Code Browser with
syntax highlighting
good code navigation
Dynamic Code Analysis: Debugger with
Step Through
Variable Introspection, Conditional Breakpoints
35. Critical Function Analysis
Some functions are more dangerous than other methods.
Every exploit class has its own set of functions
think of: SQL Injections, Code Executions
So just search for every critical function and check if the parameters are escaped correctly
36. SQL Injections
Functions: mysql_query, mysqli_query, pdo::query, ...
Your own database abstraction layer
What to check
Are the parameters correctly escaped?
Even numbers, sort orders and directions?
Table and Column names?
Look out for proper escaping of values, column names, sort orders etc.
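As an added example that is not part of the talk: a PDO-based list query for a hypothetical users table, showing what "correctly escaped" means for each of the four cases on the slide. Values are bound; the column name, sort direction and LIMIT cannot be bound, so they are whitelisted or cast. Assumes PHP 8 with PDO on MySQL (the LIKE escaping relies on MySQL's default backslash escape character).

```php
<?php
// Added example (not from the talk). Table and column names are hypothetical;
// assumes PHP 8 with PDO on MySQL, whose LIKE uses backslash as escape character.

declare(strict_types=1);

final class UserListQuery
{
    // Identifiers the request may sort on: a whitelist, because a bound
    // placeholder would turn into a quoted string ('name'), not a column name.
    private const SORTABLE = ['id', 'name', 'created_at'];

    public function __construct(private PDO $pdo) {}

    /** @param array $params raw request parameters such as $_GET (untrusted) */
    public function run(array $params): array
    {
        // Value: bound, so quotes and comment sequences inside it stay data.
        $search = (string) ($params['q'] ?? '');

        // Column name: whitelisted (see above), defaulting to a safe choice.
        $sort = $params['sort'] ?? 'id';
        if (!in_array($sort, self::SORTABLE, true)) {
            $sort = 'id';
        }

        // Direction: ASC/DESC are keywords and cannot be bound; map the request
        // onto one of two fixed tokens instead of inserting the input.
        $dir = strtoupper((string) ($params['dir'] ?? 'asc')) === 'DESC' ? 'DESC' : 'ASC';

        // Number: "just a number" is an injection point when concatenated raw;
        // the int cast leaves nothing but digits and the range check keeps it sane.
        $limit = max(1, min(100, (int) ($params['limit'] ?? 20)));

        $sql = "SELECT id, name FROM users WHERE name LIKE :q "
             . "ORDER BY `{$sort}` {$dir} LIMIT {$limit}";
        $stmt = $this->pdo->prepare($sql);
        // Binding protects the SQL, not the LIKE pattern: escape % and _ so the
        // user cannot widen the match to the whole table.
        $stmt->bindValue(':q', '%' . addcslashes($search, '%_\\') . '%', PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// What the audit should flag, for comparison: the same query with every
// fragment concatenated straight from the request.
//   $sql = "SELECT id, name FROM users WHERE name LIKE '%{$_GET['q']}%' "
//        . "ORDER BY {$_GET['sort']} {$_GET['dir']} LIMIT {$_GET['limit']}";
```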
37. Code Executions
Functions:
eval(), create_function(), preg_replace with modifier e,
usort, uasort, *_callback functions
Written and included code:
Templates in Smarty
Cache data
Look out for: (external) variables in php-code
Strings can contain code executions! "{${phpinfo}}"
39. Shell Executions
Functions:
shell_exec (BackTicks!), exec(), system(), popen(), passthru()
mail()!
Binary name and arguments need to be escaped
Check for existence of escapeshellcmd() and escapeshellarg()
40. Information leakage
Functions: fopen(), fread(), file(), ...
Vulnerabilities:
read local files containing database passwords
read intranet URLs
read local server configuration files
Check for injection of "/../../etc/passwd%00"
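An added example, not from the talk, of what the audit wants to find at the shell sink of slide 39 and the file sink of slide 40: a fixed binary with escapeshellarg() around each argument, and a file read pinned to a base directory with an explicit null-byte check. The binary, base directory and function names are hypothetical; assumes PHP 8.

```php
<?php
// Added example (not from the talk). Binary path, base directory and the
// function names are hypothetical; requires PHP 8 for str_contains/str_starts_with.

declare(strict_types=1);

/**
 * Shell sink (slide 39): the binary name is fixed in code, never taken from the
 * request, and every argument goes through escapeshellarg(), so spaces, quotes,
 * ';', '|' and backticks in it stay data. Validation on top keeps garbage out.
 */
function runWhois(string $domain): string
{
    if (!preg_match('/^[a-z0-9.-]{1,253}$/i', $domain)) {
        throw new InvalidArgumentException('not a hostname');
    }
    $cmd = '/usr/bin/whois ' . escapeshellarg($domain);
    return (string) shell_exec($cmd);
}

/**
 * File sink (slide 40): resolve the requested name under a fixed base directory
 * and refuse anything that resolves outside of it ("/../../etc/passwd") or
 * carries a null byte ("%00" after URL decoding), which PHP before 5.3.4
 * treated as the end of the filename.
 */
function readDownload(string $baseDir, string $requested): string
{
    if (str_contains($requested, "\0")) {
        throw new InvalidArgumentException('null byte in filename');
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path escapes the download directory');
    }
    if (!is_file($path)) {
        throw new RuntimeException('not a regular file');
    }
    return (string) file_get_contents($path);
}

// What the auditor should flag for comparison (both sinks fed straight from $_GET):
//   shell_exec('whois ' . $_GET['domain']);
//   readfile('/var/www/downloads/' . $_GET['file']);
```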
41. Input Flow Analysis
Check the path that variables take through the application
Faster than a critical function analysis
PHP accepts every external variable by default
The variables come from an untrusted environment
As soon as PHP gets a taint mode, PHP will help you a lot
42. Input Flow Analysis
$_GET, $_POST, $_COOKIE
some $_SERVER variables! Don't trust $HTTP_HOST.
register_globals makes it hard to follow
Check if external variables, or values derived from them, are used in critical functions
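An added example that is not from the talk: a deliberately small line-based scanner that combines critical function analysis (slide 35) with the input flow idea of slides 41 and 42. It runs over a constructed PHP snippet embedded below; the function lists, the sanitizer list and the one-statement-per-line assumption are mine, and it is a triage aid rather than a real taint engine (assumes PHP 8).

```php
<?php
// Added example (not from the talk): a line-based input flow scanner for PHP
// source. Function and sanitizer lists are mine and intentionally short; it
// assumes one statement per line and ignores function boundaries. PHP 8.

declare(strict_types=1);

// Where external data enters (slide 42).
const EXTERNAL_INPUTS = '/\$_(GET|POST|COOKIE|REQUEST|SERVER|FILES)\b/';

// Critical functions per exploit class (slides 36, 37, 39, 40).
const CRITICAL = [
    'SQL injection'   => ['mysql_query', 'mysqli_query', 'query'],
    'Code execution'  => ['eval', 'create_function', 'preg_replace', 'usort', 'uasort'],
    'Shell execution' => ['shell_exec', 'exec', 'system', 'popen', 'passthru', 'mail'],
    'File access'     => ['fopen', 'fread', 'file', 'file_get_contents', 'include', 'require'],
];

// Calls treated as cleaning a value. The auditor still has to check that the
// sanitizer matches the sink: intval() helps a SQL query, not a shell command.
const SANITIZERS = '/\b(intval|escapeshellarg|escapeshellcmd|mysqli_real_escape_string|basename)\s*\(|\(int\)/';

/** @return string[] one finding per call that receives external data */
function scan(string $source): array
{
    $tainted  = [];   // variable name => line where it picked up external data
    $findings = [];

    foreach (explode("\n", $source) as $index => $line) {
        $lineNo = $index + 1;
        $expr   = $line;

        // "$x = ...;" taints $x when the right-hand side carries external input
        // or an already tainted variable without a sanitizer, and clears $x
        // otherwise (reassigned from something clean).
        if (preg_match('/^\s*\$(\w+)\s*=(?!=)\s*(.+);/', $line, $m)) {
            [, $name, $expr] = $m;
            $carries = preg_match(EXTERNAL_INPUTS, $expr) || usesTainted($expr, $tainted);
            if ($carries && !preg_match(SANITIZERS, $expr)) {
                $tainted[$name] = $lineNo;
            } else {
                unset($tainted[$name]);
            }
        }

        // Critical function analysis: report a sink only when external data
        // (directly or through a tainted variable) is in the same statement.
        foreach (CRITICAL as $class => $functions) {
            $pattern = '/\b(' . implode('|', array_map('preg_quote', $functions)) . ')\s*\(/';
            $isSink  = preg_match($pattern, $expr)
                || ($class === 'Shell execution' && str_contains($expr, '`'));
            if ($isSink && (preg_match(EXTERNAL_INPUTS, $expr) || usesTainted($expr, $tainted))) {
                $findings[] = sprintf('line %d: %s via %s', $lineNo, $class, trim($line));
            }
        }
    }
    return $findings;
}

function usesTainted(string $code, array $tainted): bool
{
    foreach (array_keys($tainted) as $name) {
        if (preg_match('/\$' . preg_quote($name, '/') . '\b/', $code)) {
            return true;
        }
    }
    return false;
}

// Constructed sample under audit. Lines 4 and 5 should be reported; line 6 is
// not because basename() counts as a sanitizer, line 8 not because of the cast.
$sample = <<<'PHP'
$id   = $_GET['id'];
$name = $_POST['name'];
$file = basename($_GET['f']);
$rows = mysql_query("SELECT * FROM users WHERE id = " . $id);
$out  = `ls -la {$name}`;
$fh   = fopen("/var/www/uploads/" . $file, 'r');
$page = (int) $_GET['page'];
$rows = mysqli_query($db, "SELECT * FROM posts LIMIT " . $page);
PHP;

foreach (scan($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```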
43.-48. XSS: Output Escaping check
Check every place where data is delivered to the user
There are 5 different versions of escaping for XSS
Text: htmlentities()
Attributes: htmlspecialchars()
URLs: urlencode()
JavaScript- and Stylesheet-Strings: addcslashes()
HTML: Whitelist-Filters like htmlpurifier
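As an added example (not from the talk): one escaper per output context from the list above, applied to a constructed hostile value in a small template fragment. Assumes PHP 8 and UTF-8 pages; the whitelist HTML filter (htmlpurifier) is a library and is left out.

```php
<?php
// Added example (not from the talk): one escaper per output context of the
// slide, applied to a constructed hostile value. Assumes PHP 8 and UTF-8 pages.
// A whitelist HTML filter (htmlpurifier) is a library, so that context is omitted.

declare(strict_types=1);

final class Out
{
    // Text nodes: htmlentities() encodes every character that has a named entity.
    public static function text(string $s): string
    {
        return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Attribute values: the special characters are enough, but ENT_QUOTES is
    // mandatory, otherwise a single quote breaks out of a '...' attribute.
    public static function attr(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // URL parameters: percent-encode the value, then treat the finished URL
    // as an attribute because it lands inside href="...".
    public static function urlParam(string $s): string
    {
        return self::attr(rawurlencode($s));
    }

    // JavaScript string literals: backslash-escape quotes, backslashes, line
    // breaks and the characters that would otherwise close the <script> element.
    public static function jsString(string $s): string
    {
        return addcslashes($s, "\\\"'\n\r</>");
    }
}

// Constructed hostile input: unescaped, it breaks out of every context below.
$name = '"><script>alert(\'x\')</script>';
$lang = "en\"; alert(1); var y=\"";

$html = '<p>Hello, ' . Out::text($name) . '</p>' . "\n"
      . '<input type="text" value="' . Out::attr($name) . '">' . "\n"
      . '<a href="/search?q=' . Out::urlParam($name) . '">search</a>' . "\n"
      . '<script>var lang = "' . Out::jsString($lang) . '";</script>' . "\n";

echo $html;

// What the audit should flag: the same template with the value dropped in raw,
//   echo '<input type="text" value="' . $_GET['name'] . '">';
```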
49. Tools for Static Analysis
RATS: http://www.fortifysoftware.com/security-resources/rats.jsp
finds simple bugs like TOCTOU
PHP-SAT http://www.program-transformation.org/PHP/PhpSat
has a freely definable set of rules for security checks
Armorize CodeSecure http://www.armorize.com/
HyperSource, Fortify
50. Other tools
XSSS for automated XSS search
http://www.sven.de/XSSS
A lot of other web security scanners
SPIDynamics WebInspect
NStalker
Chorizo does PHP gray box scanning
... a lot more
51. Summary
Even if you have time to do a full code review, use risk analysis to focus
Code review:
Use critical function analysis and output check, or input flow analysis
Tools can help you, but they don't do your job
53. Questions?
Contact me at:
johann-peter.hartmann@sektioneins.de
Editor's Notes
Formally I am the boss of Stefan Esser. I am not sure if he knows it, though.
A database is 40.000 Bugs. Any database.
Message: The number one target is information theft.
Don't care about XSS, care about SQL injection first.
That's something that banking or insurance companies do. Security experts for real world security do it, and so does the Microsoft security development lifecycle.
So in six years' time Stefan would be able to tell Marco "Look, there has been a bug"
What to audit: are there money issues? privacy issues? are children involved? sexual preferences?
Actually that's a term Microsoft coined
Find easy-to-find vulnerabilities, identify parts of code involved in highly critical workflows
White box audits
Basically you need an IDE for hacking! Like Zend IDE, PDT
Parameter binding just helps 80% for SQL injection!