Wouldn't it be wonderful to be better at security without having to actively think about it all the time? The OWASP Top Ten and the risk of getting your system "pwned" can make the best developers bury their heads in the sand. Another often-forgotten class of attacks does not exploit your infrastructure at all. These attacks leave your databases and root passwords uncompromised, because they attack your domain and business logic instead; they fly under the radar and no alarms go off. Unfortunately this is not science fiction, and we will show case studies of how it happens. But fear not. In this session we uncover the power of Domain Driven Security and related concepts. We bring out the tools and mindset of high-quality development and put them to work on security vulnerabilities. They are wonderfully powerful, even though they were not originally designed for security. You end up with systems where security is orders of magnitude higher, and the passing hacker moves on to the next door down the street.
Domain Driven Security @DevoxxMA
1. #DevoxxMA @DevoxxMA
Fighting Security Trolls with
High-Quality Mindsets?
-Your business is under attack, Domain Driven Security to the rescue
@danbjson, @DanielDeogun
Omegapoint
3. Key Take Aways
• Define each domain crafted for its purpose
• Don’t be generic, be specific
• Treat injection flaws as a modelling problem
• Define your domain primitives
• Draw your context maps
4. Attacks From A DDD Perspective
[Diagram: 2x2 quadrant, Simple vs Complex Technical against Simple vs Complex Domain]
7. Quantity made explicit - a good start
import static org.apache.commons.lang3.Validate.isTrue;

// A Quantity object can only exist if the business rule holds; callers never see a bad one.
public final class Quantity {
    public final int value;

    public Quantity(final int value) {
        // Validate.isTrue (commons-lang3) throws IllegalArgumentException with the formatted message
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
}
8. Ubiquitous Domain Primitives
• Library of domain primitives
• Consolidates business rules
• Raises the floor
void buyBook(String, int) -> buyBook(ISBN, Quantity)
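As an added example (not from the slides), here are the two primitives behind buyBook(ISBN, Quantity) written in Python rather than the slides' Java, so the evil inputs from the test slide later in the deck can be run directly. The Quantity rule is the one on slide 7; the ISBN-13 check-digit rule is the standard EAN-13 checksum. buy_book, rejected and EVIL_INPUTS are assumed names, and the sample ISBN is a constructed input.

```python
"""Domain primitives as value objects: Quantity (slide 7) and a checked ISBN-13.

Added example, not from the slides. `buy_book`, `rejected` and `EVIL_INPUTS`
are assumptions introduced for illustration.
"""
import re
from dataclasses import dataclass


class ValidationException(ValueError):
    """Raised when a value cannot be a member of the domain primitive."""


_ISBN13 = re.compile(r"97[89][0-9]{10}")


@dataclass(frozen=True)
class Quantity:
    value: int

    def __post_init__(self) -> None:
        # Same rule as the Java slide: strictly positive. bool is deliberately rejected too.
        if type(self.value) is not int or self.value <= 0:
            raise ValidationException(f"Quantity must be greater than zero. Got: {self.value!r}")


def _check_digit_ok(digits: str) -> bool:
    # EAN-13 / ISBN-13 checksum: alternate weights 1,3,1,3,...; the sum must be divisible by 10.
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits))
    return total % 10 == 0


@dataclass(frozen=True)
class ISBN:
    value: str

    def __post_init__(self) -> None:
        if not isinstance(self.value, str):
            raise ValidationException("ISBN must be a string")
        digits = self.value.replace("-", "")          # accept the hyphenated form
        if not _ISBN13.fullmatch(digits):
            raise ValidationException(f"Not a 13-digit ISBN: {self.value!r}")
        if not _check_digit_ok(digits):
            raise ValidationException(f"ISBN check digit mismatch: {self.value!r}")
        object.__setattr__(self, "value", digits)   # store the canonical (unhyphenated) form


def buy_book(isbn: ISBN, qty: Quantity) -> dict:
    # Assumed order representation. The point is the signature: it no longer takes
    # str/int, so every caller has already gone through the validation above.
    return {"isbn": isbn.value, "quantity": qty.value}


def rejected(cls, candidates) -> list:
    """Evil-test helper: return the candidates that `cls` refuses to construct."""
    out = []
    for c in candidates:
        try:
            cls(c)
        except ValidationException:
            out.append(c)
    return out


# Constructed evil inputs, mirroring the data points on the evil-test slide
# plus two ISBN-specific ones (wrong length/character, wrong check digit).
EVIL_INPUTS = [None, "", " ", "A", "1234567890", "978030640615X",
               "<script>alert('42')</script>", "' or '1'='1 --", "9780306406158"]
```

The check digit is what turns the primitive from "13 digits" into "an ISBN": 9780306406158 passes the regex and fails the checksum, so it never reaches buy_book.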
10. You define Your domain
• Bounded Context - bounded by what you need
• Strength not by “how wide” but by “how specific”
• Start simple
• Let it grow
11. Tests & Evil Tests
• TDD usually creates tests that open up functionality
• Evil tests are tests that close down functionality
[Cat]
12. Evil Test to Verify Boundaries
import org.junit.Rule;
import org.junit.experimental.theories.DataPoints;
import org.junit.experimental.theories.Theories;
import org.junit.experimental.theories.Theory;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;

@RunWith(Theories.class)
public class ValueObjectTest {
    // Each data point is a value the value object must refuse
    private interface IllegalValue { String value(); }

    @DataPoints
    public static IllegalValue[] input() {
        return new IllegalValue[]{
            () -> null,
            () -> "",
            () -> " ",
            () -> "A",
            () -> "AA",
            () -> " AA ",
            () -> "1234567890",
            () -> "<script>alert('42')</script>",
            () -> "' or '1'='1 --"
        };
    }

    @Rule
    public ExpectedException exception = ExpectedException.none();

    // The theory runs once per data point; every run must throw ValidationException
    @Theory
    public void should_be_illegal(final IllegalValue illegal) {
        exception.expect(ValidationException.class);
        new ValueObject(illegal.value());
    }
}
13. Attacks From A DDD Perspective
[Diagram: 2x2 quadrant, Simple vs Complex Technical against Simple vs Complex Domain]
14. Injection Flaw
“Injection flaws, such as SQL, OS, and LDAP injection
occur when untrusted data is sent to an interpreter as
part of a command or query. The attacker’s hostile data
can trick the interpreter into executing unintended
commands or accessing data without proper
authorization.”
- OWASP top 10
15. The Classics - Dynamic SQL String
SELECT … FROM Users
WHERE username = '<?username>'
AND password = '<?password>'
Input: username danbj, password catsarecute
SELECT … FROM Users
WHERE username = 'danbj'
AND password = 'catsarecute'
Warning! This is just an example. Do not store passwords in plain text.
Do not use relational databases for user management.
16. SQL Injection
SELECT … FROM Users
WHERE username = '<?username>'
AND password = '<?password>'
Input: username evilhaxxOr, password 'OR 1=1 --
SELECT … FROM Users
WHERE username = 'evilhaxxOr'
AND password = ''OR 1=1 --'
Input: username ' OR 1=1 --, password doesnotmatteranymore
SELECT … FROM Users
WHERE username = ''OR 1=1 --'
AND password = 'doesnotmatteranymore'
The attacker's quote closes the literal, OR 1=1 makes the condition true for every row, and -- turns the rest of the statement into a comment.
Warning! This is just an example. Do not store passwords in plain text.
Do not use relational databases for user management.
17. What's the problem? and solution?
• 'OR 1=1 -- is not a valid username
• This is implicit in the code
• Needs to be made explicit
• Write evil tests
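The attack from slides 15-17 run against an in-memory SQLite table, as an added example that is not from the slides, in Python rather than the slides' Java. login_dynamic_sql builds the query as a string the way the slide does (the username variant); login_modelled takes a Username domain primitive whose grammar makes "' OR 1=1 --" unconstructible and passes the literal as a bind parameter. The table layout, the function names and the sha256 hashing are assumptions; sha256 only keeps the demo dependency-free, and a real system needs a slow password hash.

```python
"""SQL injection from the slides against SQLite, and the modelled fix.

Added example, not from the slides. `Username`, `make_db`, `login_*` and
`demo` are assumed names; the Users row is constructed sample data.
"""
import hashlib
import hmac
import re
import sqlite3
from dataclasses import dataclass


class ValidationException(ValueError):
    pass


@dataclass(frozen=True)
class Username:
    value: str
    # The grammar made explicit (assumed here: lowercase letter, then 2-31 of [a-z0-9_]).
    # ' OR 1=1 -- is simply not a member of this set.
    _GRAMMAR = re.compile(r"[a-z][a-z0-9_]{2,31}")

    def __post_init__(self) -> None:
        if not isinstance(self.value, str) or not self._GRAMMAR.fullmatch(self.value):
            raise ValidationException(f"Not a valid username: {self.value!r}")


def _hash(password: str) -> str:
    # Demo only: sha256 is far too fast for password storage.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO Users VALUES (?, ?)", ("danbj", _hash("catsarecute")))
    conn.commit()
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Slide 16: the query is a string and the untrusted username is pasted into it.
    sql = (f"SELECT username FROM Users WHERE username = '{username}' "
           f"AND pw_hash = '{_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_modelled(conn: sqlite3.Connection, username: Username, password: str) -> bool:
    # The username was validated when the primitive was built; the literal travels
    # as a parameter, so the database never interprets it as SQL.
    row = conn.execute("SELECT pw_hash FROM Users WHERE username = ?",
                       (username.value,)).fetchone()
    # Compare in application code, constant-time; unknown users simply fail.
    return row is not None and hmac.compare_digest(row[0], _hash(password))


def demo() -> dict:
    conn = make_db()
    evil = "' OR 1=1 --"
    results = {
        "legit_dynamic": login_dynamic_sql(conn, "danbj", "catsarecute"),
        "evil_dynamic": login_dynamic_sql(conn, evil, "doesnotmatteranymore"),
        "legit_modelled": login_modelled(conn, Username("danbj"), "catsarecute"),
        "wrong_pw_modelled": login_modelled(conn, Username("danbj"), "nope"),
    }
    try:
        Username(evil)
        results["evil_modelled"] = "constructed"
    except ValidationException:
        results["evil_modelled"] = "rejected"
    return results
```

demo() shows both halves of the slide's argument: the dynamic string logs the attacker in with a password that "does not matter anymore", while the modelled version cannot even be called with that username. The bind parameter alone would stop the injection; the primitive is what makes the rule visible and testable at every call site.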
18. What is well modelled
in SQL?
“Connection, Statement, and ResultSet are
different things. SQL, where-clause, literal,
and condition are just a bunch of strings.”
- JDBC specification
19. HTTP Response with Cookie
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...
20. HTTP Injection
Input author: "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."
The \r\n ends the Set-Cookie header line, so everything after it is parsed as the start of a second response.
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker
HTTP/1.1 200 OK
…
<html><head><title>Hacked content</title> …
...
<html><head><title>The real content</title> ...
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
21. RFC 2616 HTTP/1.1
Ch 4 HTTP Message
HTTP-message = Request | Response ; HTTP/1.1 messages
generic-message = start-line
*(message-header CRLF)
CRLF
[ message-body ]
start-line = Request-Line | Status-Line
message-header = field-name ":" [ field-value ]
field-name = token
field-value = *( field-content | LWS )
field-content = <the OCTETs making up the field-value
and consisting of either *TEXT or combinations
of token, separators, and quoted-string>
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
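The response splitting of slides 19-21 reproduced and closed with a domain primitive, as an added example that is not from the slides, in Python rather than the slides' Java. naive_response does what the servlet Cookie snippet does (unchecked concatenation); HeaderValue enforces the field-value rule from the RFC 2616 grammar above, CTLs are not allowed, here tightened to printable ASCII plus HT as a stated design choice. RFC 2616 has since been replaced by RFC 7230 and RFC 9112, but the rule that a bare CRLF terminates a header line is unchanged. The function names and the attack payload are assumptions; the payload is the slide's example spelled out.

```python
"""HTTP response splitting and a header-value primitive that refuses CRLF.

Added example, not from the slides. `HeaderValue`, `naive_response`,
`modelled_response`, `count_status_lines` and `demo` are assumed names.
"""
import re
from dataclasses import dataclass

CRLF = "\r\n"


class ValidationException(ValueError):
    pass


# Anything outside printable ASCII (0x20-0x7E) or HT is refused. This is stricter than
# RFC 2616 TEXT (which allowed ISO-8859-1 octets) and, above all, excludes CR and LF.
_NOT_FIELD_CONTENT = re.compile(r"[^\x20-\x7e\t]")


@dataclass(frozen=True)
class HeaderValue:
    value: str

    def __post_init__(self) -> None:
        if not isinstance(self.value, str) or _NOT_FIELD_CONTENT.search(self.value):
            raise ValidationException(f"Not a header field-value: {self.value!r}")


def naive_response(author: str, body: str) -> str:
    # Slide 19: the author string goes into the cookie unchecked.
    return CRLF.join(["HTTP/1.1 200 OK", f"Set-Cookie: author={author}", "", body])


def modelled_response(author: HeaderValue, body: str) -> str:
    # Same serialisation, but the type guarantees the value contains no CR/LF.
    return CRLF.join(["HTTP/1.1 200 OK", f"Set-Cookie: author={author.value}", "", body])


def count_status_lines(raw: str) -> int:
    # generic-message starts with exactly one start-line; a second Status-Line inside
    # the byte stream is what a client or cache parses as a second response.
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1.1 "))


def demo() -> dict:
    body = "<html><head><title>The real content</title></head></html>"
    # Constructed payload: the slide's "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."
    attack = ("Wiley Hacker" + CRLF + "HTTP/1.1 200 OK" + CRLF + CRLF
              + "<html><head><title>Hacked content</title></head></html>" + CRLF)
    out = {
        "naive_status_lines": count_status_lines(naive_response(attack, body)),
        "legit_status_lines": count_status_lines(modelled_response(HeaderValue("Jane Smith"), body)),
    }
    try:
        HeaderValue(attack)
        out["attack_primitive"] = "constructed"
    except ValidationException:
        out["attack_primitive"] = "rejected"
    return out
```

Current servlet containers and HTTP libraries mostly refuse bare CR/LF in header values themselves; the primitive is still worth having because it states the rule where the domain meets the protocol and lets an evil test pin it down, independent of which container or library happens to be underneath.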
22. Attacks From A DDD Perspective
[Diagram: 2x2 quadrant, Simple vs Complex Technical against Simple vs Complex Domain]
23. Cross Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted
data and sends it to a web browser without proper
validation or escaping. XSS allows attackers to execute
scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious
sites.”
- OWASP top 10
31. Protecting Sensitive Data
import java.util.concurrent.atomic.AtomicReference;
import static org.apache.commons.lang3.Validate.notNull;

public final class SensitiveValue {
    // AtomicReference so the value can be handed out exactly once, even under concurrency
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        this.value = new AtomicReference<>(validated(value));
    }

    private static String validated(final String value) {
        //Validation of input value
        return value;
    }

    public String value() {
        // getAndSet(null): the first caller gets the value, every later caller gets an exception
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    @Override
    public String toString() {
        // Never let the value leak into logs, debuggers or exception messages
        return "SensitiveValue value = *****";
    }
}
32. Protecting Sensitive Data
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;

public final class SensitiveValue implements Externalizable {
    …
    // No equality or hashing: the value must not end up as a map key or in comparisons
    @Override
    public boolean equals(final Object o) {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public int hashCode() {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    // No serialisation in either direction: the value must not leave the process
    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public void readExternal(final ObjectInput in) throws IOException, ClassNotFoundException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }
}
Note that a Java String cannot be zeroed, so the one-shot read limits how many copies of the value are made but does not remove it from the heap until garbage collection; a char[] that is cleared after use is the usual stricter option.
33. Attacks From A DDD Perspective
[Diagram: 2x2 quadrant, Simple vs Complex Technical against Simple vs Complex Domain]
37. Making a change with surgical precision
[Context map diagram with the contexts Purchase, Payment, Bank, Insurance and Policy, and the messages Confirm, Reject, Giro Confirm and Giro Bounce]
38. What we would have done
[Context map diagram as on slide 37, with Cash Payment and Giro Payment added]
39. Micro-Service Hell
• We're moving towards more and more micro-services
• Implemented by separate teams
• How do we guarantee correct context mappings?
40. Key Take Aways
• Define each domain crafted for its purpose
• Don’t be generic, be specific
• Treat injection flaws as a modelling problem
• Define your domain primitives
• Draw your context maps
43. Image References
• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/
• [Cat - https://flic.kr/p/5paD1a] by mao_lini under license https://creativecommons.org/licenses/by/2.0/