#DevoxxMA @DevoxxMA
Fighting Security Trolls with High-Quality Mindsets?
- Your business is under attack, Domain Driven Security to the rescue
@danbjson, @DanielDeogun
Omegapoint
About Us…
Umeå, Malmö, Göteborg, Falun, New York, Stockholm
Daniel Deogun, Dan Bergh Johnsson, Omegapoint
Key Take Aways
• Define each domain crafted for its purpose
• Don’t be generic, be specific
• Treat injection flaws as a modelling problem
• Define your domain primitives
• Draw your context maps
Attacks From A DDD Perspective [quadrant: Simple Domain / Complex Domain against Simple Technical / Complex Technical]
Purchasing “Unencyclopedia” [Encyclopedia]
Analysis: -1 : Integer, -1 : Quantity
OrderLine {ISBN, Quantity}
Quantity made explicit - a good start
// assumed: isTrue is Apache Commons Lang's Validate.isTrue, which throws IllegalArgumentException
import static org.apache.commons.lang3.Validate.isTrue;

public final class Quantity {
    public final int value;

    public Quantity(final int value) {
        // The business rule is stated once, here: a quantity is always positive,
        // so a -1 can never enter the domain as a Quantity
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
}
Ubiquitous Domain Primitives
• Library of domain primitives
• Consolidates business rules
• Raises the floor
void buyBook(String, int) -> buyBook(ISBN, Quantity)
String -> EmailAddress
• RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
• !#$%&'*+-/=?^_`{|}~@omegapoint.se
• "Åsa Sjölander"@omegapoint.se
• Regexp : (a 6424-character expression, omitted here)
You define Your domain
• Bounded Context - bounded by what you need
• Strength not by “how wide” but by “how specific”
• Start simple
• Let it grow
Tests & Evil Tests
• TDD usually creates tests that open up functionality
• Evil tests are tests that close down functionality
[Cat]
Evil Test to Verify
Boundaries
import org.junit.Rule;
import org.junit.experimental.theories.DataPoints;
import org.junit.experimental.theories.Theories;
import org.junit.experimental.theories.Theory;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;

@RunWith(Theories.class)
public class ValueObjectTest {
    private interface IllegalValue {String value();}

    // Every data point is an input the value object must refuse
    @DataPoints
    public static IllegalValue[] input() {
        return new IllegalValue[]{
            () -> null,
            () -> "",
            () -> " ",
            () -> "A",
            () -> "AA",
            () -> " AA ",
            () -> "1234567890",
            () -> "<script>alert('42')</script>",
            () -> "' or '1'='1 --"
        };
    }

    @Rule
    public ExpectedException exception = ExpectedException.none();

    // The theory runs once per data point; each run must end in a ValidationException
    @Theory
    public void should_be_illegal(final IllegalValue illegal) {
        exception.expect(ValidationException.class);
        new ValueObject(illegal.value());
    }
}
Attacks From A DDD Perspective [quadrant: Simple Domain / Complex Domain against Simple Technical / Complex Technical]
Injection Flaw
“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
- OWASP top 10
The Classics - Dynamic SQL String
SELECT … FROM Users
WHERE username = ’<?username>’
AND password = ’<?password>’
danbj catsarecute
SELECT … FROM Users
WHERE username = ’danbj’
AND password = ’catsarecute’
Warning! This is just an example. Do not store passwords in plain text.
Do not use relational databases for user management.
SQL Injection
SELECT … FROM Users
WHERE username = ’<?username>’
AND password = ’<?password>’
evilhaxxOr ’OR 1=1 --
SELECT … FROM Users
WHERE username = ’evilhaxxOr’
AND password = ’’OR 1=1 --’
SELECT … FROM Users
WHERE username = ’’OR 1=1 --’
AND password = ’doesnotmatteranymore’
What’s the problem? And the solution?
• ‘OR 1=1 -- is not a valid username
• This is implicit in the code
• Needs to be made explicit
• Write evil tests
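The evil-test idea from the ValueObjectTest slide applied to the username bullets, as an added example (not code from the talk): an assumed Username domain primitive whose rule is 3 to 8 characters, a letter first, then letters, digits or underscore, with the slide's illegal inputs as the evil tests; the nested ValidationException is a stand-in for the one the slides reference.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Domain primitive for a username: valid by construction, or it does not exist. */
public final class Username {

    /** Assumed business rule: 3 to 8 characters, a letter first, then letters, digits or underscore. */
    private static final Pattern VALID = Pattern.compile("[A-Za-z][A-Za-z0-9_]{2,7}");

    private final String value;

    public Username(final String candidate) {
        // Rejecting the attack strings is a side effect of stating what a username IS,
        // not of enumerating what an attacker might send
        if (candidate == null) {
            throw new ValidationException("username must not be null");
        }
        if (!VALID.matcher(candidate).matches()) {
            throw new ValidationException("not a valid username: " + candidate);
        }
        this.value = candidate;
    }

    public String value() {
        return value;
    }

    /** Thrown when a candidate violates the domain rule (stand-in for the slides' ValidationException). */
    public static final class ValidationException extends RuntimeException {
        ValidationException(final String message) {
            super(message);
        }
    }

    /** True when the primitive refuses the candidate; the evil tests below build on this. */
    public static boolean rejects(final String candidate) {
        try {
            new Username(candidate);
            return false;
        } catch (ValidationException e) {
            return true;
        }
    }

    /** Evil test data: the illegal inputs from the ValueObjectTest slide. Returns any that got through. */
    public static List<String> leakingInputs() {
        List<String> illegal = Arrays.asList(
                (String) null, "", " ", "A", "AA", " AA ", "1234567890",
                "<script>alert('42')</script>", "' or '1'='1 --");
        List<String> leaked = new ArrayList<>();
        for (String s : illegal) {
            if (!rejects(s)) {
                leaked.add(s);
            }
        }
        return leaked;
    }

    public static void main(final String[] args) {
        // Opening test (TDD style): the legitimate username from the slides is accepted
        if (!new Username("danbj").value().equals("danbj")) {
            throw new AssertionError("danbj should be a valid username");
        }
        // Closing tests (evil tests): nothing on the illegal list may become a Username
        List<String> leaked = leakingInputs();
        if (!leaked.isEmpty()) {
            throw new AssertionError("illegal inputs accepted: " + leaked);
        }
        System.out.println("all evil tests hold for Username");
    }
}
```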
What is well modelled
in SQL?
“Connection, Statement, and ResultSet are different things. SQL, where-clause, literal, and condition are just a bunch of strings.”
- JDBC specification
HTTP Response with Cookie
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...
HTTP Injection
"Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker
HTTP/1.1 200 OK
…
<html><head><title>Hacked content</title> …
...
<html><head><title>The real content</title> ...
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
RFC 2616 HTTP/1.1
Ch 4 HTTP Message
HTTP-message = Request | Response ; HTTP/1.1 messages
generic-message = start-line
*(message-header CRLF)
CRLF
[ message-body ]
start-line = Request-Line | Status-Line
message-header = field-name ":" [ field-value ]
field-name = token
field-value = *( field-content | LWS )
field-content = <the OCTETs making up the field-value
and consisting of either *TEXT or combinations
of token, separators, and quoted-string>
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
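The RFC 2616 grammar above turned into a rule for the cookie example, as an added illustration (not code from the talk or from OWASP): an assumed AuthorName domain primitive whose rule is 1 to 64 printable characters, so the CTL octets that field-content excludes, CR and LF among them, can never reach a Set-Cookie header; main contrasts it with the raw String path from the slides.

```java
import java.util.Arrays;
import java.util.List;

/** Domain primitive for the "author" value that ends up in a Set-Cookie header. */
public final class AuthorName {

    /** Assumed business rule: 1 to 64 characters, printable only. */
    private static final int MAX_LENGTH = 64;

    private final String value;

    public AuthorName(final String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("author name must be 1-" + MAX_LENGTH + " characters");
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            // RFC 2616 field-content is built from TEXT, which excludes CTLs (octets 0-31 and 127).
            // CR and LF are the ones that would start a new header line or a second response.
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(
                        "control character 0x" + Integer.toHexString(c) + " at index " + i);
            }
        }
        this.value = candidate;
    }

    public String value() {
        return value;
    }

    /** The response head the servlet code in the slides produces, assembled from a typed value only. */
    public static List<String> responseHead(final AuthorName author) {
        return Arrays.asList(
                "HTTP/1.1 200 OK",
                "Set-Cookie: author=" + author.value());
    }

    /** Number of status lines in a raw response head; a well-formed response has exactly one. */
    public static long statusLines(final String rawHead) {
        return Arrays.stream(rawHead.split("\r\n")).filter(l -> l.startsWith("HTTP/1.1 ")).count();
    }

    public static boolean rejects(final String candidate) {
        try {
            new AuthorName(candidate);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(final String[] args) {
        // Constructed inputs, taken from the slides
        String legit = "Jane Smith";
        String splitting = "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...";

        // Untyped String path: the head now carries two status lines, i.e. two responses
        String rawHead = String.join("\r\n", "HTTP/1.1 200 OK", "Set-Cookie: author=" + splitting);
        if (statusLines(rawHead) != 2) {
            throw new AssertionError("expected the split head to show two status lines");
        }

        // Domain primitive path: the splitting value never becomes an AuthorName
        if (!rejects(splitting)) {
            throw new AssertionError("CR/LF must be rejected");
        }
        if (rejects(legit)) {
            throw new AssertionError("a plain name must be accepted");
        }
        List<String> head = responseHead(new AuthorName(legit));
        if (!head.get(1).equals("Set-Cookie: author=Jane Smith")) {
            throw new AssertionError(head);
        }
        System.out.println(String.join("\r\n", head));
    }
}
```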
Attacks From A DDD Perspective [quadrant: Simple Domain / Complex Domain against Simple Technical / Complex Technical]
Cross Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”
- OWASP top 10
Cross Site Scripting (XSS)
<div>News flash: <?headline></div>
Aliens <script>alert(’42’)</script>invade Earth!
<div>Latest news: Aliens <script>alert(’42’)</script>invade Earth!</div>
Domain Perspective [diagram: Text → Text → Text]
Domain Perspective [diagram: Text → Text → Text → Code]
Fix the Broken Mapping [diagram: <script> (Text) mapped to <script> (Code) is the broken mapping; the fix maps <script> (Text) to &lt;script&gt; (Code)]
SQL Injection vs XSS [diagrams: Code]
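The broken and fixed Text-to-Code mapping from the headline example, as an added example (not code from the talk): an assumed Headline primitive that deliberately keeps '<' and '>' as legitimate Text (unlike a username), with the fix placed in the rendering step, where Text becomes HTML Code.

```java
/** Headline as Text, and the mapping of that Text into HTML Code. */
public final class NewsFlash {

    /** Domain primitive for the headline. Assumed rule: 1 to 120 characters, no control characters.
     *  Note what is NOT a rule: '<' and '>' are perfectly good headline Text. */
    public static final class Headline {
        private static final int MAX_LENGTH = 120;
        private final String text;

        public Headline(final String candidate) {
            if (candidate == null || candidate.isEmpty() || candidate.length() > MAX_LENGTH) {
                throw new IllegalArgumentException("headline must be 1-" + MAX_LENGTH + " characters");
            }
            for (char c : candidate.toCharArray()) {
                if (c < 0x20 || c == 0x7f) {
                    throw new IllegalArgumentException("control character in headline");
                }
            }
            this.text = candidate;
        }

        public String text() {
            return text;
        }
    }

    /** The Text -> Code mapping: every character with meaning in HTML element content is encoded. */
    public static String htmlEncode(final String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Broken mapping from the slides: Text dropped straight into Code. */
    public static String renderBroken(final Headline h) {
        return "<div>News flash: " + h.text() + "</div>";
    }

    /** Fixed mapping: the headline is the same Text; only its Code representation changes. */
    public static String render(final Headline h) {
        return "<div>News flash: " + htmlEncode(h.text()) + "</div>";
    }

    public static void main(final String[] args) {
        // Constructed input, taken from the slides
        Headline h = new Headline("Aliens <script>alert('42')</script>invade Earth!");

        String expected = "<div>News flash: Aliens &lt;script&gt;alert(&#39;42&#39;)&lt;/script&gt;invade Earth!</div>";
        if (!render(h).equals(expected)) {
            throw new AssertionError(render(h));
        }
        if (!renderBroken(h).contains("<script>")) {
            throw new AssertionError("the broken mapping should leak the tag into Code");
        }
        if (render(h).contains("<script>")) {
            throw new AssertionError("the fixed mapping must not contain a script tag");
        }
        System.out.println(render(h));
    }
}
```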
2nd order injection [diagram: Web, Srv, DB, Log, Log, Adm]
Protecting Sensitive Data
// assumed: notNull is Apache Commons Lang's Validate.notNull, which returns its argument or throws
import static org.apache.commons.lang3.Validate.notNull;

import java.util.concurrent.atomic.AtomicReference;

public final class SensitiveValue {
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        this.value = new AtomicReference<>(validated(value));
    }

    private static String validated(final String value) {
        //Validation of input value
        return value;
    }

    // Read-once: the value is cleared on first access, so a second reader gets an error, not the secret
    public String value() {
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    // Never reveal the value in logs or debug output
    @Override
    public String toString() {
        return "SensitiveValue value = *****";
    }
}
Protecting Sensitive Data
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;

public final class SensitiveValue implements Externalizable {
    …

    // No equality by value: two secrets must not be comparable, nor usable as map keys
    @Override
    public boolean equals(final Object o) {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public int hashCode() {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    // No serialization: the value must not be written to disk, the wire or a session store
    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public void readExternal(final ObjectInput in) throws IOException, ClassNotFoundException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }
}
Attacks From A DDD Perspective [quadrant: Simple Domain / Complex Domain against Simple Technical / Complex Technical]
Complex Domain Attack [diagram: Order with -1 reaching Finance, Storage and Shipping, each showing -1]
Splitting the Monolith [diagram: Payment, Policy, Payment]
Splitting the Monolith [diagram: Payment, Policy, InsurancePurchase]
Making a change with surgical precision [diagram: Payment, Policy, Payment; Confirm, Reject, Giro Bounce, Giro Confirm; Purchase, Bank, Insurance]
What we would have done [diagram: Payment, Policy, Cash Payment, Giro Payment; Confirm, Reject, Giro Bounce, Giro Confirm; Purchase, Bank, Insurance]
Micro-Service Hell
• We’re moving towards more and more micro-services
• Implemented by separate teams
• How do we guarantee correct context mappings?
Key Take Aways
• Define each domain crafted for its purpose
• Don’t be generic, be specific
• Treat injection flaws as a modelling problem
• Define your domain primitives
• Draw your context maps
Q & A
[Questions]
Thanks
@danbjson, @DanielDeogun
Image References
• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/
• [Cat - https://flic.kr/p/5paD1a] by mao_lini under license https://creativecommons.org/licenses/by/2.0/

Domain Driven Security @DevoxxMA

  • 1. #DevoxxMA @DevoxxMA Fighting Security Trolls with High-Quality Mindsets? -Your business is under attack, Domain Driven Security to the rescue @danbjson, @DanielDeogun Omegapoint
  • 3. Key Takeaways
      • Define each domain crafted for its purpose
      • Don't be generic, be specific
      • Treat injection flaws as a modelling problem
      • Define your domain primitives
      • Draw your context maps
  • 4. Attacks From A DDD Perspective (quadrant: Simple Technical / Complex Technical against Simple Domain / Complex Domain)
  • 6. Analysis (diagram: -1 typed as Integer versus -1 typed as Quantity; OrderLine {ISBN, Quantity})
  • 7. Quantity made explicit - a good start

      public final class Quantity {
          public final int value;

          public Quantity(final int value) {
              // isTrue is assumed to be a static import of org.apache.commons.lang3.Validate.isTrue
              isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
              this.value = value;
          }
      }
  • 8. Ubiquitous Domain Primitives
      • Library of domain primitives
      • Consolidates business rules
      • Raises the floor

      void buyBook(String, int) -> buyBook(ISBN, Quantity)
  • 9. String -> EmailAddress
      • RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
      • !#$%&'*+-/=?^_`{|}~@omegapoint.se
      • "Åsa Sjölander"@omegapoint.se
      • Regexp: … (6424 chars)
  • 10. You define Your domain
      • Bounded Context - bounded by what you need
      • Strength not by "how wide" but by "how specific"
      • Start simple
      • Let it grow
  • 11. Tests & Evil Tests
      • TDD usually creates tests that open up functionality
      • Evil tests are tests that close down functionality [Cat]
  • 12. Evil Test to Verify Boundaries

      import org.junit.Rule;
      import org.junit.experimental.theories.DataPoints;
      import org.junit.experimental.theories.Theories;
      import org.junit.experimental.theories.Theory;
      import org.junit.rules.ExpectedException;
      import org.junit.runner.RunWith;

      @RunWith(Theories.class)
      public class ValueObjectTest {
          private interface IllegalValue { String value(); }

          // Evil inputs: every one of these must be rejected by the ValueObject constructor
          @DataPoints
          public static IllegalValue[] input() {
              return new IllegalValue[]{
                  () -> null, () -> "", () -> " ", () -> "A", () -> "AA", () -> " AA ",
                  () -> "1234567890",
                  () -> "<script>alert('42')</script>",
                  () -> "' or '1'='1 --"
              };
          }

          @Rule
          public ExpectedException exception = ExpectedException.none();

          @Theory
          public void should_be_illegal(final IllegalValue illegal) {
              exception.expect(ValidationException.class);
              new ValueObject(illegal.value());
          }
      }
  • 13. Attacks From A DDD Perspective (quadrant: Simple Technical / Complex Technical against Simple Domain / Complex Domain)
  • 14. Injection Flaw “Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.” - OWASP top 10
  • 15. The Classics - Dynamic SQL String

      SELECT … FROM Users WHERE username = '<?username>' AND password = '<?password>'

    With username "danbj" and password "catsarecute":

      SELECT … FROM Users WHERE username = 'danbj' AND password = 'catsarecute'

    Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
  • 16. SQL Injection

      SELECT … FROM Users WHERE username = '<?username>' AND password = '<?password>'

    With username "evilhaxxOr" and password "'OR 1=1 --":

      SELECT … FROM Users WHERE username = 'evilhaxxOr' AND password = ''OR 1=1 --'

    With username "'OR 1=1 --":

      SELECT … FROM Users
       WHERE username = ''OR 1=1 --'
       AND password = 'doesnotmatteranymore'

    Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
  • 17. What's the problem? And the solution?
      • 'OR 1=1 -- is not a valid username
      • This is implicit in the code
      • Needs to be made explicit
      • Write evil tests
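One way to make that rule explicit, as an added example that is not from the slides: a Username domain primitive bounded by what the business needs (slide 10), used by a repository that accepts only the primitive and still parameterises the query. The class names, the allowed-character rule and the table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.regex.Pattern;
// Added example (not from the slides). Username is bounded by what the business
// needs, not by what SQL accepts: "'OR 1=1 --" is simply not a valid username.
public final class Username {
    // Assumed business rule: 3-32 ASCII letters, digits, dot, underscore or hyphen.
    private static final Pattern VALID = Pattern.compile("[A-Za-z0-9._-]{3,32}");
    public final String value;

    public Username(final String value) {
        if (!isValid(value)) {
            throw new IllegalArgumentException("Not a valid username");
        }
        this.value = value;
    }

    public static boolean isValid(final String candidate) {
        return candidate != null && VALID.matcher(candidate).matches();
    }

    public static void main(final String[] args) {
        // Evil inputs from the slides, constructed here; every one must be rejected.
        for (String evil : new String[]{"'OR 1=1 --", "<script>alert('42')</script>", "", " AA "}) {
            if (isValid(evil)) throw new AssertionError("accepted: " + evil);
        }
        if (!isValid("danbj")) throw new AssertionError("rejected a valid username");
    }
}
// Only the primitive reaches the query, and the PreparedStatement keeps data and SQL
// apart even if the rule above is loosened later. Table and column names are assumed.
final class UserRepository {
    private final Connection connection;

    UserRepository(final Connection connection) { this.connection = connection; }

    Optional<String> findDisplayName(final Username username) throws SQLException {
        try (PreparedStatement stmt = connection.prepareStatement(
                "SELECT display_name FROM Users WHERE username = ?")) {
            stmt.setString(1, username.value);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString(1)) : Optional.empty();
            }
        }
    }
}
```

The evil inputs in main() are the same ones the ValueObjectTest on slide 12 uses, so the same test style applies to Username.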
  • 18. What is well modelled in SQL? “Connection, Statement, and ResultSet are different things. SQL, where-clause, literal, and condition are just a bunch of strings.” - JDBC specification
  • 19. HTTP Response with Cookie [https://www.owasp.org/index.php/HTTP_Response_Splitting]

      String author = … /* request, database, user setting … */
      ...
      Cookie cookie = new Cookie("author", author);
      cookie.setMaxAge(cookieExpiration);
      response.addCookie(cookie);

    Resulting response:

      HTTP/1.1 200 OK
      ...
      Set-Cookie: author=Jane Smith
      …
      <html><head><title>The real content</title> ...
  • 20. HTTP Injection

    With author = "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...":

      HTTP/1.1 200 OK
      ...
      Set-Cookie: author=Wiley Hacker
      HTTP/1.1 200 OK
      …
      <html><head><title>Hacked content</title> …
      ...
      <html><head><title>The real content</title> ...

    [https://www.owasp.org/index.php/HTTP_Response_Splitting]
  • 21. RFC 2616 HTTP/1.1 Ch 4 HTTP Message

      HTTP-message    = Request | Response     ; HTTP/1.1 messages
      generic-message = start-line
                        *(message-header CRLF)
                        CRLF
                        [ message-body ]
      start-line      = Request-Line | Status-Line
      message-header  = field-name ":" [ field-value ]
      field-name      = token
      field-value     = *( field-content | LWS )
      field-content   = <the OCTETs making up the field-value
                         and consisting of either *TEXT or combinations
                         of token, separators, and quoted-string>

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
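As an added example (not from the slides), a HeaderValue domain primitive that encodes the field-content rule above (TEXT is any OCTET except CTLs, LWS allowed), so a value carrying CR or LF is rejected before it ever reaches Set-Cookie. The class name and the servlet usage shown in the comment are assumptions.

```java
// Added example (not from the slides): a domain primitive for an HTTP header
// field-value, modelled on RFC 2616 field-content rather than on java.lang.String.
public final class HeaderValue {
    public final String value;

    public HeaderValue(final String value) {
        if (!isFieldContent(value)) {
            throw new IllegalArgumentException("Not a valid HTTP header field-value");
        }
        this.value = value;
    }

    // Accepts what field-content allows: printable octets plus SP and HTAB (LWS).
    // Rejects every other CTL (0x00-0x1F, 0x7F), which covers CR and LF, so the
    // value can never terminate the header or start a second response.
    public static boolean isFieldContent(final String candidate) {
        if (candidate == null) return false;
        for (int i = 0; i < candidate.length(); i++) {
            final char c = candidate.charAt(i);
            final boolean ctl = c < 0x20 || c == 0x7F;
            if (ctl && c != ' ' && c != '\t') return false;
        }
        return true;
    }

    public static void main(final String[] args) {
        // Constructed inputs: the legitimate author from slide 19 and the split attempt from slide 20.
        final String author = "Jane Smith";
        final String split = "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...";
        if (!isFieldContent(author)) throw new AssertionError("rejected a valid value");
        if (isFieldContent(split)) throw new AssertionError("accepted CRLF in a header value");
        // With the primitive in place, the servlet code from slide 19 becomes:
        //   Cookie cookie = new Cookie("author", new HeaderValue(author).value);
    }
}
```

Cookie values have a stricter grammar of their own (RFC 6265), so a CookieValue primitive for the author field would be narrower still; the point here is that the rule lives in a type, not in the servlet.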
  • 22. Attacks From A DDD Perspective (quadrant: Simple Technical / Complex Technical against Simple Domain / Complex Domain)
  • 23. Cross Site Scripting (XSS) “XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.” - OWASP top 10
  • 24. Cross Site Scripting (XSS)

      <div>News flash: <?headline></div>

    With headline "Aliens <script>alert('42')</script>invade Earth!":

      <div>Latest news: Aliens <script>alert('42')</script>invade Earth!</div>
  • 27. Fix the Broken Mapping (diagram: the Text "<script>" must map to the Code "&lt;script&gt;", not to the Code "<script>")
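Added example, not from the slides: a Headline type that keeps text and code apart, with the text-to-code mapping done in one explicit place, toHtml(). The class name, the length rule and the method name are assumptions.

```java
// Added example (not from the slides). Headline holds untrusted text; the only way
// to get markup out of it is toHtml(), which always applies the Text -> Code mapping.
public final class Headline {
    private final String text;

    public Headline(final String text) {
        // Assumed business rule: a headline is 1-200 characters of text.
        if (text == null || text.isEmpty() || text.length() > 200) {
            throw new IllegalArgumentException("Headline must be 1-200 characters");
        }
        this.text = text;
    }

    // Text -> Code for HTML element content: the five characters that can change
    // HTML structure are encoded, so "<script>" in text becomes "&lt;script&gt;" in code.
    public String toHtml() {
        final StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            final char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(final String[] args) {
        // The payload from slide 24, constructed here as input.
        final Headline h = new Headline("Aliens <script>alert('42')</script>invade Earth!");
        final String div = "<div>Latest news: " + h.toHtml() + "</div>";
        if (div.contains("<script>")) throw new AssertionError("text leaked into code");
        System.out.println(div);
    }
}
```

This mapping is for HTML element content, as on the slide; attribute values and script blocks are different "code" and need their own mappings.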
  • 31. Protecting Sensitive Data

      import java.util.concurrent.atomic.AtomicReference;

      public final class SensitiveValue {
          private final AtomicReference<String> value;

          public SensitiveValue(final String value) {
              this.value = new AtomicReference<>(validated(value));
          }

          private static String validated(final String value) {
              //Validation of input value
              return value;
          }

          // Read-once: the value is cleared on first access, so it cannot be read again later.
          // notNull is assumed to be a static import of org.apache.commons.lang3.Validate.notNull
          public String value() {
              return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
          }

          @Override
          public String toString() {
              return "SensitiveValue value = *****";
          }
      }
  • 32. Protecting Sensitive Data

      public final class SensitiveValue implements Externalizable {
          …
          @Override
          public boolean equals(final Object o) {
              throw new UnsupportedOperationException("Not allowed on sensitive value");
          }

          @Override
          public int hashCode() {
              throw new UnsupportedOperationException("Not allowed on sensitive value");
          }

          @Override
          public void writeExternal(final ObjectOutput out) throws IOException {
              throw new UnsupportedOperationException("Not allowed on sensitive value");
          }

          @Override
          public void readExternal(final ObjectInput in) throws IOException, ClassNotFoundException {
              throw new UnsupportedOperationException("Not allowed on sensitive value");
          }
      }
  • 33. Attacks From A DDD Perspective (quadrant: Simple Technical / Complex Technical against Simple Domain / Complex Domain)
  • 34. Complex Domain Attack (diagram: the contexts Order, Finance, Storage and Shipping, with the -1 passed along from one to the next)
  • 37. Making a change with surgical precision (context map: Purchase, Payment Policy, Payment, Confirm, Reject, Giro Confirm, Giro Bounce, Bank, Insurance)
  • 38. What we would have done (context map: Purchase, Payment Policy, Payment, Cash Payment, Giro Payment, Confirm, Reject, Giro Confirm, Giro Bounce, Bank, Insurance)
  • 39. Micro-Service Hell
      • We're moving towards more and more micro-services
      • Implemented by separate teams
      • How do we guarantee correct context mappings?
  • 40. Key Takeaways
      • Define each domain crafted for its purpose
      • Don't be generic, be specific
      • Treat injection flaws as a modelling problem
      • Define your domain primitives
      • Draw your context maps
  • 43. Image References
      • [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
      • [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/
      • [Cat - https://flic.kr/p/5paD1a] by mao_lini under license https://creativecommons.org/licenses/by/2.0/