Cyber Security and Open Source
Managing Expectations, Reducing Fears and Understanding Reality
Chad Cravens
Open Source Systems
www.ossys.com
About The Speaker
Open Source Systems – www.ossys.com
2007 - Graduate of New Mexico Institute of Mining and Technology
(Scholarship for Service Recipient)
2007 – 2011 Federal Employee at SPAWAR
(Space and Naval Warfare Systems Center)
2012 – Software Engineer at Small Wall St Firm
2014 – Founded Open Source Systems
Chad Cravens
Charleston, SC
Software Fanatic
Stickler for Software Quality and Security!
What Is Cyber Security?
The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
- Confidentiality
- Availability
- Integrity
Life in the day of a Program Manager
Walk a day in her shoes…
People
Personalities
Customers
Burn Rates
Teams
Processes
Budgets
Implementation
Integration
Hiring
Stakeholders
Deadlines
Vendors
Technology
What is the Issue with Open Source?
Who’s afraid of the Boogey Man?
False
Expectations
Appearing
Real
What is this “Open Source” thing?
-- A FEAR of the unknown --
Let’s Use this Open Source Tool!
Billy Bob from dev team 6 suggests we use this open source product.
What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?
We are your Super-Vendor!
Mr. Big-Name Vendor in a suit says we should use their product instead.
What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?
YES YES YES YES YES
Turn FEAR into Knowledge
The Right Tool for the Right Job
First, What are the threats?
• Zero-day Exploits
• Web-Based Attacks
• Ransomware
• Social Media Scams
• Phishing
• Internet of Things
• Mobile Attacks
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
Second, Debunk the Myths
First thing, “Open Source” is BIG:
Operating Systems
Enterprise Libraries
Message Brokering
Encryption
Embedded Systems
Programming Languages
Front-End Development
MVC Frameworks
Network Devices
Mobile
“Big Guys” Going Open Source
Tesla released all patents as open source
Netflix custom software released as open source
.NET Core is now open source
Oracle acquired Sun, giving it Java and MySQL
Open Source in the Government
http://www.data.gov/
https://government.github.com/community/
http://mil-oss.org/
http://code.nasa.gov/
April 2009 White House Report
Debunking Myths
“Open Source is Insecure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software
“Open Source is More Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project
Debunking Myths
“Anyone Can Contribute Malicious Code”
Reality:
- Projects have a core team of contributors
- Additions to the code are analyzed before being merged
“Hackers Can More Easily Exploit”
Reality:
- Tools allow tracing of binaries; the exploit is in the binary, not the source code
- Hackers do not need source code to exploit
Exploit Example!
Human Ingenuity Knows No Bounds
JavaScript in a background CSS attribute in a <div> tag:
<div style="background:url('javascript:alert(1)')">
The MySpace Worm – Samy Is My Hero
Putting JavaScript in an expr attribute:
<div id="mycode" expr="alert('hah!')"
style="background:url('javascript:eval(document.all.mycode.expr)')">
Using newlines to bypass filtering of “javascript”:
<div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">
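The newline trick above defeats a filter that looks for the literal word "javascript". The added example below (written for this deck, not MySpace's or the speaker's code) runs constructed style-attribute values modelled on the slide's payloads through such a blocklist check and then through a normalize-then-allowlist check, showing which payloads each one lets through.

```python
import html
import re

# Constructed sample style-attribute values modelled on the slide's payloads;
# the "tab" and "entity" variants are added here to show the same weakness.
SAMPLES = {
    "plain":   "background:url('javascript:alert(1)')",
    "newline": "background:url('java\nscript:eval(document.all.mycode.expr)')",
    "tab":     "background:url('java\tscript:alert(1)')",
    "entity":  "background:url('java&#10;script:alert(1)')",
    "benign":  "background:url('https://example.com/bg.png')",
}


def naive_filter(style: str) -> bool:
    """Blocklist check as described on the slide: reject if the literal
    word 'javascript' appears.  Returns True when the value is ACCEPTED."""
    return "javascript" not in style.lower()


def normalize(style: str) -> str:
    """Decode HTML entities, then strip whitespace and control characters,
    so 'java\\nscript' and 'java&#10;script' both collapse to 'javascript'."""
    decoded = html.unescape(style)
    return re.sub(r"[\s\x00-\x1f]", "", decoded).lower()


# Captures the target of each url(...) in a normalized value.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]*)")


def strict_filter(style: str) -> bool:
    """Allowlist check: every url() target must use http or https.
    Anything else (javascript:, data:, vbscript:, ...) is rejected."""
    for target in URL_RE.findall(normalize(style)):
        if not target.startswith(("http://", "https://")):
            return False
    return True


def evaluate() -> dict:
    """Map each sample name to (accepted_by_naive, accepted_by_strict)."""
    return {name: (naive_filter(v), strict_filter(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:8s} naive={verdict[0]!s:5s} strict={verdict[1]}")
```

Only the plain payload is caught by the blocklist; the three obfuscated variants pass it and are stopped only once the value is normalized and checked against an allowlist of schemes.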
Security is About Management
Program Defensively!
1. Injection Flaws
2. Broken Authentication / Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Vulnerabilities
10. Unvalidated Redirects and Forwards
Security is About Knowledge
Security is About Processes
Embrace Agile!
What Agile Is Not:
• A Buzzword for Companies
• A Fad
• A JIRA Account
What Agile Is:
• A Suite of Processes, Methodologies and Tools
• Testing
• Metrics
• Automation
Use Open Source Effectively
Use ORM tools to help mitigate SQL injection
Use unit testing to build test suites against your code
Use Jenkins for testing and build automation
Use SonarQube for code quality testing (PMD / FindBugs)
Use Open Source Effectively
Use OWASP ZAP to dynamically scan web-based software
Use PicketLink for XACML policy enforcement
Use OpenSSL for cryptographic functions
Use AspectJ for logging and configuration management
Use Open Security Standards
Use Mature Open Source Projects
Roots in Open Source
Cyber Security has roots in Open Source
Open Source Cyber Lab
Thank you!