SlideShare a Scribd company logo

Secure Coding principles by example: Build Security In from the start - Carlo Bonamico - Codemotion Tech Meetup Tour 2015 - Genova

Codemotion
Codemotion

Secure Coding principles by example: Build Security In from the start by Carlo Bonamico presented in Genova during Codemotion Tech Meetup Tour 2015

Software
1 of 54
Download to read offline
@carlobonamico@codemotionit Secure Coding principles by example: Build Security In from the start Carlo Bonamico @carlobonamico carlo.bonamico@nispro.it http://www.nispro.it Genova, 29/10/2015 http://juggenova.wordpress.com
@carlobonamico@codemotionit Evolution of Application Security When I taught my first Web Application Security training – most participants had never heard of SQL Injection and XSS Thanks to many industry and community players (especially OWASP), – not to mention many high-profile incidents, things have started to change... Application Security Ensuring Application guarantees •Confidentiality •Integrity •Availability •Accountability of the Information it processes
@carlobonamico@codemotionit Are we doing better? It's 2015... we were promised flying cars... and what we got is... See also – http://www.cvedetails.com/vulnerabilities-by-types.php – https://www.whitehatsec.com/resource/stats.html
@carlobonamico@codemotionit Top Ten Web Application Risks – A1-Injection – A2-Broken Authentication and Session Management – A3-Cross-Site Scripting (XSS) – A4-Insecure Direct Object References – A5-Security Misconfiguration – A6-Sensitive Data Exposure – A7-Missing Function Level Access Control – A8-Cross-Site Request Forgery (CSRF) – A9-Using Components with Known Vulnerabilities – A10-Unvalidated Redirects and Forwards Can we avoid them just by end-of-project Test and Patches?
@carlobonamico@codemotionit First problem Spiderman's Uncle Ben version: With great power comes great responsibility... The Web Application Security version: With great power come more holes and greater risks! – increased Surface of Attack  Websockets, storage, apis... – https://html5sec.org/ – http://html5security.org/ – and once you penetrate the browser, you can do basically everything  and I mean it: calling APIs, install keyloggers, redirect user behaviour, capture private data –http://xenotix.in/  “most attack were already possible... but they are more powerful now” http://w3af.org/understanding-html5-security
@carlobonamico@codemotionit Second problem We are undergoing a wide architectural shift from To So many security assumptions do not hold true anymore! ServerPOST params HTML Browser Form-based input HTML rendering HTML templating Controllers, Interaction Logic Business Logic Server POST JSON JSON Browser HTML rendering HTML templating Business Logic Interaction Logic REST endpoints
@carlobonamico@codemotionit The cost of fixing a security bug ● Increases exponentially – With time – With project complexity – With intergation phases – With project advancement • Analysis-test-production
@carlobonamico@codemotionit So... We need to care about Security from the beginning of the project – During Analysis – During Architecture & Design – During Implementation – and obvioulsy final testing Making system secure is easy and almost effortless if you do it right from the beginning – much more expensive to add Security later – often just so expensive that we do not do it
@carlobonamico@codemotionit Secure Coding Principles Follow the principles of secure coding during Design and Implementation – and also deployment – Do not trust inputs – Minimize attack surface area (and window of opportunity) – Establish secure defaults – Principle of Least privilege – Principle of Defense in depth – Fail securely – Don’t trust services – Separation of duties (vs configuration) – Avoid security by obscurity – Keep security simple – Fix security issues correctly – If you can't protect, detect – Get your users involved
@carlobonamico@codemotionit Do not trust inputs Would you execute to the letter all inputs that the world sends to you?
@carlobonamico@codemotionit Do not trust inputs Any external input may carry an attack vector Identify all external inputs Filter and/or validate accordingly Do not use unvalidated external input – to perform security-sensitive operations – ideally, to perform any operation
@carlobonamico@codemotionit A3 - XSS Cross-Site-Scripting means that attacker can insert custom js code which is then displayed in the user browser – stored (input js in a field → DB → sent back to the page) – reflected (input js in the url, send the url to a user, js executed) – DOM-based (input triggers js logic that manipulates the DOM and insert custom js) Remember: any external input is UNTRUSTED! – so we must avoid mixing user input with js code The proper solution is ESCAPING: encoding the data so that the browser properly interprets it as plain text (and not js) – https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
@carlobonamico@codemotionit Remember Most vulnerabilities are not so serious by themselves – but became terrible if mixed  think Pepsi + Mentos XSS is an enabler for – phishing – browser-based MITM – session / auth token stealing – sensitive data extraction – img courtesy of http://www.delawaretoday.com/
@carlobonamico@codemotionit Minimize attack surface area
@carlobonamico@codemotionit Minimize attack surface area Surface Area – the less exposed entry points, the better – it is easier to protect a build with less doors and windows So, avoid unnecessary features, pages, inputs, libraries, instsalled components, etc.
@carlobonamico@codemotionit Minimize window of opportunity
@carlobonamico@codemotionit Technical definition Window of Opportunity – if there is a vulnerability, the time frame in which it can be exploited should be as short as possible – if I forget my door open, the longer I leave it open the riskier it is E.g. time validity of a reset password link
@carlobonamico@codemotionit Token Storage vs Session Duration In memory or sessionStorage – works only on current tab – automatically closed In localStorage – persistent – work across multiple tabs – requires explicit expiration https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs- html5-web-storage/
@carlobonamico@codemotionit Establish secure defaults
@carlobonamico@codemotionit Establish secure defaults The system should be secure by default Users / installers should deliberatedly need to make specific features more open if needed
@carlobonamico@codemotionit Secure defaults - examples A single MITM (Man in the Middle) and your “done” – as the attacker can put arbitrary code in your browser – so,  https://www.eff.org/Https-everywhere Be careful with CORS – Avoid Allow­Origin “*” unless you have very strong authentication and authorization Remember to tell the browser to enable stronger protection – typically through headers such as CSP – https://www.owasp.org/index.php/List_of_useful_HTTP_headers
@carlobonamico@codemotionit Positive model A "positive" security model (also known as "whitelist") is one that defines what is allowed, and rejects everything else. This should be contrasted with a "negative" (or "blacklist") security model, which defines what is disallowed, while implicitly allowing everything else. The benefit of using a positive model is that new attacks, not anticipated by the developer, will be prevented. However, the negative model can be quite tempting when you're trying to prevent an attack on your site.
@carlobonamico@codemotionit Principle of Least privilege
@carlobonamico@codemotionit Principle of Least privilege Any tool/component/library/process should run with the minimal privileges required to perform its function – ideally, gain more privileged access only for the short time it is actually required Important for damage control This includes – OS user – db access credentials – web service access credentials – security policies (e.g. JVM or browser policies)
@carlobonamico@codemotionit Principle of Defense in depth
@carlobonamico@codemotionit Principle of Defense in depth Relying only on the system being disconnected from a larger network, or on a perimeter-level check is not enough Have different layers of protection – e.g. UI / logic / DB
@carlobonamico@codemotionit Fail securely
@carlobonamico@codemotionit Fail securely Errors should always be managed – to limit unpredicatable behaviour Errors should not lead to access – default should be deny access Errors should not leak information – “could not connect to db X on server Y with user T and password Z” – stack traces Split information useful for the developer from information useful for the user
@carlobonamico@codemotionit Don’t trust services
@carlobonamico@codemotionit Don’t trust services If you do not manage it, it might already be compromised If you store sensitive information in external services – don't do it – and if you need, encrypt it
@carlobonamico@codemotionit Separation of duties
@carlobonamico@codemotionit The good side In our consulting/project/problem solving experience, the single biggest cause of – quality – performance – security problems is....
@carlobonamico@codemotionit The good side In our consulting/project/problem solving experience, the single biggest cause of – quality – performance – security problems is.... the mixing & coupling of UI and business logic
@carlobonamico@codemotionit Separation of duties Leverage good OO Design principles – DRY – separation of concerns – modularity Separate configuration from business logic
@carlobonamico@codemotionit Avoid security by obscurity
@carlobonamico@codemotionit Avoid security by obscurity Security should rely on specific keys/secrets/credentials not being known, not on the algorithm being unknown – split a smaller secret from the rest of the system – Kerchoff principle Techniques for reverse engineering are very powerful now – Java is very easy to decompile If it is obscure, maybe it has not been reviewed enough
@carlobonamico@codemotionit Keep security simple
@carlobonamico@codemotionit Keep security simple The less “moving parts”, the easier it is to check that everything is correct
@carlobonamico@codemotionit Fix security issues correctly
@carlobonamico@codemotionit Fix security issues correctly Beware of the “quick patch” – often leads to further bugs later on Five Whys – why was this problem here? – how to fix it – how to prevent it? – what do we need to prevent it? Treat security bugs as airplane crash – post-mortem – take measures
@carlobonamico@codemotionit Question to ask What if the rules change? What if an auditor wants to check if we actually follow the policy?
@carlobonamico@codemotionit Role Based Access Control Separating Role definition from Permission check – In each service / action, code checks that the user has the relevant permission if (subject.hasPermission(“deletePost”)) – Role Definition lists all the permissions  e.g. –Admin   detelePost, updatePost, readPost→ –anonymous   readPost→ Authorization system maps user/groups to list of roles – and computes the “merged” set of permissions active for the valid user  user is both Admin & Editor  Permissions are –changeSettings, deleteUser, addUser, deletePost,  modifyPost 
@carlobonamico@codemotionit Advantages Permission check is – focused, readable – easy to implement – easy to test – rarely changes Role definition is – centralized – easy to review – easy to change – as it tends to change often Secure Design Principle all parts of the system need to perform security checks but security check implementation should be centralized and not “spread” in the system
@carlobonamico@codemotionit If you can't protect, detect
@carlobonamico@codemotionit If you can't protect, detect If you know that an attack / issue is in progress – you can activate remediation measures Log and monitor – critical operations  auth failues, misconfigurations, privileged actions – resource usage Do this securely – do not log credentials and other user sensitive information
@carlobonamico@codemotionit Intrusion detection Detecting intrusions requires three elements: the capability to log security-relevant events procedures to ensure the logs are monitored regularly procedures to properly respond to an intrusion once detected You should log all security relevant information. Detecting intrusions is important because otherwise you give the attacker unlimited time to perfect an attack
@carlobonamico@codemotionit Application Layer Intrusion Detection Really, important! – Arguably one of the most important security mechanisms – Simply not done in the wild ESAPI Intrusion detection Key features – Log Intrusion – Logout User – Disable Account Configurable Thresholds
@carlobonamico@codemotionit Get your users involved If you lose it, call 800-999-666
@carlobonamico@codemotionit Code cannot do everything (at least with finite resources) Give users the info they need to identify and correct security issues themselves – Educate your users – Care about trust – feedback to user about his connection  last login  notify relevant changes and events
@YourTwitterHandle#DVXFR14{session hashtag} @carlobonamico@codemotionit A f nal w ord ... But isn't all that unnecessary complexity slowing down development of my critical project?
@carlobonamico@codemotionit A final word People tend to view Security as “overhead”, not adding value to the project The reality: – if you know what to pay attention to, minimal additional costs – also, in most cases, adding security just means following good design principles if you separate well concerns, adding security is easy – favor clarity of intent and code readability – favor composition over inheritance – test, test, test!  incorporate security checks in your tests This lets software adapt more easily to both requirements & security changes – easier to evolve incrementally & validating each step → see Continuous Delivery
@carlobonamico@codemotionit References
@carlobonamico@codemotionit References Owasp Secure Coding Principles – https://www.owasp.org/index.php/Secure_Coding_Principles OWASP Testing Guide – https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_ of_Contents SOLID Design Principles – http://butunclebob.com/ArticleS.UncleBob.PrinciplesOfOod
@carlobonamico@codemotionit Thank You for your attention Interested? – attend our Web Application Security / Angular trainings – engage us for Design/Code Reviews, Vulnerability Assessments & team mentoring Read more on – http://www.nispro.it – http://www.slideshare.net/carlo.bonamico Follow us on twitter – @nis_srl @carlobonamico  updates on Security, AngularJS, Continuous Delivery Contact me – carlo.bonamico@gmail.com / carlo.bonamico@nispro.it

Recommended

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 

Recommended

Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding PracticesThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application Carlo Bonamico
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
 

More Related Content

What's hot

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 

What's hot (20)

OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Application Security
Application SecurityApplication Security
Application Security
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Secure code
Secure codeSecure code
Secure code
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
Application Security
Application SecurityApplication Security
Application Security
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 

Similar to Secure Coding principles by example: Build Security In from the start - Carlo Bonamico - Codemotion Tech Meetup Tour 2015 - Genova

AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application Carlo Bonamico
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraCarlo Bonamico
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedJoe McCray
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysisCarlo Dapino
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfCecilSu
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Krzysztof Kotowicz
 
Protection and Verification of Security Design Flaws
Protection and Verification of Security Design FlawsProtection and Verification of Security Design Flaws
Protection and Verification of Security Design FlawsHdiv Security
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Application Security - Myth or Fact Slides
Application Security - Myth or Fact SlidesApplication Security - Myth or Fact Slides
Application Security - Myth or Fact Slidesdfgrumpy
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 

Similar to Secure Coding principles by example: Build Security In from the start - Carlo Bonamico - Codemotion Tech Meetup Tour 2015 - Genova (20)

AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application AngularJS Security: defend your Single Page Application
AngularJS Security: defend your Single Page Application
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
 
Toronto mule meetup #5
Toronto mule meetup #5Toronto mule meetup #5
Toronto mule meetup #5
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdf
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
 
Protection and Verification of Security Design Flaws
Protection and Verification of Security Design FlawsProtection and Verification of Security Design Flaws
Protection and Verification of Security Design Flaws
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
Application Security - Myth or Fact Slides
Application Security - Myth or Fact SlidesApplication Security - Myth or Fact Slides
Application Security - Myth or Fact Slides
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 

More from Codemotion

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Codemotion
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyCodemotion
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaCodemotion
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserCodemotion
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Codemotion
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Codemotion
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Codemotion
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Codemotion
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Codemotion
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Codemotion
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Codemotion
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Codemotion
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Codemotion
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Codemotion
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...Codemotion
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Codemotion
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Codemotion
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Codemotion
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Codemotion
 

More from Codemotion (20)

Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
Fuzz-testing: A hacker's approach to making your code more secure | Pascal Ze...
 
Pompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending storyPompili - From hero to_zero: The FatalNoise neverending story
Pompili - From hero to_zero: The FatalNoise neverending story
 
Pastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storiaPastore - Commodore 65 - La storia
Pastore - Commodore 65 - La storia
 
Pennisi - Essere Richard Altwasser
Pennisi - Essere Richard AltwasserPennisi - Essere Richard Altwasser
Pennisi - Essere Richard Altwasser
 
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
Michel Schudel - Let's build a blockchain... in 40 minutes! - Codemotion Amst...
 
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
Richard Süselbeck - Building your own ride share app - Codemotion Amsterdam 2019
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
 
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 - Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
Francesco Baldassarri - Deliver Data at Scale - Codemotion Amsterdam 2019 -
 
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
Martin Förtsch, Thomas Endres - Stereoscopic Style Transfer AI - Codemotion A...
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
Angelo van der Sijpt - How well do you know your network stack? - Codemotion ...
 
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
Lars Wolff - Performance Testing for DevOps in the Cloud - Codemotion Amsterd...
 
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
Sascha Wolter - Conversational AI Demystified - Codemotion Amsterdam 2019
 
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
Michele Tonutti - Scaling is caring - Codemotion Amsterdam 2019
 
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
Pat Hermens - From 100 to 1,000+ deployments a day - Codemotion Amsterdam 2019
 
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
James Birnie - Using Many Worlds of Compute Power with Quantum - Codemotion A...
 
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
Don Goodman-Wilson - Chinese food, motor scooters, and open source developmen...
 
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
Pieter Omvlee - The story behind Sketch - Codemotion Amsterdam 2019
 
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
Dave Farley - Taking Back “Software Engineering” - Codemotion Amsterdam 2019
 
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
Joshua Hoffman - Should the CTO be Coding? - Codemotion Amsterdam 2019
 

Recently uploaded

Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 

Recently uploaded (20)

Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 

Secure Coding principles by example: Build Security In from the start - Carlo Bonamico - Codemotion Tech Meetup Tour 2015 - Genova

  • 1. @carlobonamico@codemotionit Secure Coding principles by example: Build Security In from the start Carlo Bonamico @carlobonamico carlo.bonamico@nispro.it http://www.nispro.it Genova, 29/10/2015 http://juggenova.wordpress.com
  • 2. @carlobonamico@codemotionit Evolution of Application Security When I taught my first Web Application Security training – most participants had never heard of SQL Injection and XSS Thanks to many industry and community players (especially OWASP), – not to mention many high-profile incidents, things have started to change... Application Security Ensuring Application guarantees •Confidentiality •Integrity •Availability •Accountability of the Information it processes
  • 3. @carlobonamico@codemotionit Are we doing better? It's 2015... we were promised flying cars... and what we got is... See also – http://www.cvedetails.com/vulnerabilities-by-types.php – https://www.whitehatsec.com/resource/stats.html
  • 4. @carlobonamico@codemotionit Top Ten Web Application Risks – A1-Injection – A2-Broken Authentication and Session Management – A3-Cross-Site Scripting (XSS) – A4-Insecure Direct Object References – A5-Security Misconfiguration – A6-Sensitive Data Exposure – A7-Missing Function Level Access Control – A8-Cross-Site Request Forgery (CSRF) – A9-Using Components with Known Vulnerabilities – A10-Unvalidated Redirects and Forwards Can we avoid them just by end-of-project Test and Patches?
  • 5. @carlobonamico@codemotionit First problem Spiderman's Uncle Ben version: With great power comes great responsibility... The Web Application Security version: With great power come more holes and greater risks! – increased Surface of Attack  Websockets, storage, apis... – https://html5sec.org/ – http://html5security.org/ – and once you penetrate the browser, you can do basically everything  and I mean it: calling APIs, install keyloggers, redirect user behaviour, capture private data –http://xenotix.in/  “most attack were already possible... but they are more powerful now” http://w3af.org/understanding-html5-security
  • 6. @carlobonamico@codemotionit Second problem We are undergoing a wide architectural shift from To So many security assumptions do not hold true anymore! ServerPOST params HTML Browser Form-based input HTML rendering HTML templating Controllers, Interaction Logic Business Logic Server POST JSON JSON Browser HTML rendering HTML templating Business Logic Interaction Logic REST endpoints
  • 7. @carlobonamico@codemotionit The cost of fixing a security bug ● Increases exponentially – With time – With project complexity – With intergation phases – With project advancement • Analysis-test-production
  • 8. @carlobonamico@codemotionit So... We need to care about Security from the beginning of the project – During Analysis – During Architecture & Design – During Implementation – and obvioulsy final testing Making system secure is easy and almost effortless if you do it right from the beginning – much more expensive to add Security later – often just so expensive that we do not do it
  • 9. @carlobonamico@codemotionit Secure Coding Principles Follow the principles of secure coding during Design and Implementation – and also deployment – Do not trust inputs – Minimize attack surface area (and window of opportunity) – Establish secure defaults – Principle of Least privilege – Principle of Defense in depth – Fail securely – Don’t trust services – Separation of duties (vs configuration) – Avoid security by obscurity – Keep security simple – Fix security issues correctly – If you can't protect, detect – Get your users involved
  • 10. @carlobonamico@codemotionit Do not trust inputs Would you execute to the letter all inputs that the world sends to you?
  • 11. @carlobonamico@codemotionit Do not trust inputs Any external input may carry an attack vector Identify all external inputs Filter and/or validate accordingly Do not use unvalidated external input – to perform security-sensitive operations – ideally, to perform any operation
  • 12. @carlobonamico@codemotionit A3 - XSS Cross-Site-Scripting means that attacker can insert custom js code which is then displayed in the user browser – stored (input js in a field → DB → sent back to the page) – reflected (input js in the url, send the url to a user, js executed) – DOM-based (input triggers js logic that manipulates the DOM and insert custom js) Remember: any external input is UNTRUSTED! – so we must avoid mixing user input with js code The proper solution is ESCAPING: encoding the data so that the browser properly interprets it as plain text (and not js) – https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • 13. @carlobonamico@codemotionit Remember Most vulnerabilities are not so serious by themselves – but became terrible if mixed  think Pepsi + Mentos XSS is an enabler for – phishing – browser-based MITM – session / auth token stealing – sensitive data extraction – img courtesy of http://www.delawaretoday.com/
  • 15. @carlobonamico@codemotionit Minimize attack surface area Surface Area – the less exposed entry points, the better – it is easier to protect a build with less doors and windows So, avoid unnecessary features, pages, inputs, libraries, instsalled components, etc.
  • 17. @carlobonamico@codemotionit Technical definition Window of Opportunity – if there is a vulnerability, the time frame in which it can be exploited should be as short as possible – if I forget my door open, the longer I leave it open the riskier it is E.g. time validity of a reset password link
  • 18. @carlobonamico@codemotionit Token Storage vs Session Duration In memory or sessionStorage – works only on current tab – automatically closed In localStorage – persistent – work across multiple tabs – requires explicit expiration https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs- html5-web-storage/
  • 20. @carlobonamico@codemotionit Establish secure defaults The system should be secure by default Users / installers should deliberatedly need to make specific features more open if needed
  • 21. @carlobonamico@codemotionit Secure defaults - examples A single MITM (Man in the Middle) and your “done” – as the attacker can put arbitrary code in your browser – so,  https://www.eff.org/Https-everywhere Be careful with CORS – Avoid Allow­Origin “*” unless you have very strong authentication and authorization Remember to tell the browser to enable stronger protection – typically through headers such as CSP – https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  • 22. @carlobonamico@codemotionit Positive model A "positive" security model (also known as "whitelist") is one that defines what is allowed, and rejects everything else. This should be contrasted with a "negative" (or "blacklist") security model, which defines what is disallowed, while implicitly allowing everything else. The benefit of using a positive model is that new attacks, not anticipated by the developer, will be prevented. However, the negative model can be quite tempting when you're trying to prevent an attack on your site.
  • 24. @carlobonamico@codemotionit Principle of Least privilege Any tool/component/library/process should run with the minimal privileges required to perform its function – ideally, gain more privileged access only for the short time it is actually required Important for damage control This includes – OS user – db access credentials – web service access credentials – security policies (e.g. JVM or browser policies)
  • 26. @carlobonamico@codemotionit Principle of Defense in depth Relying only on the system being disconnected from a larger network, or on a perimeter-level check is not enough Have different layers of protection – e.g. UI / logic / DB
  • 28. @carlobonamico@codemotionit Fail securely Errors should always be managed – to limit unpredicatable behaviour Errors should not lead to access – default should be deny access Errors should not leak information – “could not connect to db X on server Y with user T and password Z” – stack traces Split information useful for the developer from information useful for the user
  • 30. @carlobonamico@codemotionit Don’t trust services If you do not manage it, it might already be compromised If you store sensitive information in external services – don't do it – and if you need, encrypt it
  • 32. @carlobonamico@codemotionit The good side In our consulting/project/problem solving experience, the single biggest cause of – quality – performance – security problems is....
  • 33. @carlobonamico@codemotionit The good side In our consulting/project/problem solving experience, the single biggest cause of – quality – performance – security problems is.... the mixing & coupling of UI and business logic
  • 34. @carlobonamico@codemotionit Separation of duties Leverage good OO Design principles – DRY – separation of concerns – modularity Separate configuration from business logic
  • 36. @carlobonamico@codemotionit Avoid security by obscurity Security should rely on specific keys/secrets/credentials not being known, not on the algorithm being unknown – split a smaller secret from the rest of the system – Kerchoff principle Techniques for reverse engineering are very powerful now – Java is very easy to decompile If it is obscure, maybe it has not been reviewed enough
  • 38. @carlobonamico@codemotionit Keep security simple The less “moving parts”, the easier it is to check that everything is correct
  • 40. @carlobonamico@codemotionit Fix security issues correctly Beware of the “quick patch” – often leads to further bugs later on Five Whys – why was this problem here? – how to fix it – how to prevent it? – what do we need to prevent it? Treat security bugs as airplane crash – post-mortem – take measures
  • 41. @carlobonamico@codemotionit Question to ask What if the rules change? What if an auditor wants to check if we actually follow the policy?
  • 42. @carlobonamico@codemotionit Role Based Access Control Separating Role definition from Permission check – In each service / action, code checks that the user has the relevant permission if (subject.hasPermission(“deletePost”)) – Role Definition lists all the permissions  e.g. –Admin   detelePost, updatePost, readPost→ –anonymous   readPost→ Authorization system maps user/groups to list of roles – and computes the “merged” set of permissions active for the valid user  user is both Admin & Editor  Permissions are –changeSettings, deleteUser, addUser, deletePost,  modifyPost 
  • 43. @carlobonamico@codemotionit Advantages Permission check is – focused, readable – easy to implement – easy to test – rarely changes Role definition is – centralized – easy to review – easy to change – as it tends to change often Secure Design Principle all parts of the system need to perform security checks but security check implementation should be centralized and not “spread” in the system
  • 45. @carlobonamico@codemotionit If you can't protect, detect If you know that an attack / issue is in progress – you can activate remediation measures Log and monitor – critical operations  auth failues, misconfigurations, privileged actions – resource usage Do this securely – do not log credentials and other user sensitive information
  • 46. @carlobonamico@codemotionit Intrusion detection Detecting intrusions requires three elements: the capability to log security-relevant events procedures to ensure the logs are monitored regularly procedures to properly respond to an intrusion once detected You should log all security relevant information. Detecting intrusions is important because otherwise you give the attacker unlimited time to perfect an attack
  • 47. @carlobonamico@codemotionit Application Layer Intrusion Detection Really, important! – Arguably one of the most important security mechanisms – Simply not done in the wild ESAPI Intrusion detection Key features – Log Intrusion – Logout User – Disable Account Configurable Thresholds
  • 48. @carlobonamico@codemotionit Get your users involved If you lose it, call 800-999-666
  • 49. @carlobonamico@codemotionit Code cannot do everything (at least with finite resources) Give users the info they need to identify and correct security issues themselves – Educate your users – Care about trust – feedback to user about his connection  last login  notify relevant changes and events
  • 50. @YourTwitterHandle#DVXFR14{session hashtag} @carlobonamico@codemotionit A f nal w ord ... But isn't all that unnecessary complexity slowing down development of my critical project?
  • 51. @carlobonamico@codemotionit A final word People tend to view Security as “overhead”, not adding value to the project The reality: – if you know what to pay attention to, minimal additional costs – also, in most cases, adding security just means following good design principles if you separate well concerns, adding security is easy – favor clarity of intent and code readability – favor composition over inheritance – test, test, test!  incorporate security checks in your tests This lets software adapt more easily to both requirements & security changes – easier to evolve incrementally & validating each step → see Continuous Delivery
  • 53. @carlobonamico@codemotionit References Owasp Secure Coding Principles – https://www.owasp.org/index.php/Secure_Coding_Principles OWASP Testing Guide – https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_ of_Contents SOLID Design Principles – http://butunclebob.com/ArticleS.UncleBob.PrinciplesOfOod
  • 54. @carlobonamico@codemotionit Thank You for your attention Interested? – attend our Web Application Security / Angular trainings – engage us for Design/Code Reviews, Vulnerability Assessments & team mentoring Read more on – http://www.nispro.it – http://www.slideshare.net/carlo.bonamico Follow us on twitter – @nis_srl @carlobonamico  updates on Security, AngularJS, Continuous Delivery Contact me – carlo.bonamico@gmail.com / carlo.bonamico@nispro.it