Securing your web applications: a pragmatic approach
Antonio Parata - an.parata@reply.it
Roma 12/12/2014
Who am I?
- Head of Reply Communication Valley R&D group
- Passionate about functional programming (F#)
and occasional tools developer
(http://nebula.tools)
- Passionate about software security
- Board member of OWASP Italy (co-author of
OWASP Testing Guide v2 and v3)
Introduction
What does legacy application mean?
- An application difficult to modify/maintain
- An application lacking documentation
- An application written “a long time ago” (… in COBOL)
“…to me, legacy code is simply code without tests.”
Michael C. Feathers, author of Working Effectively With Legacy Code
Introduction
Why talk about legacy applications?
A pragmatic approach
– The goal is securing an application, not learning
how to compromise its security
– You still have to know the most common vulnerabilities
Approach
1. Perform a security assessment activity in
order to evaluate the current state of security
2. Then focus your activities on improving the
application's security.
- Don't limit yourself to fixing the vulnerabilities
reported in the security assessment report
3. Verify your progress
Approach
Which activity should be performed first?
- Code Inspection
- Security Testing
- Penetration Test
Ref. Capers Jones, Software Engineering Best Practices: Lessons from Successful Projects in the Top Companies (McGraw-Hill, 2010)
OWASP Top Ten
Useful to get an idea of
the most common threats.
Streamlined enough to be
easily read even by people
with no security background.
OWASP - Proactive Controls for
Developers
Provides a Top Ten of the most important
security controls that must be considered to
secure an application
OWASP - Proactive Controls for
Developers - Parameterize Queries
// PHP PDO: the SQL text contains only placeholders...
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
// ...and the user-supplied values are bound separately, so they are never parsed as SQL
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
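Added example, not from the slides or from the OWASP project: the same update as the PDO snippet above, written in Python with the standard sqlite3 module against a constructed in-memory table. The string-concatenation form sits beside the bound form to show why the driver must receive values separately from the SQL text: a legitimate address containing a quote already breaks the concatenated statement, and that same parsing confusion is what injection exploits.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the slides).
SAMPLE_USERS = [(1, "alice@example.com"), (2, "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_email_concat(conn: sqlite3.Connection, user_id: int, new_email: str):
    """The 'before' form: the value is pasted into the SQL text, so the
    database parser sees the user's characters as part of the statement.
    Returns the number of updated rows, or None if the statement failed to parse."""
    sql = f"UPDATE users SET email = '{new_email}' WHERE id = {user_id}"
    try:
        cur = conn.execute(sql)
    except sqlite3.Error:
        return None  # the quote inside the input was read as SQL, not as data
    conn.commit()
    return cur.rowcount


def update_email_bound(conn: sqlite3.Connection, user_id: int, new_email: str) -> int:
    """The Proactive Controls form: the SQL text only contains placeholders and
    the values are bound at execution time, so they are always treated as data."""
    sql = "UPDATE users SET email = :new_email WHERE id = :user_id"
    cur = conn.execute(sql, {"new_email": new_email, "user_id": user_id})
    conn.commit()
    return cur.rowcount


def stored_emails(conn: sqlite3.Connection) -> list:
    """Return the email column in id order, to inspect what actually got stored."""
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    legit = "o'brien@example.com"  # a perfectly legitimate address containing a quote
    print("concatenated:", update_email_concat(db, 1, legit))  # None: parse failure
    print("bound:       ", update_email_bound(db, 1, legit))   # 1
    print(stored_emails(db))
```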
OWASP - Proactive Controls for
Developers – Encode Data
It starts with a < to end with a
OWASP - Proactive Controls for
Developers – Encode Data
The majority of modern web development frameworks include built-in
encoding capabilities.
If you are in doubt:
Ruby on Rails
– http://api.rubyonrails.org/classes/ERB/Util.html
Reform Project
– Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
– https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
ESAPI
– PHP, .NET, Python, Classic ASP, ColdFusion
– https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
.NET AntiXSS Library (v4.3 NuGet released June 2, 2014)
– http://www.nuget.org/packages/AntiXss/
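Added example, not from the slides or from any of the libraries listed above: a minimal template filler in Python showing what "encode data" means in practice, namely that the encoding depends on where the value lands (HTML body, quoted attribute, URL parameter, or JavaScript string literal). The {field:context} placeholder syntax is an assumption made for this example; the body and attribute contexts use the standard library's html.escape, the others are written out here.

```python
import html
import re
from urllib.parse import quote

# Placeholder syntax assumed for this example: {field:context}, where the
# context names the HTML location the value lands in.
PLACEHOLDER = re.compile(r"\{(\w+):(\w+)\}")


def _js_escape_char(c: str) -> str:
    cp = ord(c)
    if cp > 0xFFFF:  # outside the BMP: a JS string needs a surrogate pair
        cp -= 0x10000
        return "\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u%04x" % cp


def encode_js_string(value: str) -> str:
    """For a value inside a JavaScript string literal: write every character
    that is not a letter or digit as \\uXXXX, so quotes, backslashes, newlines
    and a literal </script> can never terminate the string or the script block."""
    return "".join(c if c.isalnum() else _js_escape_char(c) for c in value)


# One encoder per output context. HTML-entity encoding alone is correct for
# the body and for quoted attributes but not for URLs or script literals.
ENCODERS = {
    "body": lambda v: html.escape(v, quote=False),   # & < >
    "attr": lambda v: html.escape(v, quote=True),    # & < > " '
    "url": lambda v: quote(v, safe=""),              # percent-encode everything
    "js": encode_js_string,
}


def render(template: str, values: dict) -> str:
    """Fill the template, encoding each value for the context its placeholder
    declares. A placeholder with an unknown context raises instead of emitting
    the value unencoded, so the renderer fails closed."""
    def substitute(match):
        field, context = match.group(1), match.group(2)
        if context not in ENCODERS:
            raise ValueError(f"unknown output context {context!r} for field {field!r}")
        return ENCODERS[context](str(values[field]))
    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    page = ('<p>Hello {name:body}</p>\n'
            '<input value="{name:attr}">\n'
            '<a href="/search?q={name:url}">search</a>\n'
            '<script>var who = "{name:js}";</script>')
    print(render(page, {"name": 'Tom "Tim" O\'Neil <b>'}))
```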
OWASP - Proactive Controls for
Developers – Validate All Inputs
In most cases the expected input has a well
defined format…
…ensure that the format is correctly enforced!
Approaches:
Whitelist: what is not allowed is refused
Blacklist: what is malicious is blocked
OWASP - Proactive Controls for Developers –
Implement Appropriate Access Controls
Various well-established models exist: RBAC, ACL.
Access control code can be very complex to
implement. Some suggestions:
All the requests must pass through the access
control code:
- Deny by default
- Don't reinvent the wheel
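Added example, not from the slides: a small deny-by-default access control layer in Python that combines the two models named above, RBAC (explicit grants per role) and an ACL (per-resource owners), and routes every handler through one check via a decorator. Roles, actions and the invoice owners are constructed sample data.

```python
from functools import wraps


class AccessDenied(Exception):
    """Raised by the single access-control choke point."""


# RBAC part: explicit grants per role. Any (role, action) pair that is not
# listed here is denied, including unknown roles and a missing role.
ROLE_GRANTS = {
    "admin": {"invoice:read", "invoice:write", "user:delete"},
    "clerk": {"invoice:read", "invoice:write"},
    "guest": {"invoice:read"},
}

# ACL part: per-resource owners (constructed sample data for the example).
INVOICE_OWNERS = {"inv-1": "bob", "inv-2": "carol"}


def is_allowed(user: dict, action: str, resource: str = None) -> bool:
    """Deny by default. A request is allowed only if the role explicitly grants
    the action AND, when the action targets a resource, the user owns it or is
    an admin (the 'horizontal' check that RBAC alone does not cover)."""
    role = user.get("role")
    if action not in ROLE_GRANTS.get(role, set()):
        return False
    if resource is not None and role != "admin":
        return INVOICE_OWNERS.get(resource) == user.get("name")
    return True


def requires(action: str):
    """Decorator that routes every handler through is_allowed() so no
    code path can reach business logic without the check."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, resource=None, *args, **kwargs):
            if not is_allowed(user, action, resource):
                raise AccessDenied(f"{user.get('name')!r} may not {action} {resource!r}")
            return handler(user, resource, *args, **kwargs)
        return wrapper
    return decorator


@requires("invoice:read")
def read_invoice(user, resource):
    return f"contents of {resource}"


@requires("user:delete")
def delete_user(user, resource):
    return f"deleted {resource}"


def attempt(handler, user, resource) -> bool:
    """Helper for the demonstration: True if the call was allowed."""
    try:
        handler(user, resource)
        return True
    except AccessDenied:
        return False
```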
OWASP - Proactive Controls for Developers –
Establish Identity and Authentication Controls
Authentication is the process that verifies that an
entity really is what it claims to be.
Once authenticated, a session is usually created.
Make sure that:
- All passwords are salted and stored in a safe way (e.g.
by using the bcrypt algorithm)
- The session token is appropriately protected and not
predictable (typically it is enough to use the features of
the framework in use)
OWASP - Proactive Controls for Developers –
Protect Data and Privacy
All sensitive data have to be sent through a
secure channel
- Using HTTPS for sensitive data transmission
- Using anti-tampering mechanisms to make sure
that data can't be modified arbitrarily by the
user.
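Added example covering both the authentication slide and this one, not from the slides: salted password storage, an unpredictable session token, and an HMAC-based anti-tampering wrapper for data that must round-trip through the client. Because bcrypt is a third-party package, the password part uses the standard library's PBKDF2-HMAC-SHA256 with a per-user random salt as a stand-in; the iteration count and the in-memory server key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Work factor for PBKDF2 (assumed value; tune to your hardware).
PBKDF2_ITERATIONS = 200_000

# Server-side secret for the anti-tampering MAC. Generated here so the
# example runs stand-alone; in a real deployment it comes from configuration.
SERVER_KEY = secrets.token_bytes(32)


def hash_password(password: str) -> str:
    """Salted, slow hash. A fresh 16-byte random salt per password means two
    users with the same password get different hashes, and the iteration count
    makes offline guessing expensive. Format: algo$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: no timing signal about how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def new_session_token() -> str:
    """256 bits from the OS CSPRNG: not derived from the clock, the user id
    or a counter, so it cannot be predicted from other sessions."""
    return secrets.token_urlsafe(32)


def sign(data: dict, key: bytes = SERVER_KEY) -> str:
    """Anti-tampering: attach an HMAC to data that must round-trip through the
    client (hidden field, cookie). The client can read it but not change it."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify(token: str, key: bytes = SERVER_KEY):
    """Return the data if the MAC is valid, None if anything was modified."""
    payload, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))
```

Signing only proves the data was not modified; it does not hide it, so anything secret still needs encryption and, on the wire, HTTPS.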
OWASP - Proactive Controls for Developers –
Implement Logging and Intrusion Detection
Logging is not something you do only while debugging.
Make sure that:
- Every sensitive action is logged (login, password change, …)
- Logs are stored in a secure place
- Logs don't include sensitive information
(passwords, session tokens, …)
Ensure that logs are analyzed by a security analyst or by a
security system and that appropriate actions are taken if
something happens.
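Added example, not from the slides: a Python logger for sensitive actions that redacts secret-bearing fields before writing, plus the kind of analysis a security system would run over those lines (users with repeated failed logins in a short window). The log lines and field names are constructed for the example.

```python
import json
from collections import defaultdict

# Parameters that must never be written to the log, whatever a caller passes.
SENSITIVE_FIELDS = {"password", "new_password", "old_password",
                    "session_token", "authorization", "credit_card"}


def security_event(ts: int, action: str, user: str, outcome: str, **details) -> str:
    """One JSON line per sensitive action (login, password change, ...).
    Secret-bearing fields are redacted before serialisation, so the log can
    be shipped to a separate store without leaking credentials."""
    safe = {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in details.items()}
    record = {"ts": ts, "action": action, "user": user, "outcome": outcome, **safe}
    return json.dumps(record, sort_keys=True)


def parse_event(line: str) -> dict:
    return json.loads(line)


def detect_failed_logins(lines, threshold: int = 5, window_s: int = 300) -> dict:
    """Analysis a security system could run over the log: users with at least
    `threshold` failed logins inside any `window_s`-second window.
    Returns {user: number of failures in the first offending window}."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec["action"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            start = stamps[i]
            if stamps[i + threshold - 1] - start <= window_s:
                flagged[user] = sum(1 for s in stamps if start <= s <= start + window_s)
                break
    return flagged


# Constructed sample log (not real data): anna mistypes once, mario fails five
# times within forty seconds, and a password change carries a secret field.
SAMPLE_LOG = [
    security_event(100, "login", "anna", "failure", ip="10.0.0.5"),
    security_event(110, "login", "anna", "success", ip="10.0.0.5"),
    security_event(120, "password_change", "anna", "success",
                   ip="10.0.0.5", new_password="hunter2"),
] + [security_event(200 + 10 * i, "login", "mario", "failure", ip="10.0.0.9")
     for i in range(5)]
```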
OWASP - Proactive Controls for Developers – Leverage
Security Features of Frameworks and Security Libraries
Depending on the programming language used,
there may be different frameworks that provide
a baseline for implementing security features.
Those frameworks are typically well written and
have a stable code base.
But make sure you always stay up to date on
newly disclosed vulnerabilities in them
OWASP - Proactive Controls for Developers – Include
Security-Specific Requirements
It is never too late to consider new security
requirements
Consider:
1. Security Features and Functions
2. Business Logic Abuse Cases
3. Data Classification and Privacy Requirements
OWASP - Proactive Controls for Developers – Design
and Architect Security In
In legacy applications it is difficult to change the
architecture; consider however the following
points:
- Attack surface
- Frameworks in use
- Specific vulnerabilities that are more common
in the language and/or the tools used
Trust but verify
OWASP - Proactive Controls for Developers is a
guide that helps developers secure their
application code
But you have to be sure that the written code is
really secure
OWASP Application Security Verification
Standard (ASVS)
OWASP - ASVS
“The first aim of the OWASP Application Security
Verification Standard (ASVS) Project is to
normalize the range in the coverage and the
level of rigor available in the market when it
comes to performing Web application security
verification using a commercially-workable open
standard.”
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP - ASVS
OWASP – ASVS Requirements
V2: Authentication Verification Requirements
V3: Session Management Verification Requirements
V4: Access Control Verification Requirements
V5: Malicious Input Handling Verification Requirements
V7: Cryptography at Rest Verification Requirements
V8: Error Handling and Logging Verification Requirements
V9: Data Protection Verification Requirements
V10: Communications Security Verification Requirements
V11: HTTP Security Verification Requirements
V13: Malicious Controls Verification Requirements
V15: Business Logic Verification Requirements
V16: Files and Resources Verification Requirements
V17: Mobile Verification Requirements
Conclusions
1. Verify the current state of your
application security, performing:
- Security Testing
- Code Inspection
2. Apply effective security controls
in your code (Proactive Controls)
3. Verify that the written code is
really secure (ASVS)
4. Repeat the process from step 1
on a regular basis.
Q&A
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Securing your web applications a pragmatic approach

  • 10. OWASP - Proactive Controls for Developers – Encode Data
    It starts with a < to end with a
  • 11. OWASP - Proactive Controls for Developers – Encode Data
    The majority of modern web development frameworks include preset encoding capabilities. If you are in doubt:
    - Ruby on Rails – http://api.rubyonrails.org/classes/ERB/Util.html
    - Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP – https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
    - ESAPI – PHP, .NET, Python, Classic ASP, Cold Fusion – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    - .NET AntiXSS Library (v4.3 NuGet released June 2, 2014) – http://www.nuget.org/packages/AntiXss/
  • 12. OWASP - Proactive Controls for Developers – Validate All Inputs
    In most cases the expected input has a well-defined format… …ensure that the format is correctly enforced!
    Approaches:
    - Whitelist: what is not explicitly allowed is refused
    - Blacklist: what is known to be malicious is blocked
  • 13. OWASP - Proactive Controls for Developers – Implement Appropriate Access Controls
    Various consolidated models exist: RBAC, ACL. Access control code can be very complex to implement. Some suggestions:
    - All the requests must pass through the access control code
    - Deny by default
    - Don't reinvent the wheel
  • 14. OWASP - Proactive Controls for Developers – Establish Identity and Authentication Controls
    Authentication is the process that verifies that an entity really is what it claims to be. Once authenticated, a session is usually created. Make sure that:
    - All the passwords are salted and stored in a safe way (e.g. by using the bcrypt algorithm)
    - The session token is appropriately protected and not predictable (typically it is enough to use the features of the framework in use)
  • 15. OWASP - Proactive Controls for Developers – Protect Data and Privacy
    All sensitive data have to be sent through a secure channel:
    - Use HTTPS for sensitive data transmission
    - Use an anti-tampering mechanism to make sure that data can't be modified arbitrarily by the user
  • 16. OWASP - Proactive Controls for Developers – Implement Logging and Intrusion Detection
    Logging is not performed only during the debugging phase. Make sure that:
    - Every sensitive action is logged (login, password change, …)
    - Logs are stored in a secure place
    - Logs don't include sensitive information (passwords, session tokens, …)
    Ensure that logs are analyzed by a security analyst or by a security system and that appropriate actions are taken if something happens.
  • 17. OWASP - Proactive Controls for Developers – Leverage Security Features of Frameworks and Security Libraries
    Depending on the programming language used, there are different frameworks that provide a baseline for implementing security features. Those frameworks are typically well written and have a stable code base. But make sure that you keep up to date with newly disclosed vulnerabilities in them.
  • 18. OWASP - Proactive Controls for Developers – Include Security-Specific Requirements
    It is never too late to consider new security requirements. Consider:
    1. Security features and functions
    2. Business logic abuse cases
    3. Data classification and privacy requirements
  • 19. OWASP - Proactive Controls for Developers – Design and Architect Security In
    In a legacy application it is difficult to change the architecture; consider however the following points:
    - Attack surface
    - Frameworks used
    - Specific vulnerabilities that are more common in the language and/or tools used
  • 20. Trust but verify
    OWASP Proactive Controls for Developers is a guide that helps developers secure their application code, but you have to be sure that the written code is really secure: OWASP Application Security Verification Standard (ASVS).
  • 21. OWASP - ASVS “The first aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and the level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  • 23. OWASP – ASVS Requirements
    - V2: Authentication Verification Requirements
    - V3: Session Management Verification Requirements
    - V4: Access Control Verification Requirements
    - V5: Malicious Input Handling Verification Requirements
    - V7: Cryptography at Rest Verification Requirements
    - V8: Error Handling and Logging Verification Requirements
    - V9: Data Protection Verification Requirements
    - V10: Communications Security Verification Requirements
    - V11: HTTP Security Verification Requirements
    - V13: Malicious Controls Verification Requirements
    - V15: Business Logic Verification Requirements
    - V16: Files and Resources Verification Requirements
    - V17: Mobile Verification Requirements
  • 24. Conclusions
    1. Verify the current state of your application security, performing:
       - Security Testing
       - Code Inspection
    2. Apply effective security controls in your code (Proactive Controls)
    3. Verify that the written code is really secure (ASVS)
    4. Repeat the process from step 1 on a regular basis.
  • 25. Q&A
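Worked example for slides 11 and 12 (Encode Data, Validate All Inputs): allowlist validation of fixed-format fields and per-context output encoding. This is an added example, not code from the slides; the field formats and the `render_profile_link` function are assumptions.

```python
import html
import re
from urllib.parse import quote

# Allowlist formats for the fields this example accepts (constructed; use the
# real field specifications of your application). Whatever does not fully
# match is refused, not "cleaned up".
FORMATS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "user_id": re.compile(r"[1-9][0-9]{0,9}"),
    "iso_date": re.compile(r"[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])"),
}


def validate(field, value):
    """Whitelist validation: return value only if it matches the expected format.

    fullmatch() is used on purpose: re.match() with a trailing '$' would still
    accept a value with a newline appended.
    """
    pattern = FORMATS.get(field)
    if pattern is None or not isinstance(value, str):
        return None
    return value if pattern.fullmatch(value) else None


def for_html_text(value):
    """Encode for an HTML element body: < > & " ' become entities."""
    return html.escape(value, quote=True)


def for_html_attr(value):
    """Encode for a double-quoted attribute value. Same entity set as the text
    context, kept as its own function so the call site names the context."""
    return html.escape(value, quote=True)


def for_url_param(value):
    """Encode for a query-string value: percent-encode all reserved characters."""
    return quote(value, safe="")


def render_profile_link(username, display_name):
    """Place untrusted data into three output contexts, encoding for each one.

    username is validated against its allowlist first; display_name is free
    text, so it is only encoded (validation would reject legitimate names).
    """
    user = validate("username", username)
    if user is None:
        raise ValueError("username does not match the expected format")
    return '<a href="/users?name={}" title="{}">{}</a>'.format(
        for_url_param(user), for_html_attr(display_name), for_html_text(display_name)
    )
```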
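Worked example for slide 13 (Implement Appropriate Access Controls): a single RBAC decision point that denies by default, with a decorator that forces every handler through it. Added here as illustration, not code from the slides; the role matrix, the subject/resource dictionaries and the two handlers are constructed assumptions.

```python
from functools import wraps

# Role -> set of (action, resource type) pairs a role may perform. Constructed
# example data; the real matrix comes from the application's requirements.
ROLE_PERMISSIONS = {
    "user": {("read", "profile"), ("update", "profile")},
    "admin": {("read", "profile"), ("update", "profile"),
              ("delete", "profile"), ("read", "audit_log")},
}


class AccessDenied(Exception):
    pass


def is_allowed(subject, action, resource):
    """Single decision point. True only when a rule explicitly permits the
    action; unknown roles, missing roles or an owner mismatch all deny."""
    for role in subject.get("roles", ()):
        if (action, resource["type"]) not in ROLE_PERMISSIONS.get(role, set()):
            continue
        # Object-level rule: non-admins may only act on records they own.
        owner = resource.get("owner")
        if role == "admin" or (owner is not None and owner == subject.get("id")):
            return True
    return False


def require(action):
    """Decorator so every handler goes through is_allowed before running
    (slide 13: all requests must pass through the access control code)."""
    def decorate(handler):
        @wraps(handler)
        def wrapper(subject, resource, *args, **kwargs):
            if not is_allowed(subject, action, resource):
                raise AccessDenied("%s on %s denied" % (action, resource["type"]))
            return handler(subject, resource, *args, **kwargs)
        return wrapper
    return decorate


@require("update")
def update_profile(subject, resource, new_email):
    resource["email"] = new_email
    return resource


@require("read")
def read_audit_log(subject, resource):
    # Constructed stand-in for a real query.
    return ["entry-1", "entry-2"]
```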
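Worked example for slide 14 (Establish Identity and Authentication Controls): salted, slow password hashing with constant-time verification, and an unpredictable session token. Added example, not code from the slides; it substitutes scrypt from the Python standard library for the bcrypt the slide names, and the cost parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# scrypt is used here instead of the bcrypt the slide names only because it
# ships with the Python standard library (hashlib.scrypt); any slow, salted
# password hash serves the same purpose. Cost parameters are an assumption.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def hash_password(password):
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt.

    Identical passwords get different salts, so equal hashes never reveal
    that two accounts share a password and precomputed tables do not apply."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except (ValueError, AttributeError):
        return False  # malformed record: refuse rather than guess
    if scheme != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return hmac.compare_digest(actual, expected)


def new_session_token():
    """Session identifier from the OS CSPRNG: 32 random bytes (256 bits),
    URL-safe base64 encoded, so it cannot be predicted or enumerated."""
    return secrets.token_urlsafe(32)


def session_token_fingerprint(token):
    """Store only this in the session table and in logs, never the token."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()
```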
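Worked example for slide 15 (Protect Data and Privacy), the anti-tampering point: values handed to the client (a hidden field, a cookie) are sealed with an HMAC and an expiry, so any modification by the user is detected on return. Added example, not code from the slides; the key handling, token layout and payload are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Server-side key; in a real deployment it comes from configuration and is
# never sent to the client. Generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def b64_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(payload, key=SERVER_KEY, ttl=3600, now=None):
    """Serialize payload plus an expiry and append an HMAC-SHA256 tag.

    The client can still read the values (this is integrity, not secrecy),
    but any change to them invalidates the tag."""
    exp = int(time.time() if now is None else now) + ttl
    raw = json.dumps(dict(payload, exp=exp), sort_keys=True,
                     separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return b64_encode(raw) + "." + b64_encode(tag)


def unseal(token, key=SERVER_KEY, now=None):
    """Return the payload only if the tag verifies and it has not expired."""
    try:
        raw_b64, tag_b64 = token.split(".")
        raw, tag = b64_decode(raw_b64), b64_decode(tag_b64)
    except (ValueError, AttributeError, binascii.Error):
        return None
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    # Constant-time comparison, and verify before trusting anything in raw.
    if not hmac.compare_digest(tag, expected):
        return None
    body = json.loads(raw)
    if body.get("exp", 0) < int(time.time() if now is None else now):
        return None
    del body["exp"]
    return body
```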
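Worked example for slide 16 (Implement Logging and Intrusion Detection): a structured audit record for sensitive actions that redacts passwords and session tokens, plus a detection rule run over the emitted records. Added example, not code from the slides; the field names, record layout and threshold rule are assumptions.

```python
import json
import logging
import time

# Fields that must never appear in a log record (slide 16), matched
# case-insensitively at any nesting depth. Constructed list; extend as needed.
SENSITIVE_FIELDS = {"password", "old_password", "new_password",
                    "session_token", "authorization", "cookie"}

audit_log = logging.getLogger("audit")


def redact(details):
    """Return a copy of details with sensitive values replaced, recursively."""
    clean = {}
    for key, value in details.items():
        if key.lower() in SENSITIVE_FIELDS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact(value)
        else:
            clean[key] = value
    return clean


def security_event(action, subject, outcome, details=None, now=None):
    """Build and emit one record for a sensitive action (login, password
    change, ...). One JSON object per line is easy to ship to a separate,
    append-only store and to parse in a SIEM rule."""
    record = {
        "ts": int(time.time() if now is None else now),
        "action": action,
        "subject": subject,
        "outcome": outcome,  # "success" or "failure"
        "details": redact(details or {}),
    }
    audit_log.info(json.dumps(record, sort_keys=True))
    return record


def users_over_failed_login_threshold(records, window_s, threshold):
    """Detection over emitted records: subjects with at least `threshold`
    failed logins inside any `window_s`-second sliding window."""
    by_user = {}
    for r in records:
        if r["action"] == "login" and r["outcome"] == "failure":
            by_user.setdefault(r["subject"], []).append(r["ts"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged
```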