The document summarizes a presentation on Java EE 6 security best practices using the GlassFish application server. It discusses the OWASP Top 10 security risks and provides recommendations for preventing each one when developing Java EE applications. It also analyzes the security of the sample Galleria application and identifies vulnerabilities. The presentation aims to raise awareness of common security issues and provide guidance for building more secure Java EE applications.
How to avoid top 10 security risks in Java EE applications and how to avoid them (Masoud Kalali)
If you want to learn which top ten security risks a software engineer needs to pay attention to, and how to address them in your Java EE software, this session is for you. The Open Web Application Security Project (OWASP) periodically publishes its Top 10 list of security risks and concerns in software development; the latest list was published in 2013.
Developers can use the features Java EE provides to address or mitigate these risks. This presentation covers how to spot these risks in code, how to avoid them, and the best practices around each of them. Where the application server or its configuration is involved, GlassFish is discussed as one Java EE 7 application server.
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
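The anti-patterns named above (hard-coded policy, no horizontal check, fail open) next to the positive design the talk argues for (activity based, data contextual, configurable, deny by default), as an added example that is not code from the talk. The User and Order types, the activity names and the POLICY table are assumptions made for illustration; the sample users and orders are constructed.

```python
"""Deny-by-default, activity-based access control beside the anti-patterns it replaces.

Added example (not code from the talk). The User/Order types, the activity names
and the POLICY table are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Order:
    id: str
    owner_id: str
    status: str = "open"


# --- Anti-patterns: hard-coded roles, no horizontal check, fail open -----------
def legacy_can(user: User, activity: str, order: Optional[Order]) -> bool:
    try:
        if activity == "order:view":
            # Vertical check only: any customer may view ANY customer's order,
            # because nothing compares order.owner_id with user.id.
            return "customer" in user.roles or "support" in user.roles
        if activity == "order:cancel":
            return "customer" in user.roles
        return True  # unknown activity is allowed: fail open
    except Exception:
        return True  # an error inside the check grants access: fail open


# --- Positive design: configurable, activity-based, data-contextual, deny by default
Rule = Callable[[User, Optional[Order]], bool]


def is_owner(user: User, order: Optional[Order]) -> bool:
    # Horizontal access control: the decision depends on the data, not only the role.
    # Deliberately not None-safe so the fail-closed path in can() is exercised.
    return order.owner_id == user.id


def has_role(role: str) -> Rule:
    return lambda user, order: role in user.roles


def any_of(*rules: Rule) -> Rule:
    return lambda user, order: any(rule(user, order) for rule in rules)


def all_of(*rules: Rule) -> Rule:
    return lambda user, order: all(rule(user, order) for rule in rules)


# The policy is data: it can be loaded from configuration and changed without
# touching the code path that enforces it.
POLICY: Dict[str, Rule] = {
    "order:view": any_of(is_owner, has_role("support")),
    "order:cancel": all_of(is_owner, lambda user, order: order.status == "open"),
    "order:refund": has_role("finance"),
}


def can(user: User, activity: str, order: Optional[Order] = None) -> bool:
    rule = POLICY.get(activity)
    if rule is None:
        return False  # unknown activity: deny by default
    try:
        return bool(rule(user, order))
    except Exception:
        return False  # any error while evaluating the rule denies: fail closed


# Constructed sample data for the demo below.
ALICE = User("alice", frozenset({"customer"}))
BOB = User("bob", frozenset({"customer"}))
CAROL = User("carol", frozenset({"finance"}))
ORDER_A1 = Order("A-1", owner_id="alice")
ORDER_A2 = Order("A-2", owner_id="alice", status="closed")


if __name__ == "__main__":
    for who, activity, order in [(ALICE, "order:view", ORDER_A1),
                                 (BOB, "order:view", ORDER_A1),
                                 (BOB, "order:delete", ORDER_A1)]:
        print(f"{who.id:6} {activity:13} legacy={legacy_can(who, activity, order)!s:5} "
              f"hardened={can(who, activity, order)}")
```

Running it shows bob reading alice's order and performing an unknown activity under the legacy check, and both denied under the policy-driven one; a rule that throws (here, evaluating ownership with no order loaded) also denies instead of granting.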
How to Do a Performance Audit of Your .NET Website (DNN)
The hardest part about website performance optimization is identifying the root cause.
In this presentation, Bruce Chapman, Director of Cloud and Web Operations at DNN, shows you how to perform a comprehensive performance audit of your .NET website.
You’ll learn how to uncover the causes of performance issues, and understand that improving performance is often straightforward once the root cause is identified.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha... (Christian Schneider)
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers. Ultimately the aim is to free pentesters' time by continuously reducing the amount of recurring (easy to find) default findings, so that pentesters can use that time to focus on the really high-hanging fruits.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
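One piece of the "glue" such a chain needs, as an added example that is not from the talk or from any particular tool: a gate that fails the build only on findings that are new relative to a reviewed baseline and that exceed the threshold for the current stage, so recurring default findings stop paging developers while anything new still blocks. The findings format, the two stages and the tool names are assumptions; the findings below are constructed.

```python
"""CI security gate: fail the build only on NEW findings above the stage's threshold.

Added example, not from the talk or any particular tool. The findings format,
the two stages and the tool names are assumptions; the findings below are constructed.
"""
import hashlib
import json
from typing import Dict, Iterable, Set

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Which tools run at which stage, and the lowest severity that breaks the build.
# Commit builds stay fast (static checks only); nightly adds the slow dynamic scan.
STAGES = {
    "commit": {"tools": {"sast", "secrets"}, "fail_at": "high"},
    "nightly": {"tools": {"sast", "secrets", "dast"}, "fail_at": "medium"},
}


def fingerprint(finding: Dict) -> str:
    """Stable identity for a finding: tool, rule, location and evidence, but NOT the
    line number, so an edit elsewhere in the file does not turn a known finding
    into a 'new' one."""
    key = "|".join([finding["tool"], finding["rule"], finding["location"],
                    finding.get("evidence", "")])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def triage(stage: str, findings: Iterable[Dict], baseline: Set[str]) -> Dict:
    cfg = STAGES[stage]
    new = [f for f in findings
           if f["tool"] in cfg["tools"] and fingerprint(f) not in baseline]
    blocking = [f for f in new
                if SEVERITY[f["severity"]] >= SEVERITY[cfg["fail_at"]]]
    return {"stage": stage, "new": new, "blocking": blocking, "passed": not blocking}


def accept(findings: Iterable[Dict]) -> Set[str]:
    """Turn reviewed findings into baseline entries (what a pentester signs off on)."""
    return {fingerprint(f) for f in findings}


# Constructed tool output, already normalised to one shape by the CI glue step.
RAW_FINDINGS = json.loads("""[
  {"tool": "secrets", "rule": "hardcoded-password", "severity": "high",
   "location": "src/db.py", "line": 12, "evidence": "PASSWORD = '...'"},
  {"tool": "sast", "rule": "weak-hash-md5", "severity": "medium",
   "location": "src/auth.py", "line": 40, "evidence": "hashlib.md5("},
  {"tool": "dast", "rule": "reflected-xss", "severity": "high",
   "location": "https://staging.example.test/search?q=", "evidence": "<script>"}
]""")

# The hard-coded password was reviewed earlier (it is a test fixture) and accepted.
BASELINE = accept([RAW_FINDINGS[0]])


def run_gate(stage: str) -> bool:
    result = triage(stage, RAW_FINDINGS, BASELINE)
    for f in result["blocking"]:
        print(f"[{stage}] BLOCK {f['severity']:6} {f['tool']}:{f['rule']} at {f['location']}")
    print(f"[{stage}] {'PASS' if result['passed'] else 'FAIL'} "
          f"({len(result['new'])} new, {len(result['blocking'])} blocking)")
    return result["passed"]


if __name__ == "__main__":
    run_gate("commit")
    run_gate("nightly")
```

The commit stage passes (the only new static finding is medium and the baseline absorbs the accepted secret), while the nightly stage fails on the new XSS and the new weak hash. Fingerprints deliberately exclude line numbers; a baseline keyed on line numbers decays with every refactor and is the usual reason teams stop trusting such gates.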
How to Harden the Security of Your .NET Website (DNN)
What keeps IT managers awake at night? Worrying whether their website is protected against security vulnerabilities and exploits.
In this presentation, Ash Prasad, Director of Engineering at DNN, gives IT managers suggestions on how to secure their .NET websites.
Ash shares the tools and techniques he employs to harden the security of websites. If you’re managing .NET websites, this presentation will arm you with tips you can apply right away.
Slides from my talk - Essential security measures in ASP.NET MVC. More info on - https://hryniewski.net/essential-security-measures-in-asp-net-mvc-resources-for-talk/
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS (Markus Eisele)
Security in applications is a never-ending story. Most of the knowledge about how to build secure applications is derived from knowledge and experience, and we've all made the same mistakes every Java EE developer makes over and over again. But how do you solve the real business requirements behind access and authorization with Java EE? Can I have a 15k rights matrix? Does that perform? How do I secure the transport layer? How does session binding work? Can I implement 2-factor authentication? And what about social integrations? This talk outlines the key capabilities of the Java EE platform and introduces the audience to additional frameworks and concepts which help in implementing all kinds of security requirements in Java EE based applications.
This presentation explains how to perform security testing of Salesforce using ZAP: learn how to install and configure ZAP to automate security testing.
Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
By Dinis Cruz, Abraham Kang and Alvaro Muñoz
Top Ten Proactive Web Security Controls v5 (Jim Manico)
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
With IoT being the buzz and all operating systems being integrated into a central network, an intruder there can cause far more devastation than in an ordinary IT system. For example, if someone intrudes into an electric utility network and operates the SCADA system, the entire grid can go down; or assume the control system responsible for the backup mechanism is turned off, which can result in blackouts.
Preventing such havoc is what a security framework should address.
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017 (Philippe Gamache)
OWASP Top 10 Proactive Controls 2016
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Java EE 8 Overview (Sept 2015). A lot of work has already been done by the Expert Groups, so let's have a brief look at what we can expect in some areas.
- Servlet 4 will embrace the new HTTP/2 protocol.
- JSON-B will bring the same high level features of JAXB to the JSON data format.
- Server-Sent Events (SSE) is the one-way counterpart to WebSocket, where data is only sent from the server to the client.
- MVC will be the Action based MVC complement of the Component based MVC of JSF.
- Some major restructuring of CDI so that we can use it standardised in Java SE to mention one thing.
The Java EE security API will be covered in more detail. Security-related things have become old and dusty and need to move away from proprietary configuration to make the transition to the cloud possible. An introduction to JSR 375 is given, which promotes self-contained application portability across Java EE servers and the use of modern programming concepts such as Expression Language and CDI. It will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community.
These are the slides from my lightning talk at OWASP AppSec Europe 2016. The session broadly consisted of:
- Quick run through of ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts/Hands-on
- Some delicate considerations
Code: https://github.com/r3ver53r/AppSecEU_2016
Download: https://2016.appsec.eu/wp-content/uploads/2016/07/OWASP_AppSec_EU2016-Security_Automation_Using_ZAP_v1.3.pdf
Octopus framework; Permission based security framework for Java EE (Rudy De Busscher)
Octopus framework for using permission based security in your Java EE app capable of securing URL, JSF components and CDI and EJB methods with the same security voters.
Architecting Large Enterprise Java Projects (Markus Eisele)
In the past I've been building component oriented applications with what I had at hand. Mostly driven by the features available in the Java EE standard to be "portable" and easy to use. Looking back this has been a perfect fit for many customers and applications. With an increasing demand for highly integrated applications which use already available services and processes from all over the place (departmental, central or even cloud services) this approach starts to feel more and more outdated. And this feeling does not come from a technology perspective but from all the requirements around it. Having this in mind this post is the starting point of a series of how-to's and short tutorials which aim to showcase some more diverse ways of building (Enterprise Java) applications that fit better into today's requirements and landscapes.
From XaaS to Java EE – Which damn cloud is right for me? (Markus Eisele)
With Java EE 7, cloud support should have been added to the specification, allowing a broad ecosystem of PaaS providers to jump on the train. Because of missing maturity and field experience, this has been delayed to EE 8. However, there are already some offerings on the market. This talk throws light on how they differ from each other and which ones are right for Java EE. Featuring: CloudBees, OpenShift, Elastic Beanstalk, Jelastic and Oracle Java Service.
Wild Flies and a Camel: Java EE Integration Stories (Markus Eisele)
Apache Camel is one of the most complete integration frameworks out there. With more than 150 components and a large community, it clearly has its fans. Deploying the lightweight core is easy; getting into modules and even more components makes this challenging. There are different approaches to riding that Camel. How to get the most out of it with Java EE and WildFly is exactly the topic of this session. It briefly introduces both Java EE 7 and Apache Camel and follows up with the different integration and deployment scenarios, along with the tools which help you the most on the way to your integration solution.
How would ESBs look like, if they were done today (Markus Eisele)
Looking past former hype topics such as enterprise application integration, ESBs, and SOA, the fact is that the need for reliable integration solutions that are manageable and scalable is growing. More devices and datasources, combined with new and upcoming use cases and exciting wearables in a cloudified and heterogeneous infrastructure, require more bits and pieces than just a central ESB with some rules and point-to-point connections. What would that look like? And how can we keep the resultant solutions manageable? Attend this session to find out.
We're all aware of cloud computing and the operational ability to easily create, configure and manage instances in an IaaS environment. But many of us are not Unix system admins and just want to focus on developing and deploying our Java applications. Red Hat OpenShift (which is of course open source) is a developer-friendly PaaS that offers auto-scalability and reliability as native features. So if you are tired of configuring and administering servers, come see how OpenShift PaaS can make you a happier and more productive Java EE software engineer. Learn about the base platform, how to use existing developer frameworks (cartridges) and how to integrate them into your development life cycle. And learn about the exciting Docker and Kubernetes plans for OpenShift v3.
ARCHITECTING LARGE ENTERPRISE JAVA PROJECTS - vJUG (Markus Eisele)
Slides for my vJUG session:
http://www.meetup.com/virtualJUG/events/221218531/
In the past I've been building component oriented applications with what I had at hand. Mostly driven by the features available in the Java EE standard to be "portable" and easy to use. Looking back this has been a perfect fit for many customers and applications. With an increasing demand for highly integrated applications which use already available services and processes from all over the place (departmental, central or even cloud services) this approach starts to feel more and more outdated. And this feeling does not come from a technology perspective but from all the requirements around it. Having this in mind this post is the starting point of a series of how-to's and short tutorials which aim to showcase some more diverse ways of building (Java EE) applications that fit better into today's requirements and landscapes.
Java EE microservices architecture - evolving the monolith (Markus Eisele)
With the ascent of DevOps, microservices, containers, and cloud-based development platforms, the gap between state-of-the-art solutions and the technology that enterprises typically support has greatly increased. But some enterprises are now looking to bridge that gap by building microservices-based architectures on top of Java EE.
In this webcast, Red Hat Developer Advocate Markus Eisele explores the possibilities for enterprises that want to move ahead with this architecture. However, the issue is complex: Java EE wasn't built with the distributed application approach in mind, but rather as one monolithic server runtime or cluster hosting many different applications. If you're part of an enterprise development team investigating the use of microservices with Java EE, this webcast will guide you to answers for getting started.
Nine Neins - where Java EE will never take you (Markus Eisele)
Virtual JUG Session: http://www.meetup.com/virtualJUG/events/232052100/
With Microservices taking the software industry by storm, classical Enterprises are forced to re-think what they've been doing for almost a decade. It's not the first time that technology has shocked the well-oiled machine to its core. We've seen software design paradigms changing over time and also project management methodologies evolving. Old hands might see this as another wave that will gently find its way to the shore of daily business. But this time it looks like the influence is bigger than anything we've seen before. And the interesting part is that microservices aren't new at the core. Talking about compartmentalization and introducing modules belongs to the core skills of architects. Our industry also learned how to couple services and build them around organizational capabilities.
The really new part in microservices based architectures is the way how truly independent services are distributed and connected back together. Building an individual service is easy with all technologies. Building a system out of many is the real challenge because it introduces us to the problem space of distributed systems. And the difference to classical, centralized infrastructures couldn’t be bigger. There are very little concepts from the old world which still fit into a modern architecture.
And there are more differences between Java EE and distributed and reactive systems. For example, APIs are inherently synchronous, so most Java EE app servers have to scale by adding thread pools as so many things are blocking on I/O (remote JDBC calls, JTA calls, JNDI look ups, even JMS has a lot of synchronous parts). As we know adding thread pools doesn't get you too far in terms of scalability.
This talk is going to explore the nine most important differences between classical middleware and distributed, reactive microservices architectures and explains in which cases the distributed approach takes you, where Java EE never would.
Architecting for failure - Why are distributed systems hard? (Markus Eisele)
Devnexus 2017
As we architect our systems for greater demands, scale, uptime, and performance, the hardest thing to control becomes the environment in which we deploy and the subtle but crucial interactions between complicated systems. And microservices obviously are the way to go forward with those complicated systems. But what makes it so hard to build them? And why should you embrace failure instead of doing what we can do best: Preventing failure. This talk introduces you to the problem domain of a distributed system which consists of a couple of microservices. It shows how to build, deploy and orchestrate the chaos and introduces you to a couple of patterns to prevent and compensate failure.
Presentation given at the August 2014 Sydney Salesforce Developers Group. It looks at the OWASP Top 10 project, and how the vulnerabilities in that list can manifest themselves on the Force.com platform.
See the GitHub repo at the following link for the accompanying code: https://github.com/gbreavin/owasp-top10-salesforce
Here you can find the slides that accompany my “SPA Secure Coding Guide”. This presentation goes through a set of security best practices specifically targeted at developing Angular applications with ASP.Net Web API backends.
It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation.
It first introduces general threat modelling before explaining the most common types of attacks that Asp.Net Web APIs are vulnerable to.
It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
OWASP - the Open Web Application Security Project is a foundation whose goal is to eliminate application security problems. OWASP works in the "open source" spirit and provides tools, information and knowledge that help raise the level of application security. During the lecture I will briefly present the OWASP Top 10 in its edition for developers, the "Top 10 Proactive Controls", that is, the most important recommendations for avoiding key security mistakes.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP Top 10 2017 we saw new issues rise as contenders for the most common issues in the web landscape. Much of the OWASP documentation shows issues and remediation advice/code relating to Java, C++, and C#; however, not much relates to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10, explaining JavaScript client- and server-side vulnerabilities.
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Does error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
sign up for updates or do regular audits to see versions
there might be technical dependencies
easily exploited by attackers using Metasploit, info gathering using headers & responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get the most attention from the vendors, and old ones eventually stop getting support entirely
Most Security Support by the community
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to what's needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; the s/w doesn't get much attention from the community; open ports are left; boom, exploited by attackers
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
Learn about common web application security threats and how to avoid them in your code. We will discuss general security challenges and high level principles, example attacks, social engineering, browser security and more, providing best practices along the way. This talk is a good review of the topic for experienced developers, and is highly recommended for new programmers who have not been exposed to web application security challenges in the past.
This session is not specific to any particular server-side technology. We will not discuss network security (routers, DMZs) or OS security, as this talk is focused on web application developers.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
This webcast's agenda is:
1. Introduction to the OWASP Top TEN.
2. How to integrate the OWASP Top Ten in your SDLC.
3. How the OWASP Top Ten maps to compliance, standards and other drivers.
Sustainable Software Architecture - Open Tour DACH '22Markus Eisele
Rolling into summer in Europe, still recovering from the last two years, another global threat pops back into people's minds. Extreme heat waves followed by severe weather phenomena remind all of us that climate change is a reality. As a father of two wonderful children who will hopefully live beyond 2090, I was wondering what impact software architecture has on global warming and climate change and how I can build better and more sustainable solutions. This presentation and demo will provide you with tools, best practices and metrics (executives love numbers and dashboards) to prove that the investment in Containers, OpenShift and a DevOps approach has a tangible return.
As presented at https://www.redhat.com/en/events/open-tour-geneva-2022
Quarkus is the new and shiny Kubernetes native framework that promises to solve everything you ever wanted. But what is the truth out there? What do some real-world scenarios look like, and what is it really used for?
What happens when unicorns drink coffeeMarkus Eisele
Your ultimate guide to modern applications. What happened to our lovely three-tier systems and why is enterprise software development becoming increasingly complicated? Walk away with new inspirations on what to focus on in the next months and how to stay happy in all this madness.
Keynote: jlove Conference 2020
Stateful on Stateless - The Future of Applications in the CloudMarkus Eisele
Most developers building applications on top of Kubernetes are still mainly relying on stateless protocols and design. The problem is that focusing exclusively on a stateless design ignores the hardest part in distributed systems: managing state—your data.
The challenge is not designing and implementing the services themselves, but managing the space in between the services: data consistency guarantees, reliable communication, data replication and failover, component failure detection and recovery, sharding, routing, consensus algorithms and so on.
Kubernetes and Akka work well together, since each is responsible for a different layer and function in the application stack. Kubernetes allows for coarse-grained container-level management of resilience and scalability. Akka allows for fine-grained entity-level management of resilience and scalability. This talk demonstrates how the two play together to deliver the future of stateful applications in the cloud.
Java in the age of containers - JUG Frankfurt/MMarkus Eisele
31.07.2019 Java in the Age of Containers and Serverless
https://sites.google.com/site/jugffm/home/31-07-2019-java-in-the-age-of-containers-and-serverless
Java in the Age of Containers and ServerlessMarkus Eisele
Java in 2019 was predicted by many to be business as usual. We have seen new Java releases coming out as planned, AdoptOpenJDK became the main trusted source of binaries, and Oracle fought for the trademark again by preventing the use of javax as a namespace.
Everything looks like it would be a silent year for Java. But one thing also seems obvious: Java's popularity is not gaining any more traction. New language features keep it up to date, but people are getting more selective when it comes to implementation choices, especially in the age of containers and cloud infrastructures. How will Java continue to fit in? What are the advantages and what needs to be done?
As given 6/20/19 https://skillsmatter.com/meetups/12248-keynote-by-markus-eisele-on-java-in-the-age-of-containers-and-serverless#overview
Migrating from Java EE to cloud-native Reactive systemsMarkus Eisele
A lot of businesses that never before considered themselves as “technology companies” are now faced with digital modernization imperatives that force them to rethink their application and infrastructure architecture. On the path to becoming a digital, on-demand provider, development speed is the ultimate competitive advantage.
https://info.lightbend.com/webinar-java-ee-to-cloud-modernization-register.html
The world is moving from a model where data sits at rest, waiting for people to make requests of it, to where data is constantly moving and streams of data flow to and from devices with or without human interaction. Decisions need to be made based on these streams of data in real-time, models need to be updated, and intelligence needs to be gathered. In this context, our old-fashioned approach of CRUD REST APIs serving CRUD database calls just doesn't cut it. It's time we moved to a stream-centric view of the world.
https://jonthebeach.com/speakers/71/Markus+Eisele
Cloud wars - A LavaOne discussion in seven slidesMarkus Eisele
We had a great session titled "Cloud Wars" proposed and led by Melissa McKay (@melissajmckay). I've introduced the pizza cloud model and some other thoughts around clouds that I found the time to put into a very few slides.
We talked about a lot more which did not make it into this. But it's a start :)
The world is moving from a model where data sits at rest, waiting for people to make requests of it, to where data is constantly moving, streams of data flow to and from devices with or without human interaction. Decisions need to be made based on these streams of data in real time, models need to be updated, intelligence needs to be learned. And our old-fashioned approach of CRUD REST APIs serving CRUD database calls just doesn't cut it, it's trying to fit a square peg into a round hole. It's time we moved to a stream-centric view of the world.
This talk will look at how Reactive Streams is shaping the future of Jakarta EE. I'll talk about some Reactive Streams based specifications that we're currently working on in the JDK, MicroProfile and Jakarta EE communities, as well as some potential big ideas to transform the way developers write their applications, such as event sourcing and CQRS, that Jakarta EE will likely adopt in future. We'll take a look at a hypothetical future Jakarta EE, at what a typical service will look like when streaming is embraced, and get a glimpse of how Jakarta EE can lead the world in standards for Reactive systems.
Reactive Integrations - Caveats and bumps in the road explained Markus Eisele
Understand the different approaches to integrate fast data and streams based frameworks into your legacy applications and learn about the advantages, disadvantages, caveats, and bumps in the road.
Stay productive while slicing up the monolithMarkus Eisele
Microservices-based architectures are in vogue. Over the last couple of years, we have learned how thought leaders implement them, and it seems like every other week we hear about how containers and platform-as-a-service offerings make them ultimately happen.
Tech Talent Night Copenhagen 11/22/17
https://greenticket.dk/techtalentnightcph
Stay productive while slicing up the monolith Markus Eisele
DevNexus 2017
Microservices-based architectures are en vogue. Over the last couple of years we have learned how the thought leaders implement them, and every other week we have heard about how containers and Platform-as-a-Service offerings make them ultimately happen.
The problem is that the developers are almost forgotten and left alone with provisioning and continuous delivery systems, containers and resource schedulers, and frameworks and patterns to help slice existing monoliths. How can we get back in control and efficiently develop them without having to provision complete production-like environments locally, by hand?
All the new buzzwords, frameworks, and hyped tools have made us forget ourselves, Java developers, and what it means to be productive and have fun building systems. The problem that we set out to solve is: how can we run real-world Microservices-based systems on our local development machines, managing provisioning and orchestration of potentially hundreds of services directly from a single command line tool, without sacrificing productivity enablers like hot code reloading and instant turnaround time?
During this talk, you’ll experience first-hand how much fun it can be to develop large-scale Microservices-based systems. You will learn a lot about what it takes to fail fast and recover and truly understand the power of a fully integrated Microservices development environment.
CQRS and Event Sourcing for Java DevelopersMarkus Eisele
As presented at CJUG. Recording will be up here: http://www.meetup.com/ChicagoJUG/events/231837105/
As soon as an application becomes even moderately complex, CQRS and an Event Sourced architecture start making a lot of sense. The talk is focused on:
- the challenges and tactics of separating the write model from the query model in a complex domain
- how commands naturally lead to events and to an event based system, and
- how events get projected into useful, eventually consistent views.
Event Sourcing is one of those things that you really need to push through at the beginning (much like TDD) and that, once understood and internalized, will change the way you architect a system. This talk introduces you to the basic concepts and problem spaces to solve.
Taking the friction out of microservice frameworks with LagomMarkus Eisele
Lagom is a new framework for Java designed with microservices in mind. It aims to simplify the process of building microservice-based systems that communicate asynchronously, self-heal, scale elastically and remain responsive under load and under failure.
Many of the challenges of microservices are caused by the fact we use tools designed without them in mind. So, how can a framework made to build systems composed of microservices from the start offer us a better solution? Because Lagom is a tool that is highly opinionated and explicitly designed to make development and production with microservices easy, it brings back all the fun and productivity into programming while still enabling you to build a reactive, distributed, highly scalable and rock solid application.
By the end of this presentation, you'll have experienced first hand how creating systems of microservices on the JVM using Lagom is dead-simple, intuitive, frictionless and a lot of fun! And we’ll ask whether reactive microservices are potentially so much better than, for example, Java EE?
DevoxxUK https://cfp.devoxx.co.uk/2016/talk/UZA-8885/Taking_the_friction_out_of_microservice_frameworks_with_Lagom
10 Golden Social Media Rules for Developer Relations ManagerMarkus Eisele
Social media is great. Being in contact with people from all over the world and being able to help your community from everywhere is nothing short of amazing. Yet, there are a few things to keep in mind to use these tools to their full extent without failing. This session introduces you to some very basic communication skills and walks you through the 10 golden rules in social media.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, companies that do not adapt and embrace new ideas often struggle to keep up with the competition. However, fostering a culture of innovation takes a lot of work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and take you on a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I already have working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
8. Galleria and Security
• Form based authentication
• JDBCRealm
• request.login(userId, new String(password));
• @RolesAllowed({ "RegisteredUsers" })
Enough? State-of-the-Art? Feeling-good-with-it™?
9. Motivation for this talk
• Seen a lot of Java EE out there with no or not enough security.
• Providing you a starting point
• Having seen a lot – sharing something
• Making you aware about security
• Finding out about “the security state of Galleria”
10. The Top 10 Most Critical Web Application Security Risks
Aka OWASP Top-10*
* Source: http://owasptop10.googlecode.com (Attribution-ShareAlike 3.0 Unported, CC BY-SA 3.0)
11. What is OWASP?
• Open Web Application Security Project
• Improving the security of (web) application software
– Not-for-profit organization since 2001
– Raise interest in secure development
• Documents
– Top 10
– Cheat Sheets
– Development Guides
• Solutions
– Enterprise Security API (ESAPI)
– WebScarab
– WebGoat
13. What is it?
• Sending unintended data to applications
• Manipulating and reading Data stores (e.g. DB, LDAP)
• Java EE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
– Database access (JPA, JDBC)
14. Worst-Practice Injection
String id = "x'; DROP TABLE members; --"; // user-input
// Worst practice: string concatenation puts the raw input into the SQL text
Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID = " + id, Photo.class);
// Bound parameter: the input is sent as a value and is never parsed as SQL
Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID = ?1", Magazine.class);
query2.setParameter(1, id);
15. Prevent Injection
• Sanitize the input
• Escape/Quotesafe the input
• Use bound parameters (the PREPARE statement)
• Limit database permissions and segregate users
• Use stored procedures for database access (might work)
• Isolate the webserver
• Configure error reporting
17. What is it?
• Inject malicious code into user interfaces
• Get access to browser information
– E.g. javascript:alert(document.cookie)
• Steal user’s session, steal sensitive data
• rewrite web page
• redirect user to phishing or malware site
• Java EE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
18. Worst Practices
• Don’t sanitize at all
<h:outputText value="#{user.content}" escape="false"/>
• Sanitize on your own
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">Test</a>
19. Prevent
• Sanitize the input
• Escape/Quotesafe the input
• Use Cookie flags:
– httpOnly (prevents XSS access)
• Use OWASP ESAPI: https://code.google.com/p/owasp-esapi-java/
20. A3 - Broken Authentication and Session Management
21. What is it?
• Container Security vs. own solution
• Session Binding / Session Renewal
• Password Strength (length/complexity)
• Plain text passwords (http/https)
• Password recovery
• Number of factors used for authentication
• Java EE 6 affected:
– JAAS / JASPIC
– Filter / PhaseListener
– Container and Web-App configuration
22. Worst Practice
• Authentication over http
• Custom security filter
• Not using Container Functionality
• No password strength requirements
• No HttpSession binding
• Saving Passwords
• Not testing security
23. Best Practices
• Go with provided Standard Realms and LoginModules whenever possible
• Use transport layer encryption (TLS/SSL)
• Use Cookie flags:
– secure (avoid clear text transmission)
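Both cookie flags from slides 19 and 23 can be set once for the whole application through the Servlet 3.0 SessionCookieConfig API that every Java EE 6 container provides. This listener is an added example, not code from the talk or from Galleria, and its class name is hypothetical:

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Hardens the JSESSIONID cookie at deployment time. SessionCookieConfig
 * may only be changed while the ServletContext is being initialized,
 * which is exactly when contextInitialized() runs.
 * Hypothetical class, not part of the Galleria application.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();

        // httpOnly (slide 19): the browser hides the cookie from document.cookie,
        // so script injected through an XSS flaw cannot read the session id.
        cfg.setHttpOnly(true);

        // secure (slide 23): the browser sends the cookie only over TLS,
        // so the session id never travels in clear text over plain http.
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The same two settings can be declared without code in web.xml under session-config/cookie-config (http-only and secure); note that secure=true requires the application to be served over https, otherwise the browser will never send the cookie back and every request starts a new session.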
25. What is it?
• Accessing domain objects with their PK
https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected:
– All layers
– Especially data access
26. Worst Practice
• No data separation for users (tenants)
• No request mode access for data (RUD)
• No query constraints
27. Best Practices
• Use AccessReferenceMaps
• Use data-driven security
• Perform data authorization on the view
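An added illustration of the AccessReferenceMap idea from slide 27 (not ESAPI's own class and not Galleria code): a session-scoped map that gives the browser random handles instead of primary keys, so the user/1 => user/21 guess from slide 25 has nothing to point at. Class and method names are hypothetical.

```java
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Per-session indirect reference map. Only objects the current user has
 * already been authorized to see get a handle; any other handle sent by the
 * client is unknown here and is rejected before it ever reaches the database.
 * Hypothetical implementation in the spirit of OWASP ESAPI's AccessReferenceMap.
 */
public class IndirectReferenceMap implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final SecureRandom RNG = new SecureRandom();

    // random handle -> direct reference (e.g. the Photo primary key)
    private final Map<String, Long> toDirect = new HashMap<String, Long>();
    // direct reference -> handle, so one object always gets the same handle
    private final Map<Long, String> toIndirect = new HashMap<Long, String>();

    /** Registers an object the user may access and returns its opaque handle. */
    public synchronized String addDirectReference(Long directRef) {
        String existing = toIndirect.get(directRef);
        if (existing != null) {
            return existing;
        }
        String handle;
        do {
            handle = randomHandle();
        } while (toDirect.containsKey(handle));
        toDirect.put(handle, directRef);
        toIndirect.put(directRef, handle);
        return handle;
    }

    /** Resolves a handle from the request; fails closed if it was never issued to this session. */
    public synchronized Long getDirectReference(String handle) {
        Long direct = handle == null ? null : toDirect.get(handle);
        if (direct == null) {
            // Unknown handle: tampered, expired, or issued to another user's session.
            throw new SecurityException("no accessible object for reference");
        }
        return direct;
    }

    /** 96 random bits, hex encoded: unguessable and safe to put in a URL. */
    private static String randomHandle() {
        byte[] bytes = new byte[12];
        RNG.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Keep one instance per HttpSession, populate it from a query that is already constrained to the logged-in user's own photos (the data-driven security bullet), render links with the handles, and resolve the handle back to the primary key in the action that loads the object.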
29. What is it?
• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• JavaEE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
30. Worst Practice
• Using a “secret Cookie”
• Only POST requests
• Wizard like transactions
• URL rewriting
31. Best Practices
• Add Unpredictability (tokens)
• CSRFPreventionForm
http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI
http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
33. What is it?
• Applies to
– Operating System
– Application Server
– Databases
– Additional Services
• Includes (beside _many_ others)
– Missing Patches
– All security relevant configuration
– Default accounts
34. Running GlassFish in a Secure Environment
• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file
• Set correct file system permissions
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
35. Review the *.policy files
• server.policy and granted.policy
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain.
• Document your changes!
// Following grant block is only required by Connectors. If Connectors
// are not in use the recommendation is to remove this grant.
grant {
    permission javax.security.auth.PrivateCredentialPermission
        "javax.resource.spi.security.PasswordCredential * \"*\"","read";
};
36. Worst Practices
• Not redirecting the default pages
• Using any defaults like:
– Passwords: admin password, master password
– Network interface binding: listening on 0.0.0.0
– Certificates: self-signed certificate
• Not restricting the GlassFish OS user, nor enabling the security manager
• Same security config for all environments
• Using an unhardened OS!
38. What is it?
• Presentation layer access control
• Related to A4 – Insecure Direct Object References
39. Worst Practice
• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permissions and access they have
40. Java EE 6
• What you do to prevent A4 plus:
– Use Container security (security-constraint)
– Use programmatic login of Java EE 6 if needed.
– Properly configure security realms
– Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
– Only allow supported/required HTTP methods
– Accurately categorize the URL patterns and permit the relevant roles for each
41. Best Practices
• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
43. What is it?
• Sensitive data exposed to wrong persons
• Could be:
– Passwords
– Financial/Health care data
– Credit cards
44. GlassFish
• Protect the keystore
• Protect sensitive data
– Use salted hashing or double hashing for authentication realms (Custom realm development)
– Evaluate logging output
• Protect GlassFish accounts
– Use aliasing to protect the password and keep the master password safe to protect the aliases
45. Worst Practices
• Storing passwords in clear text without aliasing or the proper store
• Using file authentication realm
• Ignoring digest authentication/hashed password storage
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
46. Prevention
• Identify sensitive data
• Wisely encrypt sensitive data
– On every level (application, appserver, db)
– with the right algorithm and
– with the right mechanism
• Don’t keep clear text copies
• Only authorized personnel should have access to clear text data
• Keep the keys as protected as possible (HSM)
• Keep offsite encrypted backups in addition to on-site copies
49. Worst Practice
• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using default self-signed certificate
• Storing unencrypted cookies
• Not restricting cookies to HTTPS transmission (Cookie.setSecure(true))
• Forgetting about the rest of the infrastructure
50. GlassFish
• Properly configure HTTPS listener/s (set the right keystore)
• Install the right server certificates to be used by SSL listeners
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service
51. Java EE
• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
52. Best Practice
• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient
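"Individually encrypt messages" and "sign messages before transmission" with standard algorithms, as an added example (not from the slides): encrypt-then-MAC with AES-CBC for confidentiality and HMAC-SHA256 for integrity, using only JCE classes. The two independent keys are assumed to be provisioned out of band (keystore or HSM, as slide 46 suggests); newKey() is there only so the class can be exercised.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Added example, not from the slides; key provisioning is an assumption. */
public final class SealedMessage {
    private static final int IV_BYTES = 16;  // AES block size
    private static final int TAG_BYTES = 32; // HMAC-SHA256 output
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey encKey;
    private final SecretKey macKey;

    public SealedMessage(SecretKey encKey, SecretKey macKey) {
        this.encKey = encKey;
        this.macKey = macKey;
    }

    /** For demonstration only; production keys come from the key store. */
    public static SecretKey newKey(String algorithm, int bits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm); // "AES" / "HmacSHA256"
        kg.init(bits);
        return kg.generateKey();
    }

    /** Output layout: IV || ciphertext || HMAC(IV || ciphertext). */
    public byte[] seal(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh IV per message, never reused with the same key
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext);

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        byte[] tag = mac.doFinal(ct); // authenticates IV and ciphertext together

        byte[] out = new byte[IV_BYTES + ct.length + TAG_BYTES];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        System.arraycopy(tag, 0, out, IV_BYTES + ct.length, TAG_BYTES);
        return out;
    }

    public byte[] open(byte[] sealed) throws GeneralSecurityException {
        if (sealed.length < IV_BYTES + TAG_BYTES) {
            throw new GeneralSecurityException("message truncated");
        }
        int ctLen = sealed.length - IV_BYTES - TAG_BYTES;
        byte[] iv = Arrays.copyOfRange(sealed, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, IV_BYTES, IV_BYTES + ctLen);
        byte[] tag = Arrays.copyOfRange(sealed, IV_BYTES + ctLen, sealed.length);

        // Verify first, decrypt second: a forged or altered message is rejected
        // before any padding or decryption error could leak information.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        byte[] expected = mac.doFinal(ct);
        if (!MessageDigest.isEqual(expected, tag)) {
            throw new GeneralSecurityException("MAC mismatch: message rejected");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return cipher.doFinal(ct);
    }
}
```

Usage is new SealedMessage(newKey("AES", 128), newKey("HmacSHA256", 256)), then seal() on the sender and open() on the receiver; the MAC key is deliberately separate from the encryption key, and the MAC is checked over the IV as well so that neither can be altered in transit. This is message-level protection on top of, not instead of, the TLS listed first on the slide.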
54. What is it?
• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters
http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting
55. Java EE 6
• Avoid redirects and forwards wherever possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container-managed authentication/authorization properly
• Redirects can happen without authentication and thus require triple-checking to prevent unauthorized access.
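The "verify/validate the target URL" step, as an added example (not from the slides) in the shape of the /external?url=... pattern shown above: a redirect target is accepted only if it is a path inside this application or an https URL to an allow-listed host, and everything else fails closed. The parameter name "url" and the two permitted hosts are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example, not from the slides; hosts and parameter name are assumptions. */
@WebServlet("/external")
public class SafeRedirectServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.example.org", "docs.example.org"));

    /**
     * Returns a vetted Location value, or null when the target must be refused.
     * Accepts (a) a path inside this application and (b) https URLs to listed hosts.
     */
    static String vetTarget(String contextPath, String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(candidate); // rejects backslashes, spaces, control characters
        } catch (URISyntaxException e) {
            return null;
        }
        if (!uri.isAbsolute()) {
            // Same-site path only. Browsers treat "//host/x" and "///host/x" as
            // protocol-relative, so anything starting with "//" is refused, as is
            // a path that leaves the application's context root after normalizing.
            if (uri.getAuthority() != null || candidate.startsWith("//")) {
                return null;
            }
            String path = uri.normalize().getPath();
            if (path == null || !path.startsWith(contextPath + "/")) {
                return null;
            }
            return candidate;
        }
        // External target: https only, no user-info trick ("https://good@evil"),
        // and the host must be on the allow list.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getUserInfo() != null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return candidate;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = vetTarget(req.getContextPath(), req.getParameter("url"));
        if (target == null) {
            // Fail closed: no redirect at all rather than a "best effort" one.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unsupported redirect target");
            return;
        }
        resp.sendRedirect(target);
    }
}
```

For a forward the same vetting applies with one extra check: the container evaluates security-constraints on the client's request only, not on a RequestDispatcher.forward(), so before forwarding to a protected resource the code must itself confirm (for example with isUserInRole) that the caller is allowed to see the target. That is the "triple check" the slide asks for.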
56. Worst Practices
• Not using a proper access control mechanism (e.g. container-managed and a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website
• Not validating/verifying the target against the user's access level before doing the forward