SlideShare a Scribd company logo

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

Download as PPTX, PDF
A
Andi Rustandi Djunaedi

related webminar : https://www.youtube.com/watch?v=p1WbHLsqTnI related code: https://github.com/bliblidotcom/sample-basic-secure-coding

1 of 12
Secure Coding the bare minimum – understand the problem
Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping

Recommended

Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Damian Beresford
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23
BIWUG
 
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
Sencha
 
Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Getting Started with ASP.NET 5
Getting Started with ASP.NET 5
Brij Mishra
 
Building rest services using aspnetwebapi
Building rest services using aspnetwebapiBuilding rest services using aspnetwebapi
Building rest services using aspnetwebapi
Brij Mishra
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster
Brij Mishra
 
Writing power shell the right tool for the job
Writing power shell the right tool for the jobWriting power shell the right tool for the job
Writing power shell the right tool for the job
Jaap Brasser
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 

Recommended

Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Damian Beresford
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23
BIWUG
 
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
Sencha
 
Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Getting Started with ASP.NET 5
Getting Started with ASP.NET 5
Brij Mishra
 
Building rest services using aspnetwebapi
Building rest services using aspnetwebapiBuilding rest services using aspnetwebapi
Building rest services using aspnetwebapi
Brij Mishra
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster
Brij Mishra
 
Writing power shell the right tool for the job
Writing power shell the right tool for the jobWriting power shell the right tool for the job
Writing power shell the right tool for the job
Jaap Brasser
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development
LetsConnect
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
Sencha
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automation
Jaap Brasser
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShell
Jaap Brasser
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShell
Jaap Brasser
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDB
Valeri Karpov
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA Configuration
Jaap Brasser
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShell
Jaap Brasser
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShell
Jaap Brasser
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With Jest
Ben McCormick
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
DIWUG
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environment
Jaap Brasser
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend tooling
pksjce
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
Planidoo & Zotonic
Planidoo & ZotonicPlanidoo & Zotonic
Planidoo & Zotonic
David de Boer
 
Design for scale
Design for scaleDesign for scale
Design for scale
Doug Lampe
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows Azure
Gunnar Peipman
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the gui
Jaap Brasser
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
Michael Galpin
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with Fiddler
Ido Flatow
 

More Related Content

What's hot

CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development
LetsConnect
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
Sencha
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automation
Jaap Brasser
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShell
Jaap Brasser
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShell
Jaap Brasser
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDB
Valeri Karpov
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
Jaap Brasser
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA Configuration
Jaap Brasser
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShell
Jaap Brasser
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShell
Jaap Brasser
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With Jest
Ben McCormick
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
DIWUG
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environment
Jaap Brasser
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend tooling
pksjce
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
Planidoo & Zotonic
Planidoo & ZotonicPlanidoo & Zotonic
Planidoo & Zotonic
David de Boer
 
Design for scale
Design for scaleDesign for scale
Design for scale
Doug Lampe
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows Azure
Gunnar Peipman
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the gui
Jaap Brasser
 

What's hot (20)

CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automation
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShell
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShell
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDB
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA Configuration
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShell
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShell
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With Jest
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environment
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend tooling
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfianto
 
Planidoo & Zotonic
Planidoo & ZotonicPlanidoo & Zotonic
Planidoo & Zotonic
 
Design for scale
Design for scaleDesign for scale
Design for scale
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows Azure
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the gui
 

Similar to Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
Michael Galpin
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with Fiddler
Ido Flatow
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)
Hong Tat Yew
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
The Python in the Apple
The Python in the AppleThe Python in the Apple
The Python in the Apple
zeroSteiner
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators lite
Sharon James
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
Nathan Van Gheem
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsMark Atwood
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIs
Silota Inc.
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
Jason Gerard
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
Creating a Documentation Portal
Creating a Documentation PortalCreating a Documentation Portal
Creating a Documentation Portal
Steve Anderson
 
How to Contribute to Apache Usergrid
How to Contribute to Apache UsergridHow to Contribute to Apache Usergrid
How to Contribute to Apache Usergrid
David M. Johnson
 
MEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopMEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopValeri Karpov
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
ForgeRock
 
Extending WordPress as a pro
Extending WordPress as a proExtending WordPress as a pro
Extending WordPress as a pro
Marko Heijnen
 
Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015
Kim Frehe
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescue
Marko Heijnen
 

Similar to Tech IT Easy x DevTalk : "Secure Your Coding with OWASP" (20)

Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with Fiddler
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
The Python in the Apple
The Python in the AppleThe Python in the Apple
The Python in the Apple
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators lite
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red Hats
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIs
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
Creating a Documentation Portal
Creating a Documentation PortalCreating a Documentation Portal
Creating a Documentation Portal
 
How to Contribute to Apache Usergrid
How to Contribute to Apache UsergridHow to Contribute to Apache Usergrid
How to Contribute to Apache Usergrid
 
MEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopMEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona Workshop
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
 
Extending WordPress as a pro
Extending WordPress as a proExtending WordPress as a pro
Extending WordPress as a pro
 
Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescue
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

  • 1. Secure Coding the bare minimum – understand the problem
  • 2. Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
  • 3. Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
  • 4. Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
  • 5. Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
  • 6. Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
  • 7. Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
  • 8. Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
  • 9. Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
  • 10. Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
  • 11. Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
  • 12. What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping