SlideShare a Scribd company logo

Top 10 security risks for mobile backend developers

Download as PPTX, PDF
Jiri Danihelka
Jiri Danihelka

Top 10 security risks for mobile backend developers

Technology
1 of 13
Top 10 Security Risks for Mobile Backend Developers 22.8.2016 Jiří Danihelka
1. SQL Injection Recommendations:  Always use a database library that is immune to SQL injections (e.g. Entity Framework).  Do not create SQL command by string concatenations. Do not rely just on character encoding. 2
2. Cross Site Scripting and JavaScript Injection Recommendations:  Always HTML-encode user strings before putting them to the web page. ASP.Net does this automatically unless you use @Html.Raw(...); function or a similar one.  Treat page parameters (e.g. GET parameters, cookies, ...) as a user input.  Do not allow '<' and '>' in user inputs. (Administrators that create content may be an exception.)  Users should not write HTML markup - use a different markup for them e.g. BB Code. (Administrators that create content may be an exception.) 3
3. Broken Authentication and Session Management Recommendations:  Do not put session authentication token into URL, put it into cookies.  Users with disabled cookies should not have access to sites that need authentication. 4  Passwords or session tokens are stored in insecure places like:  URL parameters  Application logs  Sharing URL on social networks  Log: Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’
4. Insecure Direct Object References Recommendations:  Always check the permission user when executing requests. Just hiding the unavailable options is not secure enough.  Optionally use ids of your objects that are hard to guess and iterate - e.g. GUID values. 5
5. Cross Site Request Forgery Recommendations:  Either use ASP.Net anti-forgery tokens for forms ...  ... or check the request origin against a whitelist of legitimate domains. 6
6. Security Misconfiguration Recommendations:  This topic is very broad and it is hard to give a general recommendation.  Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout). 7  Change default passwords  Do not store production credentials in the repository  Use different credentials in Dev and Live envoroments
7. Insecure Cryptographic Storage Recommendations:  Store passwords in an encrypted form (not in plaintext).  Use one-way encryption of passwords using hashing.  Use policies for password length and complexity to mitigate brute-force attacks.  Use hashing with a random seed to avoid rainbow table attacks. 8  Storage of:  Passwords  Credit card numbers  Bank account details  Any sensitive data  Additional level of protection when the database leaks
8. Failure to Restrict URL Access Recommendations:  Always check user permission when accessing a restricted page.  Do not just hide links to the pages, the user can manually type the path. 9
9. Insufficient Transport Layer Protection Recommendations:  Always use HTTPS for login pages.  Do not combine secure and insecure content on a single page (e.g. using Iframes). 10
10. Unvalidated Redirects and Forwards Recommendations:  When you embed a 3rd party object to your page (e.g. YouTube video) based on a URL parameter check it first against a whitelist.  Also use a similar whitelist when your page redirects or forwards to a 3rd party page based on a URL parameter. 11
Security Checklist
Security Recommendations Checklist 13

Recommended

Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersJiri Danihelka
 
Manage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceManage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceEng Teong Cheah
 
Identity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionIdentity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionEng Teong Cheah
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
[PDF] CISSP Guide to Security Essentials
[PDF] CISSP Guide to Security Essentials[PDF] CISSP Guide to Security Essentials
[PDF] CISSP Guide to Security Essentialskutuer324r34
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and SecretsEng Teong Cheah
 
Flash Security
Flash SecurityFlash Security
Flash SecurityFerruh Mavituna
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 

Recommended

Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersJiri Danihelka
 
Manage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceManage Artifact Versioning, Security and Compliance
Manage Artifact Versioning, Security and ComplianceEng Teong Cheah
 
Identity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionIdentity Security - Azure Identity Protection
Identity Security - Azure Identity ProtectionEng Teong Cheah
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
[PDF] CISSP Guide to Security Essentials
[PDF] CISSP Guide to Security Essentials[PDF] CISSP Guide to Security Essentials
[PDF] CISSP Guide to Security Essentialskutuer324r34
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and SecretsEng Teong Cheah
 
Flash Security
Flash SecurityFlash Security
Flash SecurityFerruh Mavituna
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development SecurityRafael Monteiro
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host SecurityEng Teong Cheah
 
Security it trans
Security it transSecurity it trans
Security it transPrasad Shevate
 
Android App Security
Android App SecurityAndroid App Security
Android App SecurityThe Software House
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughnFront Security
 
Next-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionNext-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionQuick Heal Technologies Ltd.
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall introRich Helton
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Windows 8 security eCore
Windows 8 security eCoreWindows 8 security eCore
Windows 8 security eCoreThe eCore Group
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharramKevin Wharram
 
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07blusmurfydot1
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practicesphanleson
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityHTS Hosting
 
западная европа
западная европазападная европа
западная европаValentina150855
 
Nagraj_Resume
Nagraj_ResumeNagraj_Resume
Nagraj_ResumeNag Raj
 

More Related Content

What's hot

OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development SecurityRafael Monteiro
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host SecurityEng Teong Cheah
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughnFront Security
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall introRich Helton
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
Windows 8 security eCore
Windows 8 security eCoreWindows 8 security eCore
Windows 8 security eCoreThe eCore Group
 
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07blusmurfydot1
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practicesphanleson
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityHTS Hosting
 

What's hot (20)

OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development Security
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host Security
 
Security it trans
Security it transSecurity it trans
Security it trans
 
Android App Security
Android App SecurityAndroid App Security
Android App Security
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not Enough
 
Next-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionNext-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway Protection
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Windows 8 security eCore
Windows 8 security eCoreWindows 8 security eCore
Windows 8 security eCore
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharram
 
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
IT109 Microsoft Windows 7 Operating Systems Unit 06 lesson 07
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
 

Viewers also liked

западная европа
западная европазападная европа
западная европаValentina150855
 
Nagraj_Resume
Nagraj_ResumeNagraj_Resume
Nagraj_ResumeNag Raj
 
Marie curie
Marie curieMarie curie
Marie curieAnnasjo
 
GuidePédagogique-logicielMultimedia_ENGLISH
GuidePédagogique-logicielMultimedia_ENGLISHGuidePédagogique-logicielMultimedia_ENGLISH
GuidePédagogique-logicielMultimedia_ENGLISHRaquel Pollo Gonzalez
 
Docker.key
Docker.keyDocker.key
Docker.keyjwausle
 
Hình vẽ đơn giản giúp nhà trở nên vui mắt
Hình vẽ đơn giản giúp nhà trở nên vui mắtHình vẽ đơn giản giúp nhà trở nên vui mắt
Hình vẽ đơn giản giúp nhà trở nên vui mắtThi công sơn giá rẻ
 
EndorsementsPhoto
EndorsementsPhotoEndorsementsPhoto
EndorsementsPhotoIan Hughes
 
sistema circulatorio
sistema circulatoriosistema circulatorio
sistema circulatorioPaula Prieto
 
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng cóNgôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng cóThi công sơn giá rẻ
 
Lorena Fernandez presentación proyecto ley Mutualia
Lorena Fernandez presentación proyecto ley Mutualia Lorena Fernandez presentación proyecto ley Mutualia
Lorena Fernandez presentación proyecto ley Mutualia mutualia
 
Step by step blueprint for adult website business
Step by step blueprint for adult website businessStep by step blueprint for adult website business
Step by step blueprint for adult website businessSteve Smith
 

Viewers also liked (18)

западная европа
западная европазападная европа
западная европа
 
Nagraj_Resume
Nagraj_ResumeNagraj_Resume
Nagraj_Resume
 
Marie curie
Marie curieMarie curie
Marie curie
 
Materi 1
Materi 1Materi 1
Materi 1
 
GuidePédagogique-logicielMultimedia_ENGLISH
GuidePédagogique-logicielMultimedia_ENGLISHGuidePédagogique-logicielMultimedia_ENGLISH
GuidePédagogique-logicielMultimedia_ENGLISH
 
Docker.key
Docker.keyDocker.key
Docker.key
 
My Summer Holidays
My Summer HolidaysMy Summer Holidays
My Summer Holidays
 
Imthiyaz A M - CV
Imthiyaz A M - CVImthiyaz A M - CV
Imthiyaz A M - CV
 
RTF344M_S08_SYLLABUS
RTF344M_S08_SYLLABUSRTF344M_S08_SYLLABUS
RTF344M_S08_SYLLABUS
 
Hình vẽ đơn giản giúp nhà trở nên vui mắt
Hình vẽ đơn giản giúp nhà trở nên vui mắtHình vẽ đơn giản giúp nhà trở nên vui mắt
Hình vẽ đơn giản giúp nhà trở nên vui mắt
 
EndorsementsPhoto
EndorsementsPhotoEndorsementsPhoto
EndorsementsPhoto
 
sistema circulatorio
sistema circulatoriosistema circulatorio
sistema circulatorio
 
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng cóNgôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
 
Project english pdf
Project english pdfProject english pdf
Project english pdf
 
CV_RHansen_2016_v2
CV_RHansen_2016_v2CV_RHansen_2016_v2
CV_RHansen_2016_v2
 
Lorena Fernandez presentación proyecto ley Mutualia
Lorena Fernandez presentación proyecto ley Mutualia Lorena Fernandez presentación proyecto ley Mutualia
Lorena Fernandez presentación proyecto ley Mutualia
 
Úvod do XAML
Úvod do XAMLÚvod do XAML
Úvod do XAML
 
Step by step blueprint for adult website business
Step by step blueprint for adult website businessStep by step blueprint for adult website business
Step by step blueprint for adult website business
 

Similar to Top 10 security risks for mobile backend developers

Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Pentesting for startups
Pentesting for startupsPentesting for startups
Pentesting for startupslevigross
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusionisummation
 

Similar to Top 10 security risks for mobile backend developers (20)

Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Pentesting for startups
Pentesting for startupsPentesting for startups
Pentesting for startups
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Let's talk Security
Let's talk SecurityLet's talk Security
Let's talk Security
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Security with ColdFusion
Security with ColdFusionSecurity with ColdFusion
Security with ColdFusion
 

More from Jiri Danihelka

Distributed Mobile Graphics
Distributed Mobile GraphicsDistributed Mobile Graphics
Distributed Mobile GraphicsJiri Danihelka
 
Mixed reality for Windows 10
Mixed reality for Windows 10Mixed reality for Windows 10
Mixed reality for Windows 10Jiri Danihelka
 
New Xaml components for Windows developers
New Xaml components for Windows developersNew Xaml components for Windows developers
New Xaml components for Windows developersJiri Danihelka
 
MVVM Windows UWP apps with Template 10
MVVM Windows UWP apps with Template 10MVVM Windows UWP apps with Template 10
MVVM Windows UWP apps with Template 10Jiri Danihelka
 
An introduction to development of universal applications
An introduction to development of universal applicationsAn introduction to development of universal applications
An introduction to development of universal applicationsJiri Danihelka
 
Windows game development with Unity 5
Windows game development with Unity 5Windows game development with Unity 5
Windows game development with Unity 5Jiri Danihelka
 
Creating great Unity games for Windows 10 - Part 2
Creating great Unity games for Windows 10 - Part 2Creating great Unity games for Windows 10 - Part 2
Creating great Unity games for Windows 10 - Part 2Jiri Danihelka
 
Creating great Unity games for Windows 10 - Part 1
Creating great Unity games for Windows 10 - Part 1Creating great Unity games for Windows 10 - Part 1
Creating great Unity games for Windows 10 - Part 1Jiri Danihelka
 
Prism library and MVVM
Prism library and MVVMPrism library and MVVM
Prism library and MVVMJiri Danihelka
 
UWP apps development - Part 3
UWP apps development - Part 3UWP apps development - Part 3
UWP apps development - Part 3Jiri Danihelka
 
UWP apps development - Part 2
UWP apps development - Part 2UWP apps development - Part 2
UWP apps development - Part 2Jiri Danihelka
 
UWP apps development - Part 1
UWP apps development - Part 1UWP apps development - Part 1
UWP apps development - Part 1Jiri Danihelka
 
Designing Windows apps with Xaml
Designing Windows apps with XamlDesigning Windows apps with Xaml
Designing Windows apps with XamlJiri Danihelka
 
Advanced MVVM Windows UWP apps with Template 10
Advanced MVVM Windows UWP apps with Template 10Advanced MVVM Windows UWP apps with Template 10
Advanced MVVM Windows UWP apps with Template 10Jiri Danihelka
 
Blend for Visual Studio 2015
Blend for Visual Studio 2015Blend for Visual Studio 2015
Blend for Visual Studio 2015Jiri Danihelka
 
Windows 10 Mobile and Distributed Graphics
Windows 10 Mobile and Distributed GraphicsWindows 10 Mobile and Distributed Graphics
Windows 10 Mobile and Distributed GraphicsJiri Danihelka
 
Programování Windows 8
Programování Windows 8Programování Windows 8
Programování Windows 8Jiri Danihelka
 
Vývoj pro Microsoft Surface a HoloLens
Vývoj pro Microsoft Surface a HoloLensVývoj pro Microsoft Surface a HoloLens
Vývoj pro Microsoft Surface a HoloLensJiri Danihelka
 
Interaktivní 3D služby v cloudu
Interaktivní 3D služby v clouduInteraktivní 3D služby v cloudu
Interaktivní 3D služby v clouduJiri Danihelka
 

More from Jiri Danihelka (20)

Distributed Mobile Graphics
Distributed Mobile GraphicsDistributed Mobile Graphics
Distributed Mobile Graphics
 
Mixed reality for Windows 10
Mixed reality for Windows 10Mixed reality for Windows 10
Mixed reality for Windows 10
 
New Xaml components for Windows developers
New Xaml components for Windows developersNew Xaml components for Windows developers
New Xaml components for Windows developers
 
MVVM Windows UWP apps with Template 10
MVVM Windows UWP apps with Template 10MVVM Windows UWP apps with Template 10
MVVM Windows UWP apps with Template 10
 
An introduction to development of universal applications
An introduction to development of universal applicationsAn introduction to development of universal applications
An introduction to development of universal applications
 
Windows game development with Unity 5
Windows game development with Unity 5Windows game development with Unity 5
Windows game development with Unity 5
 
Creating great Unity games for Windows 10 - Part 2
Creating great Unity games for Windows 10 - Part 2Creating great Unity games for Windows 10 - Part 2
Creating great Unity games for Windows 10 - Part 2
 
Creating great Unity games for Windows 10 - Part 1
Creating great Unity games for Windows 10 - Part 1Creating great Unity games for Windows 10 - Part 1
Creating great Unity games for Windows 10 - Part 1
 
Prism library and MVVM
Prism library and MVVMPrism library and MVVM
Prism library and MVVM
 
UWP apps development - Part 3
UWP apps development - Part 3UWP apps development - Part 3
UWP apps development - Part 3
 
UWP apps development - Part 2
UWP apps development - Part 2UWP apps development - Part 2
UWP apps development - Part 2
 
UWP apps development - Part 1
UWP apps development - Part 1UWP apps development - Part 1
UWP apps development - Part 1
 
Designing Windows apps with Xaml
Designing Windows apps with XamlDesigning Windows apps with Xaml
Designing Windows apps with Xaml
 
Advanced MVVM Windows UWP apps with Template 10
Advanced MVVM Windows UWP apps with Template 10Advanced MVVM Windows UWP apps with Template 10
Advanced MVVM Windows UWP apps with Template 10
 
Windows UX
Windows UXWindows UX
Windows UX
 
Blend for Visual Studio 2015
Blend for Visual Studio 2015Blend for Visual Studio 2015
Blend for Visual Studio 2015
 
Windows 10 Mobile and Distributed Graphics
Windows 10 Mobile and Distributed GraphicsWindows 10 Mobile and Distributed Graphics
Windows 10 Mobile and Distributed Graphics
 
Programování Windows 8
Programování Windows 8Programování Windows 8
Programování Windows 8
 
Vývoj pro Microsoft Surface a HoloLens
Vývoj pro Microsoft Surface a HoloLensVývoj pro Microsoft Surface a HoloLens
Vývoj pro Microsoft Surface a HoloLens
 
Interaktivní 3D služby v cloudu
Interaktivní 3D služby v clouduInteraktivní 3D služby v cloudu
Interaktivní 3D služby v cloudu
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Top 10 security risks for mobile backend developers

  • 1. Top 10 Security Risks for Mobile Backend Developers 22.8.2016 Jiří Danihelka
  • 2. 1. SQL Injection Recommendations:  Always use a database library that is immune to SQL injections (e.g. Entity Framework).  Do not create SQL command by string concatenations. Do not rely just on character encoding. 2
  • 3. 2. Cross Site Scripting and JavaScript Injection Recommendations:  Always HTML-encode user strings before putting them to the web page. ASP.Net does this automatically unless you use @Html.Raw(...); function or a similar one.  Treat page parameters (e.g. GET parameters, cookies, ...) as a user input.  Do not allow '<' and '>' in user inputs. (Administrators that create content may be an exception.)  Users should not write HTML markup - use a different markup for them e.g. BB Code. (Administrators that create content may be an exception.) 3
  • 4. 3. Broken Authentication and Session Management Recommendations:  Do not put session authentication token into URL, put it into cookies.  Users with disabled cookies should not have access to sites that need authentication. 4  Passwords or session tokens are stored in insecure places like:  URL parameters  Application logs  Sharing URL on social networks  Log: Error function ‘LoginUser’ failed – the arguments were Login=‘John’, Password=‘helllo’
  • 5. 4. Insecure Direct Object References Recommendations:  Always check the permission user when executing requests. Just hiding the unavailable options is not secure enough.  Optionally use ids of your objects that are hard to guess and iterate - e.g. GUID values. 5
  • 6. 5. Cross Site Request Forgery Recommendations:  Either use ASP.Net anti-forgery tokens for forms ...  ... or check the request origin against a whitelist of legitimate domains. 6
  • 7. 6. Security Misconfiguration Recommendations:  This topic is very broad and it is hard to give a general recommendation.  Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout). 7  Change default passwords  Do not store production credentials in the repository  Use different credentials in Dev and Live envoroments
  • 8. 7. Insecure Cryptographic Storage Recommendations:  Store passwords in an encrypted form (not in plaintext).  Use one-way encryption of passwords using hashing.  Use policies for password length and complexity to mitigate brute-force attacks.  Use hashing with a random seed to avoid rainbow table attacks. 8  Storage of:  Passwords  Credit card numbers  Bank account details  Any sensitive data  Additional level of protection when the database leaks
  • 9. 8. Failure to Restrict URL Access Recommendations:  Always check user permission when accessing a restricted page.  Do not just hide links to the pages, the user can manually type the path. 9
  • 10. 9. Insufficient Transport Layer Protection Recommendations:  Always use HTTPS for login pages.  Do not combine secure and insecure content on a single page (e.g. using Iframes). 10
  • 11. 10. Unvalidated Redirects and Forwards Recommendations:  When you embed a 3rd party object to your page (e.g. YouTube video) based on a URL parameter check it first against a whitelist.  Also use a similar whitelist when your page redirects or forwards to a 3rd party page based on a URL parameter. 11