This document summarizes an agenda for a presentation on web application security testing. The presentation covers basic principles of security vulnerabilities, server-side vulnerabilities like injection flaws and session management issues, client-side vulnerabilities like cross-site scripting and request forgery, and APIs. It provides an overview of common attack types like SQL injection and stored XSS, as well as how to protect against them and perform security testing of web applications.
Automating security tests for Continuous Integration, by Stephen de Vries
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.
Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests
This is the presentation from the online session of how to protect your Uniface applications from security threats. Covering security threats faced by web developers and what security features developers should consider.
DevSecCon Tel Aviv 2018 - Serverless Security, by Avi Shulman
Serverless architectures enable organizations to build and deploy software and services without having to maintain or provision any physical or virtual servers. Applications built using serverless architectures are suitable for a wide range of services, and can scale elastically as cloud workloads grow. From a software development perspective, organisations adopting serverless can focus on core product functionality, and completely disregard the underlying operating system, application server or software runtime environment. In essence, when you develop applications using serverless, you relieve yourself from the daunting task of having to constantly apply security patches for the underlying operating system and application servers – these tasks are now the responsibility of the serverless architecture provider.
However, the comfort and elegance of serverless architectures is not without its drawbacks – serverless architectures introduce a new set of security concerns that must be taken into consideration when coming to secure such applications. In this talk, we will present an overview of serverless architectures, the challenge of securing serverless applications, and an overview of the top 10 most common security concerns that developers, DevSecOps and architects should consider when designing and developing such applications. We will also demonstrate a unique CI/CD tool for hardening serverless projects during deployment time.
Injecting Security into vulnerable web apps at Runtime, by Ajin Abraham
Web application security is not hard, but it is easy to get wrong, as writing secure code is not as easy as preaching about it. So to overcome incidents arising from such unforeseen events, organisations tend to rely on Web Application Firewalls, or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them works outside or around the web application and acts by intercepting the HTTP requests coming to the web server, then deciding to allow or block each request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is being interpreted, whether the application/server is under heavy load, whether an attacker is exfiltrating data by exploiting an SQLi that the WAF couldn’t detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will be bypassed if a payload is not present in their signature list. In the event of a zero day, a WAF in most cases won’t be able to prevent an attack, as it doesn’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed Runtime Application Self Protection (RASP), which works by understanding your application and defends against web attacks by working inside the web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module for a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defence is to develop applications where security controls are incorporated into the development cycle and used by developers while writing their code. How can developers deliver more secure applications? What are the security techniques they can use while writing the software?
This presentation will discuss the proactive controls that will guide developers down the path of secure software. It will explore the security techniques that can be incorporated into the development cycle and will provide real-world examples of how to solve some of the most prevalent security problems on the internet.
Recommended to all builders and security professionals interested in incorporating security techniques into the software development life cycle in the effort to build more secure applications.
URL: http://sched.co/A652
Serverless - minimizing the attack surface, by Avi Shulman
Slides from my talk at ServerlessConf NYC 2017.
The talk will cover the various aspects of reducing the attack surface on serverless applications with an emphasis on maintaining least privileged access. I’ll cover the possible ways for attackers to leverage an overly permissive application and what might be the impacts of such attempts. In the talk, I’ll present a demo of an open source tool which can help you maintain least privileged roles and policies for your Lambda functions and reduce the overall attack surface on your serverless application.
Presentation "Know Your Security Model" at the dotnetconf.ru conference. In this briefing, I talk about the security architecture in .NET Framework 4.0 and later, the use of AppDomains and Code Access Security (CAS) in various applications, and the development of your own sandbox. I demonstrated a sample Trusted Chain attack to bypass CAS restrictions.
Injecting Security into Web apps at Runtime Whitepaper, by Ajin Abraham
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and introduces the next generation web application defending technology dubbed Runtime Application Self-Protection (RASP), which defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight into the future of runtime protection.
SEC304 Advanced Techniques for DDoS Mitigation and Web Application Defense, by Amazon Web Services
Security professionals and full-stack engineers will learn how to defend against distributed denial of service (DDoS) attacks and web application exploits by using automation to monitor activity, configure rate limiting, and deploy network filtering rules. This session will show you how to use Lambda functions to automate event response and integrate with your security operations tools. You will become an expert in advanced techniques to help you protect and monitor your AWS networks and resources using services such as Amazon Virtual Private Cloud, Amazon Web Application Firewall, Amazon Shield, and more. You will also learn how to monitor and gain deep visibility into your AWS environment by using highly-scaled solutions such as AWS CloudTrail and AWS CloudWatch.
Using & Abusing APIs: An Examination of the API Attack Surface, by CA API Management
Web APIs offer organizations new channels to reach customers and extend their businesses, but they also offer new opportunities for abuse. In this presentation we identify the identities, attack surfaces and threats (both new and old) that security professionals need to be aware of in the new world of Web APIs.
In this workshop, we’ll interactively demonstrate lightweight threat modeling techniques to elicit and qualify risks against a typical CDN-fronted web application. We’ll then perform attacks against an example web application and demonstrate how the Fastly edge cloud can mitigate security risks.
How to Harden the Security of Your .NET Website, by DNN
What keeps IT managers awake at night? Worrying whether their website is protected against security vulnerabilities and exploits.
In this presentation, Ash Prasad, Director of Engineering at DNN, gives IT managers suggestions on how to secure their .NET websites.
Ash shares the tools and techniques he employs to harden the security of websites. If you’re managing .NET websites, this presentation will arm you with tips you can apply right away.
This presentation showcases the "best of the best" practices for operating securely at scale on AWS, taken from real customer examples, incorporating practical examples found in the Center for Internet Security’s CIS AWS Foundation and CIS AWS Three-Tier Web Architecture benchmarks. Come learn how to "Just Turn It On!"
Most software developers have heard about the OWASP Top Ten, which describes the 10 most critical security vulnerabilities that should be avoided in web applications.
However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from the early stages of the software development lifecycle.
This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP vulnerabilities that each of them addresses.
Vulnerabilities in modern web applications, by Niyas Nazar
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
Web Server Technologies II: Web Applications & Server Maintenance, by Port80 Software
Supporting Web applications: server-side programming and Web application frameworks. Web server maintenance: Web Analytics (Logs and Log Analysis), Dealing with bots and spiders, Server and site monitoring, Tuning and acceleration, Programmatic administration.
Similar to "WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks (20)
Debugging Microservices - key challenges and techniques - Microservices Odesa..., by Lohika_Odessa_TechTalks
Microservice architecture is widespread these days. It comes with a lot of benefits and challenges to solve. The main goal of this talk is to go through troubleshooting and debugging in the distributed microservice world. The topic covers:
the main aspects of logging,
monitoring,
distributed tracing,
debugging services on the cluster.
About speaker:
Andrey Kolodnitskiy is a Staff Engineer at Lohika and his primary focus is around distributed systems, microservices and JVM-based languages.
Engineers spend the majority of their time debugging and fixing issues. This talk will be dedicated to the best practices and tools Andrey's team uses on its project, which help find issues more efficiently.
Wide adoption of Microservice Architecture presents a whole new set of challenges for us as developers. Some of them are well-known and understood. About others we do not think until they strike us out of the blue and we spend a lot of sleepless nights trying to figure them out. Communication between services in a distributed system is one of the latter.
During this Microservice Architecture Odesa #TechTalk we will talk about how to prevent your microservices from becoming a modern-world Tower of Babel. We will discuss how to select appropriate communication mechanisms for the most common cases in a distributed system, how we should define API contracts for each of them, and what tools are available to keep them consistent and evolve them over time.
We will touch on the following topics:
REST vs RPC vs Messaging and how not to get lost with your options.
Contract First development and how it can save time in a multi-team environment.
SwaggerHub as a single point of truth for REST APIs.
Best practices for gRPC contracts and how to deal with changes in them.
About speaker:
Andrii Barsukov is a Senior .NET developer at Lohika, with 5+ years of commercial experience in the development of microservice applications. He is currently participating in the development of a microservice-based financial system, which includes 20+ microservices developed by 10 separate development teams. Some of the challenges that we faced during its development I'd like to share.
At JavaScript Odesa #TechTalks we talked about micro-frontends as a modern architectural style for front-end development that makes it easier to maintain and deploy updates for large projects.
We also discussed:
What are micro-frontends?
How to use them with a legacy project?
Monorepo vs multi-repo, and why?
About speaker:
Maksym Belkin is a Senior Software Engineer with 10 years of commercial experience in web application development. Maksym has extensive experience building single-page applications with modern frameworks and tools, as well as extensive experience in server-side development and building REST APIs. He also has deep knowledge of object-oriented development, algorithms, coding and testing patterns, and has experience in agile software development, including the roles of SCRUM Master and Team Lead.
There are a lot of things in the multi-threading world which we, as engineers, have to consider while developing applications. During Golang Odesa #TechTalks we will talk about three main problems: data races, race conditions, and deadlocks. We will also discuss how to avoid phantom bugs and not shoot yourself in the foot while developing Golang applications.
About speaker:
Oleksandr Karlov is a Golang Team Lead at Lohika. Currently, Oleksandr is working on an SLO project, which helps engineers control the reliability of their services. Before that he worked on a CDN and a statistics platform.
Druid is a useful and popular tool in the Big Data world. It is an OLAP system that allows you to efficiently process, store and query data, which explains the demand for Druid among Big Data processing tools.
With Vladimir Iordanov we will talk about how Druid works, what it consists of and what its capabilities are. Vladimir will introduce us to the Druid components and talk about the cluster architecture and how data processing is done.
Jenkins is still one of the leading CI/CD products, so it is worth understanding what it can do and how to use it properly. Moreover, the project is still being updated, and we should keep track of the new capabilities it gives us.
This time we will talk about:
– Jenkins pipelines and shared libraries,
– what kinds there are, and how and when they should be used,
– the differences between the scripted and declarative variants,
– when a shared library is necessary,
– how to easily set up and start using Jenkins in Kubernetes with Jenkins configuration as code.
The talk will be relevant for: DevOps engineers, configuration managers, and developers who are tired of their jobs and have decided to do some Jenkins :)
About speaker: Dmitry Kuleshov is a DevOps Engineer with 10 years of experience in information technology.
I will share with you my experience developing Jenkins pipeline scripts for organizing continuous integration and deployment processes for microservices. The emphasis will be on using Jenkins shared libraries. I will demonstrate approaches to creating modular, testable and reusable components for build and deployment. The talk will be useful to anyone involved in any way in automating continuous integration and deployment of software, whether a developer or a DevOps engineer.
Prometheus: infrastructure and application monitoring in kubernetes cluster, by Lohika_Odessa_TechTalks
The talk will be of interest to those who want to use one of the most popular monitoring tools with minimal time and effort, and without prior experience in deploying monitoring systems. We will look at a specific case of deploying it on a project "from scratch", extending the basic functionality, and discuss possible "pitfalls" of further maintenance.
Talk topic: "React and its architectural periphery"
React is a powerful library for building technical interfaces, but sometimes React alone is not enough for full-featured and flexible development. We will discuss and compare different approaches to developing modern React applications.
On the agenda: React&Redux, React&Meteor, React&Relay, React&MobX, React&PRPL
Congratulations, you have been promoted to a manager role. You've got new pro..., by Lohika_Odessa_TechTalks
“In my presentation I’ll try to list the first steps that you should make on a new project in your new role. Also we will review different types of projects and challenges that you may have. I hope that my experience and suggestions, which I’m about to share, will help you dive into the management role quickly and painlessly.”
This presentation will be useful for everyone who wants to be a manager, to grow in this direction and who is absolutely sure that one day he or she will be promoted. It might be useful for everyone who has been promoted recently and still feels that he/she doesn’t have enough experience with different projects.
"Don't touch me and give me my money" or how to motivate people who can but don..., by Lohika_Odessa_TechTalks
“The core of every successful project is a motivated and professional team, but what can be done when the comfort zone has been reached and nothing makes your team work with the same enthusiasm? In this session, we would like to discuss with you the cause of the "weary professional" syndrome, why it is bad and which non-standard approaches can be used for solving this problem.
The presentation will be particularly useful for those who are somehow connected with the management staff or aspire to be Team Leaders.”
9. Basic principles of security
[Diagram: Browser <-(X)HTTP(S)-> Web Server + Logics Server; the server sends SQL to the DBMS and commands / files to the OS. Label: discredit]
28. Client side vulnerability
A3 - XSS
XSS - execute malicious JavaScript code inside the session of an authorized user who has higher privileges than the attacker
29. Client side vulnerability
A3 - XSS
[Diagram: the same architecture (Browser <-(X)HTTP(S)-> Web Server + Logics Server; SQL -> DBMS; commands / files -> OS) shown twice, with "User data" flowing in; the two panels are labelled Stored and Reflected]
37. SOAP API & JSON API
SOAP UI
• SoapUI is a free and open source cross-platform Functional Testing solution
• http://www.soapui.org/about-soapui/what-is-soapui-.html
In other words:
Breach of functionality:
the IMPOSSIBILITY of obtaining authorized access to the system's functions and data
Breach of security:
the possibility of obtaining UNauthorized access to data and functions
1) Fuzzing proxy, e.g. Fiddler (intercepting proxy). Fuzzing is the enumeration of all possible attack vectors
Manual security code review (debugger)
2) White box: code scanners (HP Fortify)
3) Combination: feeding malicious data from outside (i.e. black box) + tracing how the application processes that data (white box)
4) Black box: fuzzers (HP WebInspect)
XHTTP (Extended HTTP): all requests and responses are sent exclusively in headers. The remaining data is transferred via XML. All HTTP features such as TLS, authentication, etc. remain unchanged
The defense methods shown are only some of many. They are simple to check. We talk about them because time is limited, so we only look at a few specific ones
POST to GET: the vulnerability works only for simple parameters; it does not work for XML, JSON, or any other form of data
This happens because SOAP/REST work with XML and JSON rather than plain HTML
Validators must be on both sides, client and server. For example, the client may be shown that something is not allowed, while in fact it can be done.
If the client-side restrictions are bypassed, the server must not let that bypass through (malicious data was sent from the client, but the server still rejected it)
Clear request Headers – Slow POST - http://habrahabr.ru/post/116056/
Code injection: compiled languages. Essentially it breaks the machine that hosts the web server (service)
XPath tells the XML where to take data from. By controlling the XPath, one can tell the server which data to select, for example for comparison.
Special symbols: a white list can be created, a list of only the permitted characters that may be used.
Validators + parameterized query = defense in depth, several layers of protection
Parameterized query example:
$request = sql_prepare('insert into table(name) values(:1)');
sql_execute($request, Array('Вася')); This way we define the query separately, substituting the numbers of the bound variables (:1, :2, ...) in place of the data
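An added example in Python with the standard sqlite3 module (not code from the slides; the table and the whitelist are constructed for the demo): the concatenated query beside its parameterized form, with a character whitelist in front of it, showing why the two layers complement each other. sqlite3 uses ? placeholders where the slide's pseudocode uses :1.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory schema for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(name text)")
    return conn


# Layer 1: whitelist validator. Letters in any script, spaces, hyphens and
# apostrophes only; every other special symbol is rejected before any SQL runs.
NAME_RE = re.compile(r"^[^\W\d_]([^\W\d_]|[ '\-])*$")


def is_valid_name(name: str) -> bool:
    return len(name) <= 64 and NAME_RE.fullmatch(name) is not None


def insert_concat(conn, name):
    """Unsafe: the data is spliced into the statement text, so a quote in the
    data changes the statement itself (a legitimate O'Brien already breaks it)."""
    conn.execute("insert into users(name) values('" + name + "')")


def insert_param(conn, name):
    """Layer 2: the statement text is fixed; the driver binds the value separately."""
    conn.execute("insert into users(name) values(?)", (name,))


def insert_defended(conn, name) -> bool:
    """Defense in depth: validator first, then the parameterized query."""
    if not is_valid_name(name):
        return False
    insert_param(conn, name)
    return True


def concat_breaks_on(name) -> bool:
    """True when the concatenated version cannot even store this name."""
    try:
        insert_concat(make_db(), name)
    except sqlite3.OperationalError:
        return True
    return False


def stored_names(conn):
    return [row[0] for row in conn.execute("select name from users order by rowid")]
```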
A convenience of using Fiddler: you can see the page response time down to a thousandth of a second.
Code injection is overkill for merely creating a small file on the machine that hosts the web service, since code injection is totally destructive in general.
Example: access to an important file is by a link. Suppose only the admin sees it, but if a non-admin obtains it, he can follow it just the same
crossdomain.xml: a cross-domain policy file is an XML document that grants a web client permission to handle data across domains
clientaccesspolicy.xml: the same thing
A10: a trusted site; inside the link there is a redirect to a rogue site; login/password theft; redirect back to the trusted site. The user noticed nothing, the credentials were stolen.
Forbid redirects to third-party sites
There are many attacks on the client, but we consider the OWASP Top 10, where there are only a few client-side attacks
Special symbols: HTML encoding, encoding all characters that can be used to form tags.
A white list can be created, a list of only the permitted tags that may be used.
HTML inside: into all forms that are reflected to the user; everything that is controlled by the user and output on the page.
The user follows a link containing an unvalidated redirect, lands on a malicious site with the same interface and enters personal data. Then he is redirected back to the trusted site. The user noticed nothing, the data is stolen
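Two added examples in Python (not code from the slides) for the client-side notes above. The first is the output side of the XSS defense: encoding every tag-forming character, and a tag whitelist built on the standard library's HTMLParser that keeps only a constructed set of harmless tags (with their attributes dropped) and encodes everything else. The second is the A10 check, "forbid redirects to third-party sites": only relative paths or absolute URLs on our own host (assumed here to be example.com) are accepted, and scheme-relative, scheme-only and CRLF-bearing targets are rejected.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong"}  # constructed whitelist for the demo


def encode_all(user_data: str) -> str:
    """Layer 1: encode every character that can form a tag or break out of an attribute."""
    return html.escape(user_data, quote=True)


class TagWhitelist(HTMLParser):
    """Layer 2: whitelisted tags pass through bare; everything else is encoded as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in input are decoded, then re-encoded below
        self.out = []

    def handle_starttag(self, tag, attrs):
        # Attributes are dropped even on allowed tags: that is where event handlers live.
        self.out.append(f"<{tag}>" if tag in ALLOWED_TAGS else encode_all(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(encode_all(self.get_starttag_text()))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else encode_all(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(encode_all(data))  # comments are dropped by the default handler


def sanitize(user_data: str) -> str:
    p = TagWhitelist()
    p.feed(user_data)
    p.close()
    return "".join(p.out)


def is_safe_redirect(target: str, our_host: str = "example.com") -> bool:
    """A10: accept only relative paths or http(s) URLs on our own host."""
    if not target or any(c in target for c in "\r\n\\"):
        return False  # header injection characters and backslash host tricks
    parts = urlsplit(target)
    if parts.netloc == "":
        # No host part: must be a plain path. "//host" would be scheme-relative,
        # and "https:host" has a scheme but no "//", so both are refused here.
        return parts.scheme == "" and target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname == our_host
```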
SOAP — Simple Object Access Protocol
REST: Representational State Transfer
SOAP can use other protocols, e.g. SMTP. In practice this is quite difficult to implement
http://habrahabr.ru/post/75248/ - SOAP vs REST
OWASP SS vulnerabilities
Programming language helps to automate routine tasks