
Application Security - Central Ohio Day of .NET

Joe Kuemerle
December 08, 2012

Writing secure code is not difficult, but it does require a good understanding of what is insecure. In this session we will cover some of the top threats that can be used to break your applications. We will also cover techniques to improve the design of your application to minimize its vulnerabilities and mitigate those you cannot remove.

Transcript

  1. Application Security
    What you don't know can hurt you
    Joe Kuemerle
    www.kuemerle.com
    @jkuemerle

  2. Thanks to our AWESOME sponsors!

  3. @jkuemerle / www.kuemerle.com
    Joe Kuemerle
    • Developer at BookingBuilder Technologies
    • Over 15 years of development experience with a broad range of technologies
    • Focused on application and data security, coding best practices and regulatory compliance
    • Presenter at community, regional and national events.

  4. How did Mr. Boddy get hacked?

  5. Source: Web Hacking Incident Database
    http://tinyurl.com/AppAttackStats

  8. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    http://wpl.codeplex.com
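Slide 8 pairs the OWASP XSS Filter Evasion Cheat Sheet with the Web Protection Library, which is the whole argument in two links: a filter that tries to recognise attacks loses to the cheat sheet, while encoding untrusted data for the output context does not. The following C# program is an added example, not code from the deck or from the Web Protection Library. It assumes .NET 4.0 or later so that `System.Net.WebUtility.HtmlEncode` is available without extra dependencies; the WPL's `Microsoft.Security.Application.Encoder.HtmlEncode` and `HtmlAttributeEncode` play the same role. The payloads are constructed for the demo in the style of the cheat sheet and target no real site.

```csharp
using System;
using System.Net;

// Added example (not from the deck). Assumes .NET 4.0+ for System.Net.WebUtility.
public static class XssFilterEvasionDemo
{
    // The "before": a blacklist filter that strips the one tag the developer
    // thought of. Deliberately weak, so the evasions below get through.
    // String.Replace is case-sensitive and makes a single pass over the input.
    public static string NaiveStripScript(string untrusted)
    {
        return untrusted.Replace("<script>", "").Replace("</script>", "");
    }

    // The fix: encode for the HTML context at the point of output instead of
    // trying to recognise attacks. HtmlEncode turns < > & " and ' into entities,
    // so nothing in the untrusted string can open a tag or close an attribute.
    public static string EncodeForHtml(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted);
    }

    // Constructed payloads in the style of the OWASP XSS Filter Evasion Cheat Sheet.
    public static readonly string[] Payloads =
    {
        "<script>alert(1)</script>",           // the textbook case the filter handles
        "<ScRiPt>alert(1)</ScRiPt>",           // case variation slips past a case-sensitive match
        "<scr<script>ipt>alert(1)</script>",   // a single-pass strip reassembles the tag
        "<img src=x onerror=alert(1)>",        // no <script> tag at all
        "\" autofocus onfocus=alert(1) x=\"",  // closes a quoted attribute
    };

    // A raw '<' or '"' surviving into HTML output means the untrusted data can
    // still open a tag or break out of an attribute. This does not prove
    // exploitability; it shows the data was never made inert.
    public static bool StillHasMarkupChars(string fragment)
    {
        return fragment.IndexOfAny(new[] { '<', '"' }) >= 0;
    }

    public static void Main()
    {
        foreach (string p in Payloads)
        {
            string stripped = NaiveStripScript(p);
            string encoded = EncodeForHtml(p);

            Console.WriteLine("payload : " + p);
            Console.WriteLine("stripped: " + stripped
                + (StillHasMarkupChars(stripped) ? "   <-- raw markup characters remain" : ""));
            Console.WriteLine("encoded : " + encoded
                + (StillHasMarkupChars(encoded) ? "   <-- BUG" : "   (inert text)"));
            Console.WriteLine();
        }

        // Context matters: the attribute case is safe only because the attribute
        // is quoted AND the value is encoded. Unquoted attributes need more.
        Console.WriteLine("<p>" + EncodeForHtml(Payloads[3]) + "</p>");
        Console.WriteLine("<input value=\"" + EncodeForHtml(Payloads[4]) + "\">");
    }
}
```

Only the first payload comes out of `NaiveStripScript` clean; the other four keep their raw `<` or `"`, while every one of them is inert after `EncodeForHtml`. The encoder must match the context the data lands in: HTML encoding does nothing for a value placed inside a `<script>` block or a URL, which is why the WPL also ships `JavaScriptEncode` and `UrlEncode`. In ASP.NET, Razor `@expr` and Web Forms `<%: expr %>` apply HTML encoding automatically, and the `httpRuntime encoderType` setting can route that through the WPL encoder.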

  15. STRIDE threat categories:
    Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Elevation of Privilege

  19. Photo Credits
    • http://www.flickr.com/photos/pcoin/4629410478
    • http://www.flickr.com/photos/ekreitschmann/3296628124
    • http://www.flickr.com/photos/quinnanya/3333961881
    • http://www.flickr.com/photos/pcambra/3347911070
    • http://www.flickr.com/photos/superamit/2491512156
    • http://www.flickr.com/photos/terrio/5710831966
    • http://www.flickr.com/photos/cliffnordman/6131349171
    • http://www.flickr.com/photos/suckamc/4075609940
    • http://www.flickr.com/photos/alan-light/211186811
    • http://www.flickr.com/photos/marksteele/3766525250
    • http://www.flickr.com/photos/petithiboux/4062233946
    • http://www.flickr.com/photos/theevilmightyf/1496413769
    • http://www.flickr.com/photos/cookylamoo/5059188603
    • http://www.flickr.com/photos/phploveme/2911722148

  20. References
    • http://www.troyhunt.com
    o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
    • http://www.owasp.org
    o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
    • http://www.microsoft.com/security/sdl/default.aspx
    • http://blogs.msdn.com/b/sdl
    • http://bsimm.com
    • http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
    • http://www.google.com/reader/bundle/user%2F11910239077358858577%2Fbundle%2FSecurity

  21. Tools
    • http://wpl.codeplex.com
    • http://www.backtrack-linux.org
    • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14719 (Threat Model designer)
    • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21769 (File fuzzer)
    • WebGoat.NET
    o https://github.com/sempf/WebGoat.NET
    o https://github.com/jkuemerle/WebGoat.NET

  22. http://speakerrate.com/jkuemerle