
Application Security - Central Ohio Day of .NET

Joe Kuemerle
December 08, 2012


Writing secure code is not difficult, but it does require a good understanding of what is insecure. In this session we will cover some of the top threats that can be used to break your applications. We will also cover techniques to improve the design of your application, to minimize its vulnerabilities and to mitigate those you cannot remove.


Transcript

  1. Application Security: What you don't know can hurt you. Joe Kuemerle, www.kuemerle.com, @jkuemerle
  2. Thanks to our AWESOME sponsors!

  3. Joe Kuemerle
     • Developer at BookingBuilder Technologies
     • Over 15 years of development experience with a broad range of technologies
     • Focused on application and data security, coding best practices and regulatory compliance
     • Presenter at community, regional and national events
  4. How did Mr. Boddy get hacked?

  5. Source: Web Hacking Incident Database, http://tinyurl.com/AppAttackStats

  8. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and http://wpl.codeplex.com

  15. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
  19. Photo Credits
     • http://www.flickr.com/photos/pcoin/4629410478
     • http://www.flickr.com/photos/ekreitschmann/3296628124
     • http://www.flickr.com/photos/quinnanya/3333961881
     • http://www.flickr.com/photos/pcambra/3347911070
     • http://www.flickr.com/photos/superamit/2491512156
     • http://www.flickr.com/photos/terrio/5710831966
     • http://www.flickr.com/photos/cliffnordman/6131349171
     • http://www.flickr.com/photos/suckamc/4075609940
     • http://www.flickr.com/photos/alan-light/211186811
     • http://www.flickr.com/photos/marksteele/3766525250
     • http://www.flickr.com/photos/petithiboux/4062233946
     • http://www.flickr.com/photos/theevilmightyf/1496413769
     • http://www.flickr.com/photos/cookylamoo/5059188603
     • http://www.flickr.com/photos/phploveme/2911722148
  20. References
     • http://www.troyhunt.com
       o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
     • http://www.owasp.org
       o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
     • http://www.microsoft.com/security/sdl/default.aspx
     • http://blogs.msdn.com/b/sdl
     • http://bsimm.com
     • http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
     • http://www.google.com/reader/bundle/user%2F11910239077358858577%2Fbundle%2FSecurity
  21. Tools
     • http://wpl.codeplex.com
     • http://www.backtrack-linux.org
     • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14719 (Threat Model designer)
     • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21769 (File fuzzer)
     • WebGoat.NET
       o https://github.com/sempf/WebGoat.NET
       o https://github.com/jkuemerle/WebGoat.NET
  22. http://speakerrate.com/jkuemerle