Application Security - CodepaLOUsa 2014

Transcript

1. Application Security What you don't know can hurt you Joe

   Kuemerle www.kuemerle.com @jkuemerle

2. @jkuemerle / www.kuemerle.com Joe Kuemerle • Over 15 years of

   development experience with a broad range of technologies • Focused on application and data security, coding best practices and regulatory compliance • Presenter at community, regional and national events.

3. @jkuemerle / www.kuemerle.com How did Mr. Boddy get hacked?

4. @jkuemerle / www.kuemerle.com Source: Web Hacking Incident Database http://tinyurl.com/AppAttackStats

5. @jkuemerle / www.kuemerle.com

6. @jkuemerle / www.kuemerle.com

7. @jkuemerle / www.kuemerle.com

8. @jkuemerle / www.kuemerle.com

9. @jkuemerle / www.kuemerle.com

10. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet http://wpl.codeplex.com

11. @jkuemerle / www.kuemerle.com

12. @jkuemerle / www.kuemerle.com

13. @jkuemerle / www.kuemerle.com

14. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/kidicarus222/213956096

15. @jkuemerle / www.kuemerle.com

16. @jkuemerle / www.kuemerle.com

17. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/somegeekintn/3709203268

18. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/kmagoon/3793038515

19. @jkuemerle / www.kuemerle.com Injection https://www.owasp.org/index.php/Top_10_2013-Top_10 Broken Authentication and Session Management

    Cross Site Scripting (XSS) Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery Components With Known Vulnerabilities Unvalidated Redirects And Forwards

20. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

21. @jkuemerle / www.kuemerle.com Spoofing Tampering Repudiation Information Disclosure Denial of

    Service Elevation of Privilege

22. @jkuemerle / www.kuemerle.com

23. @jkuemerle / www.kuemerle.com

24. @jkuemerle / www.kuemerle.com

25. @jkuemerle / www.kuemerle.com Photo Credits • http://www.flickr.com/photos/pcoin/4629410478 • http://www.flickr.com/photos/ekreitschmann/3296628124 •

    http://www.flickr.com/photos/quinnanya/3333961881 • http://www.flickr.com/photos/pcambra/3347911070 • http://www.flickr.com/photos/superamit/2491512156 • http://www.flickr.com/photos/terrio/5710831966 • http://www.flickr.com/photos/cliffnordman/6131349171 • http://www.flickr.com/photos/suckamc/4075609940 • http://www.flickr.com/photos/alan-light/211186811 • http://www.flickr.com/photos/marksteele/3766525250 • http://www.flickr.com/photos/petithiboux/4062233946 • http://www.flickr.com/photos/theevilmightyf/1496413769 • http://www.flickr.com/photos/cookylamoo/5059188603 • http://www.flickr.com/photos/phploveme/2911722148

26. @jkuemerle / www.kuemerle.com References • http://www.troyhunt.com o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html • http://www.owasp.org

    o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch • http://www.microsoft.com/security/sdl/default.aspx • http://blogs.msdn.com/b/sdl • http://bsimm.com • http://www.amazon.com/Writing-Secure-Second- Michael-Howard/dp/0735617228 • http://www.google.com/reader/bundle/user%2F11 910239077358858577%2Fbundle%2FSecurity

27. @jkuemerle / www.kuemerle.com Tools • http://wpl.codeplex.com • http://www.backtrack-linux.org • http://www.microsoft.com/download/en/details.as

    px?displaylang=en&id=14719 (Threat Model designer) • http://www.microsoft.com/download/en/details.as px?displaylang=en&id=21769 (File fuzzer) • WebGoat.NET o https://github.com/sempf/WebGoat.NET o https://github.com/jkuemerle/WebGoat.NET

28. @jkuemerle / www.kuemerle.com http://speakerrate.com/jkuemerle