Application Security: What you don't know can hurt you - PrairieDevCon 2015

Writing secure code is not difficult, but it does require a good understanding of what is insecure. In this session we will cover some of the top threats that can be used to break your applications. We will also cover techniques to improve the design of your application so as to minimize its vulnerabilities and mitigate those you cannot remove.

Joe Kuemerle

March 03, 2015

Transcript

  1. Application Security: What you don't know can hurt you. Joe Kuemerle, www.kuemerle.com, @jkuemerle
  2. @jkuemerle / www.kuemerle.com Joe Kuemerle
     • Over 15 years of development experience with a broad range of technologies
     • Focused on application and data security, coding best practices and regulatory compliance
     • Presenter at community, regional and national events.
  3. @jkuemerle / www.kuemerle.com Source: Web Hacking Incident Database http://tinyurl.com/AppAttackStats

  4. @jkuemerle / www.kuemerle.com How did Mr. Boddy get hacked?

  5. @jkuemerle / www.kuemerle.com http://www.veracode.com/resources/state-of-software-security

  6. @jkuemerle / www.kuemerle.com

  7. @jkuemerle / www.kuemerle.com

  8. @jkuemerle / www.kuemerle.com
     db.myCollection.find( { $where: function() { return obj.credits - obj.debits < 0; } } );
     // $userInput: a value taken from the request and spliced into the query text
     db.myCollection.find( { active: true, $where: function() { return obj.credits - obj.debits < $userInput; } } );
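An added example, not from the deck, contrasting the slide's second query with a hardened form: when `$userInput` is spliced into a `$where` function as text, the request value becomes JavaScript that the server evaluates, whereas validating the threshold as a number and expressing the comparison with `$expr` (MongoDB 3.6 and later) keeps the query document pure data. The collection and field names are the slide's; `buildQueryUnsafe`, `buildQuerySafe` and `usesServerSideJs` are hypothetical helper names.

```javascript
// Added example, not from the deck. buildQueryUnsafe mirrors the slide's second query:
// the caller's value is spliced into the $where function body as text, so the server
// evaluates whatever the request carried as JavaScript. Kept only for contrast.
function buildQueryUnsafe(userInput) {
  return {
    active: true,
    $where: "function() { return obj.credits - obj.debits < " + userInput + "; }",
  };
}

// Only a plain integer or decimal, optionally negative, counts as a valid threshold.
const NUMERIC = /^-?\d+(\.\d+)?$/;

// Hardened version (hypothetical helper name): the threshold is allow-list validated and
// the same comparison is expressed as a $expr aggregation expression (MongoDB 3.6+), so
// the query document carries data only and no user-supplied text is ever evaluated.
function buildQuerySafe(userInput) {
  // Accept a string or number only; an object (e.g. from a parsed JSON body) is refused.
  if (typeof userInput !== "string" && typeof userInput !== "number") {
    throw new TypeError("threshold must be a number or a numeric string");
  }
  if (!NUMERIC.test(String(userInput))) {
    throw new TypeError("threshold must be a plain decimal number");
  }
  const threshold = Number(userInput);
  return {
    active: true,
    $expr: { $lt: [{ $subtract: ["$credits", "$debits"] }, threshold] },
  };
}

// Review check: any query document that carries $where relies on server-side JavaScript
// and deserves a closer look, whatever else it contains.
function usesServerSideJs(query) {
  return Object.prototype.hasOwnProperty.call(query, "$where");
}

// Constructed request values: a valid threshold and an unvalidated free-text parameter.
console.log(usesServerSideJs(buildQueryUnsafe("100")));   // true
console.log(usesServerSideJs(buildQuerySafe("100")));     // false
console.log(JSON.stringify(buildQuerySafe("100")));
// {"active":true,"$expr":{"$lt":[{"$subtract":["$credits","$debits"]},100]}}
```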
  9. @jkuemerle / www.kuemerle.com

  10. @jkuemerle / www.kuemerle.com

  11. @jkuemerle / www.kuemerle.com

  12. @jkuemerle / www.kuemerle.com

  13. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet http://wpl.codeplex.com

  14. @jkuemerle / www.kuemerle.com

  15. @jkuemerle / www.kuemerle.com

  16. @jkuemerle / www.kuemerle.com http://www.itnews.com.au/News/398892,delta-site-flaw-lets-passengers-access-other-boarding-passes.aspx

  17. @jkuemerle / www.kuemerle.com

  18. @jkuemerle / www.kuemerle.com

  19. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/kidicarus222/213956096

  20. @jkuemerle / www.kuemerle.com

  21. @jkuemerle / www.kuemerle.com

  22. @jkuemerle / www.kuemerle.com

  23. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/somegeekintn/3709203268

  24. @jkuemerle / www.kuemerle.com http://www.flickr.com/photos/kmagoon/3793038515

  25. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/Top_10_2013-Top_10
     Injection
     Broken Authentication and Session Management
     Cross Site Scripting (XSS)
     Insecure Direct Object Reference
     Security Misconfiguration
     Sensitive Data Exposure
     Missing Function Level Access Control
     Cross-Site Request Forgery
     Components With Known Vulnerabilities
     Unvalidated Redirects And Forwards
  26. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

  27. @jkuemerle / www.kuemerle.com

  28. @jkuemerle / www.kuemerle.com https://github.com/skylot/jadx

  29. @jkuemerle / www.kuemerle.com
     Spoofing
     Tampering
     Repudiation
     Information Disclosure
     Denial of Service
     Elevation of Privilege
  30. @jkuemerle / www.kuemerle.com

  31. @jkuemerle / www.kuemerle.com

  32. @jkuemerle / www.kuemerle.com

  33. @jkuemerle / www.kuemerle.com Photo Credits
     • http://www.flickr.com/photos/pcoin/4629410478
     • http://www.flickr.com/photos/ekreitschmann/3296628124
     • http://www.flickr.com/photos/quinnanya/3333961881
     • http://www.flickr.com/photos/pcambra/3347911070
     • http://www.flickr.com/photos/superamit/2491512156
     • http://www.flickr.com/photos/terrio/5710831966
     • http://www.flickr.com/photos/cliffnordman/6131349171
     • http://www.flickr.com/photos/suckamc/4075609940
     • http://www.flickr.com/photos/alan-light/211186811
     • http://www.flickr.com/photos/marksteele/3766525250
     • http://www.flickr.com/photos/petithiboux/4062233946
     • http://www.flickr.com/photos/theevilmightyf/1496413769
     • http://www.flickr.com/photos/cookylamoo/5059188603
     • http://www.flickr.com/photos/phploveme/2911722148
  34. @jkuemerle / www.kuemerle.com http://speakerrate.com/jkuemerle

  35. @jkuemerle / www.kuemerle.com References
     • http://www.troyhunt.com
       o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
     • http://www.owasp.org
       o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
     • http://www.microsoft.com/security/sdl/default.aspx
     • http://blogs.msdn.com/b/sdl
     • http://bsimm.com
     • http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
     • http://www.nosqlmap.net/index.html
     • http://www.veracode.com/resources/state-of-software-security
  36. @jkuemerle / www.kuemerle.com Tools
     • http://wpl.codeplex.com
     • https://www.kali.org/
     • http://blogs.microsoft.com/cybertrust/2014/04/15/introducing-microsoft-threat-modeling-tool-2014/ (Threat Model designer)
     • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21769 (File fuzzer)
     • WebGoat.NET
       o https://github.com/sempf/WebGoat.NET
       o https://github.com/jkuemerle/WebGoat.NET