Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Security: What your developers don't know can hurt you

Joe Kuemerle
November 08, 2012
Technology
1
56

Application Security: What your developers don't know can hurt you

Joe Kuemerle

November 08, 2012
Tweet

More Decks by Joe Kuemerle

See All by Joe Kuemerle
Pilots, Surgeons and Developers - Improving Application Security With Checklists
jkuemerle
0
14
Lightweight Data Access in .NET
jkuemerle
0
35
Defense Against The Dark Arts: Application security and you
jkuemerle
0
32
Is your API leaking? Breaking APIs to increase security.
jkuemerle
0
100
Application Security: What you don't know can hurt you - PrairieDevCon 2015
jkuemerle
0
56
Keeping Secrets: Using Encryption Effectively
jkuemerle
0
89
Keeping Secrets: Using Encryption Effectively - CodeMash 2015
jkuemerle
0
58
Get Rid of Visual SourceSafe??! - NWNUG March 2014
jkuemerle
0
67
Close The Feedback Loop. Using Application Analytics To Improve Agile Development - CodepaLOUsa 2014
jkuemerle
0
58

Other Decks in Technology

See All in Technology
JPOUG#7 Oracle Database 23c New Features
nori_shinoda
1
770
Introduction to mcl-wasm
herumi
1
290
R Not Only in Production
karawoo
0
110
クラウドだからできた 地方主導のJAWS DevOps
matsuihidetoshi
2
170
TypeScript ⼩ネタとか
sansantech
PRO
0
290
チーム開発における自作ESLintルールの活用と戦略
sansantech
PRO
0
280
【新卒研修資料】基礎統計学 / Basic of statistics
brainpadpr
65
42k
LINE 平台與開發生態系介紹
line_developers_tw
PRO
0
230
PhpStorm最新情報
AIとnew UI、便利プラグイン #phpcon_okinawa
yusuke
0
150
GitHub Copilot Behind the Scene
yuhattor
0
600
Designing an Incident Response Process at Scale
opeonikute
0
140
Material 3 やめました / Good-bye M3 design system
yanzm
3
2.2k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
112
17k
Writing Fast Ruby
sferik
615
59k
Agile that works and the tools we love
rasmusluckow
323
20k
The World Runs on Bad Software
bkeepers
PRO
59
6k
VelocityConf: Rendering Performance Case Studies
addyosmani
318
23k
Atom: Resistance is Futile
akmur
257
24k
Documentation Writing (for coders)
carmenintech
54
3.3k
Adopting Sorbet at Scale
ufuk
66
8.1k
The Invisible Customer
myddelton
113
12k
The Invisible Side of Design
smashingmag
292
49k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
Designing the Hi-DPI Web
ddemaree
274
33k

Transcript

  1. Application Security
    What your developers
    don't know can hurt you
    Joe Kuemerle
    www.kuemerle.com
    @jkuemerle

    View Slide

  2. @jkuemerle / www.kuemerle.com
    Joe Kuemerle
    • Developer at BookingBuilder Technologies
    • Over 15 years of development experience with a
    broad range of technologies
    • Focused on application and data security, coding
    best practices and regulatory compliance
    • Presenter at community, regional and national
    events.

    View Slide

  3. @jkuemerle / www.kuemerle.com
    How did Mr. Boddy
    get hacked?

    View Slide

  4. @jkuemerle / www.kuemerle.com
    Source:
    Web Hacking Incident Database
    http://tinyurl.com/AppAttackStats

    View Slide

  5. @jkuemerle / www.kuemerle.com

    View Slide

  6. @jkuemerle / www.kuemerle.com

    View Slide

  7. @jkuemerle / www.kuemerle.com

    View Slide

  8. @jkuemerle / www.kuemerle.com

    View Slide

  9. @jkuemerle / www.kuemerle.com
    https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    http://wpl.codeplex.com

    View Slide

  10. @jkuemerle / www.kuemerle.com

    View Slide

  11. @jkuemerle / www.kuemerle.com

    View Slide

  12. @jkuemerle / www.kuemerle.com

    View Slide

  13. @jkuemerle / www.kuemerle.com

    View Slide

  14. @jkuemerle / www.kuemerle.com

    View Slide

  15. @jkuemerle / www.kuemerle.com
    *

    View Slide

  16. @jkuemerle / www.kuemerle.com

    View Slide

  17. @jkuemerle / www.kuemerle.com
    Spoofing
    Tampering
    Repudiation
    Information Disclosure
    Denial of Service
    Elevation of Privilege

    View Slide

  18. @jkuemerle / www.kuemerle.com

    View Slide

  19. @jkuemerle / www.kuemerle.com

    View Slide

  20. @jkuemerle / www.kuemerle.com

    View Slide

  21. @jkuemerle / www.kuemerle.com
    References
    • http://www.troyhunt.com
    o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
    • http://www.owasp.org
    o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
    • http://www.microsoft.com/security/sdl/default.aspx
    • http://blogs.msdn.com/b/sdl
    • http://bsimm.com
    • http://www.amazon.com/Writing-Secure-Second-
    Michael-Howard/dp/0735617228
    • http://www.google.com/reader/bundle/user%2F11
    910239077358858577%2Fbundle%2FSecurity

    View Slide

  22. @jkuemerle / www.kuemerle.com
    Tools
    • http://wpl.codeplex.com
    • http://www.backtrack-linux.org
    • http://www.microsoft.com/download/en/details.as
    px?displaylang=en&id=14719 (Threat Model
    designer)
    • http://www.microsoft.com/download/en/details.as
    px?displaylang=en&id=21769 (File fuzzer)
    • WebGoat.NET
    o https://github.com/sempf/WebGoat.NET
    o https://github.com/jkuemerle/WebGoat.NET

    View Slide

  23. @jkuemerle / www.kuemerle.com
    Photo Credits
    • http://www.flickr.com/photos/pcoin/4629410478
    • http://www.flickr.com/photos/ekreitschmann/3296628124
    • http://www.flickr.com/photos/quinnanya/3333961881
    • http://www.flickr.com/photos/pcambra/3347911070
    • http://www.flickr.com/photos/superamit/2491512156
    • http://www.flickr.com/photos/terrio/5710831966
    • http://www.flickr.com/photos/cliffnordman/6131349171
    • http://www.flickr.com/photos/suckamc/4075609940
    • http://www.flickr.com/photos/alan-light/211186811
    • http://www.flickr.com/photos/marksteele/3766525250
    • http://www.flickr.com/photos/petithiboux/4062233946
    • http://www.flickr.com/photos/theevilmightyf/1496413769
    • http://www.flickr.com/photos/cookylamoo/5059188603
    • http://www.flickr.com/photos/phploveme/2911722148

    View Slide

  24. @jkuemerle / www.kuemerle.com
    http://speakerrate.com/jkuemerle

    View Slide