
Application Security: What your developers don't know can hurt you



Joe Kuemerle

November 08, 2012

Transcript

  1. Application Security: What your developers don't know can hurt you
     Joe Kuemerle, www.kuemerle.com, @jkuemerle

  2. @jkuemerle / www.kuemerle.com
     Joe Kuemerle
     • Developer at BookingBuilder Technologies
     • Over 15 years of development experience with a broad range of technologies
     • Focused on application and data security, coding best practices and regulatory compliance
     • Presenter at community, regional and national events

  3. How did Mr. Boddy get hacked?

  4. Source: Web Hacking Incident Database, http://tinyurl.com/AppAttackStats

  5-8. (no transcript text)

  9. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     http://wpl.codeplex.com

  10-16. (no transcript text)

  17. Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

  18-20. (no transcript text)

  21. References
     • http://www.troyhunt.com
       o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
     • http://www.owasp.org
       o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
     • http://www.microsoft.com/security/sdl/default.aspx
     • http://blogs.msdn.com/b/sdl
     • http://bsimm.com
     • http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
     • http://www.google.com/reader/bundle/user%2F11910239077358858577%2Fbundle%2FSecurity

  22. Tools
     • http://wpl.codeplex.com
     • http://www.backtrack-linux.org
     • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14719 (Threat Model designer)
     • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21769 (File fuzzer)
     • WebGoat.NET
       o https://github.com/sempf/WebGoat.NET
       o https://github.com/jkuemerle/WebGoat.NET

  23. Photo Credits
     • http://www.flickr.com/photos/pcoin/4629410478
     • http://www.flickr.com/photos/ekreitschmann/3296628124
     • http://www.flickr.com/photos/quinnanya/3333961881
     • http://www.flickr.com/photos/pcambra/3347911070
     • http://www.flickr.com/photos/superamit/2491512156
     • http://www.flickr.com/photos/terrio/5710831966
     • http://www.flickr.com/photos/cliffnordman/6131349171
     • http://www.flickr.com/photos/suckamc/4075609940
     • http://www.flickr.com/photos/alan-light/211186811
     • http://www.flickr.com/photos/marksteele/3766525250
     • http://www.flickr.com/photos/petithiboux/4062233946
     • http://www.flickr.com/photos/theevilmightyf/1496413769
     • http://www.flickr.com/photos/cookylamoo/5059188603
     • http://www.flickr.com/photos/phploveme/2911722148

  24. http://speakerrate.com/jkuemerle