Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defense Against The Dark Arts: Application secu...

Joe Kuemerle
July 12, 2018
Technology
0
37

Defense Against The Dark Arts: Application security and you

As more of the world uses the magic of applications to get things done there is an ever increasing threat from those who would use your code to do harm. Security vulnerabilities are real and can have a significant impact on your employment. In this session we will review the most significant threats to your applications and learn techniques to harden your applications against them. We will also cover methodologies that can improve your security standing before you even write the first line of code.

Joe Kuemerle

July 12, 2018
Tweet

More Decks by Joe Kuemerle

See All by Joe Kuemerle
Pilots, Surgeons and Developers - Improving Application Security With Checklists
jkuemerle
0
20
Lightweight Data Access in .NET
jkuemerle
0
43
Is your API leaking? Breaking APIs to increase security.
jkuemerle
0
110
Application Security: What you don't know can hurt you - PrairieDevCon 2015
jkuemerle
0
67
Keeping Secrets: Using Encryption Effectively
jkuemerle
0
110
Keeping Secrets: Using Encryption Effectively - CodeMash 2015
jkuemerle
0
70
Get Rid of Visual SourceSafe??! - NWNUG March 2014
jkuemerle
0
140
Close The Feedback Loop. Using Application Analytics To Improve Agile Development - CodepaLOUsa 2014
jkuemerle
0
72
Application Security - CodepaLOUsa 2014
jkuemerle
0
58

Other Decks in Technology

See All in Technology
【LT】ソフトウェア産業は進化しているのか? #Agilejapan
takabow
0
110
Terraform Stacks入門 #HashiTalks
msato
0
370
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
4
940
Storybook との上手な向き合い方を考える
re_taro
5
1.9k
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
3
670
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
140
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
1
220
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
160
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
190
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
790
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
580

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
A designer walks into a library…
pauljervisheath
204
24k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Speed Design
sergeychernyshev
25
620
It's Worth the Effort
3n
183
27k
Automating Front-end Workflow
addyosmani
1366
200k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Gamification - CAS2011
davidbonilla
80
5k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k

Transcript

  1. Defense Against The Dark Arts: Application security and you https://uk.pinterest.com/pin/335518240961936792/

  2. TITANIUM SPONSORS Platinum Sponsors Gold Sponsors

  3. Joe Kuemerle • Security focused developer in a broad range

    of technologies • Specialize in application and data security, coding best practices and regulatory compliance • Presenter at community, regional and national events. @jkuemerle / www.kuemerle.com https://proftalon.smugmug.com/Hogwarts/2914-summer/i-v4tSLNL/A

  4. techbash.com @jkuemerle / www.kuemerle.com

  5. @jkuemerle / www.kuemerle.com https://www.veracode.com/resources

  6. @jkuemerle / www.kuemerle.com http://cdn.quotesgram.com/small/79/88/1743520670-top-10.jpg https://www.owasp.org/index.php/Top_10-2017_Top_10

  7. @jkuemerle / www.kuemerle.com Injection https://www.owasp.org/index.php/Top_10-2017_Top_10 Broken Authentication Sensitive Data Exposure

    XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross Site Scripting (XSS) Insecure Deserialization Components With Known Vulnerabilities Insufficient Logging and Monitoring

  8. @jkuemerle / www.kuemerle.com Source: Web Hacking Incident Database http://tinyurl.com/AppAttackStats

  9. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/colmmcsky/6300431678/

  10. @jkuemerle / www.kuemerle.com

  11. @jkuemerle / www.kuemerle.com http://www.veracode.com/resources/state-of-software-security SQL INJECTION TREND Percentage of Applications

    Affected

  12. @jkuemerle / www.kuemerle.com https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/

  13. @jkuemerle / www.kuemerle.com http://motherboard-images.vice.com/content-images/article/28241/1448640227075896.jpg 4.8 Million parents 6.3 Million children

  14. @jkuemerle / www.kuemerle.com db.myCollection.find( { $where: function() { return obj.credits

    - obj.debits < 0; } } ); db.myCollection.find( { active: true, $where: function() { return obj.credits - obj.debits < $userInput; } } );;

  15. @jkuemerle / www.kuemerle.com

  16. @jkuemerle / www.kuemerle.com https://www.pinterest.com/pin/78531587227048328/

  17. @jkuemerle / www.kuemerle.com

  18. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/foilman/27016860369/

  19. @jkuemerle / www.kuemerle.com https://haveibeenpwned.com/

  20. @jkuemerle / www.kuemerle.com

  21. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/bryanalexander/17611523750/

  22. @jkuemerle / www.kuemerle.com

  23. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/rdh-photo/36725534450/

  24. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/yaketyyakyak/7325939128/

  25. @jkuemerle / www.kuemerle.com http://www.itnews.com.au/News/398892,delta-site-flaw-lets-passengers-access-other-boarding-passes.aspx

  26. @jkuemerle / www.kuemerle.com

  27. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/saeru/872702709 /

  28. @jkuemerle / www.kuemerle.com

  29. @jkuemerle / www.kuemerle.com https://www.pinterest.com/pin/299911656412432748/

  30. @jkuemerle / www.kuemerle.com

  31. @jkuemerle / www.kuemerle.com

  32. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

  33. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/yaketyyakyak/7306685420/

  34. @jkuemerle / www.kuemerle.com

  35. @jkuemerle / www.kuemerle.com

  36. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/poopface/2544221497/

  37. @jkuemerle / www.kuemerle.com

  38. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/justinhoch/5417977222/

  39. @jkuemerle / www.kuemerle.com

  40. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/pheezy/3769080979/

  41. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/foilman/38557740656/

  42. @jkuemerle / www.kuemerle.com https://www.pinterest.com/pin/481885228855703308/

  43. @jkuemerle / www.kuemerle.com

  44. @jkuemerle / www.kuemerle.com Injection https://www.owasp.org/index.php/Top_10-2017_Top_10 Broken Authentication Sensitive Data Exposure

    XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross Site Scripting (XSS) Insecure Deserialization Components With Known Vulnerabilities Insufficient Logging and Monitoring

  45. @jkuemerle / www.kuemerle.com https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

  46. @jkuemerle / www.kuemerle.com

  47. @jkuemerle / www.kuemerle.com https://github.com/skylot/jadx

  48. @jkuemerle / www.kuemerle.com Spoofing Tampering Repudiation Information Disclosure Denial of

    Service Elevation of Privilege

  49. @jkuemerle / www.kuemerle.com Exploring Information Security podcast,

  50. @jkuemerle / www.kuemerle.com https://www.flickr.com/photos/tuba/53933899/

  51. @jkuemerle / www.kuemerle.com https://www.youtube.com/watch?v=JzPoz2safPI

  52. @jkuemerle / www.kuemerle.com http://www.potterworldmc.com/forum/m/23366915/viewthread/24561719-quibbler

  53. References @jkuemerle / www.kuemerle.com • http://www.troyhunt.com – http://www.troyhunt.com/2011/12/free-ebook-owasp-top- 10-for-net.html •

    http://www.owasp.org – http://www.youtube.com/user/AppsecTutorialSeries?featur e=watch • http://www.microsoft.com/security/sdl/default.aspx • http://blogs.msdn.com/b/sdl • http://bsimm.com • http://www.amazon.com/Writing-Secure-Second- Michael-Howard/dp/0735617228 • http://www.nosqlmap.net/index.html • http://www.veracode.com/resources/state-of-software- security

  54. Tools @jkuemerle / www.kuemerle.com • https://www.kali.org/ • OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_

    Attack_Proxy_Project • https://www.microsoft.com/en- us/download/details.aspx?id=49168 (Threat Model designer) • JuiceShop https://github.com/bkimminich/juice- shop • ysoserial.NET https://github.com/pwntester/ysoserial.net