Defense Against The Dark Arts: Application security and you

As more of the world uses the magic of applications to get things done, there is an ever-increasing threat from those who would use your code to do harm. Security vulnerabilities are real and can have a significant impact on your employment. In this session we will review the most significant threats to your applications and learn techniques to harden your applications against them. We will also cover methodologies that can improve your security standing before you even write the first line of code.

Joe Kuemerle

July 12, 2018

Transcript

  1. Defense Against The Dark Arts: Application security and you https://uk.pinterest.com/pin/335518240961936792/

  2. TITANIUM SPONSORS Platinum Sponsors Gold Sponsors

  3. Joe Kuemerle • Security-focused developer in a broad range of technologies • Specializes in application and data security, coding best practices and regulatory compliance • Presenter at community, regional and national events. @jkuemerle / www.kuemerle.com https://proftalon.smugmug.com/Hogwarts/2914-summer/i-v4tSLNL/A
  4. techbash.com

  5. https://www.veracode.com/resources

  6. http://cdn.quotesgram.com/small/79/88/1743520670-top-10.jpg https://www.owasp.org/index.php/Top_10-2017_Top_10

  7. OWASP Top 10 (2017) https://www.owasp.org/index.php/Top_10-2017_Top_10
     • Injection
     • Broken Authentication
     • Sensitive Data Exposure
     • XML External Entities (XXE)
     • Broken Access Control
     • Security Misconfiguration
     • Cross Site Scripting (XSS)
     • Insecure Deserialization
     • Components With Known Vulnerabilities
     • Insufficient Logging and Monitoring
  8. Source: Web Hacking Incident Database http://tinyurl.com/AppAttackStats

  9. https://www.flickr.com/photos/colmmcsky/6300431678/

  11. http://www.veracode.com/resources/state-of-software-security (chart: SQL injection trend, percentage of applications affected)

  12. https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/

  13. http://motherboard-images.vice.com/content-images/article/28241/1448640227075896.jpg 4.8 million parents, 6.3 million children

  14. MongoDB $where queries; in the second, $userInput is spliced straight into the JavaScript predicate:
      db.myCollection.find( { $where: function() { return obj.credits - obj.debits < 0; } } );
      db.myCollection.find( { active: true, $where: function() { return obj.credits - obj.debits < $userInput; } } );
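The following is an added example, not code from the talk. It shows what happens when the `$userInput` on the slide is pasted into the `$where` source as a string, and how to express the same "overdrawn active accounts" filter with query operators so the server never compiles caller-controlled JavaScript. The `accounts` array is constructed sample data, and `evalWhere` is an assumed stand-in for what mongod does with `$where` (compile the string to a function and call it once per document with the document bound to `obj`/`this`); no database is needed to run it.

```javascript
// Added example (not from the talk). `accounts` is constructed sample data;
// `evalWhere` is a stand-in for mongod's $where evaluation, which compiles the
// string to a JavaScript function and runs it once per document with the
// document bound to `obj` (and `this`).

const accounts = [
  { _id: 1, active: true,  credits: 100, debits: 150 }, // overdrawn by 50
  { _id: 2, active: true,  credits: 500, debits: 100 }, // in credit
  { _id: 3, active: false, credits: 10,  debits: 90  }, // overdrawn but inactive
];

// Assumption: this is close enough to mongod's behaviour for the demonstration.
function evalWhere(docs, whereFnSrc) {
  const pred = new Function("obj", `return (${whereFnSrc}).call(obj);`);
  return docs.filter((doc) => Boolean(pred(doc)));
}

// Vulnerable: mirrors the slide. The threshold arrives as text and is pasted into
// the function body, so the caller controls JavaScript, not just a number.
function findOverdrawnVulnerable(docs, userInput) {
  const whereFnSrc = `function() { return obj.credits - obj.debits < ${userInput}; }`;
  const active = docs.filter((d) => d.active === true);
  return evalWhere(active, whereFnSrc).map((d) => d._id);
}

// Hardened: accept only a plain decimal number and build the filter from query
// operators ($expr/$subtract/$lt exist from MongoDB 3.6). Returns the query
// document that would be sent to the server plus the ids it selects from the
// in-memory data, so the two paths can be compared side by side.
const DECIMAL = /^-?\d+(\.\d+)?$/;
function findOverdrawnSafe(docs, userInput) {
  if (typeof userInput !== "string" || !DECIMAL.test(userInput.trim())) {
    throw new TypeError(`threshold must be a decimal number, got ${JSON.stringify(userInput)}`);
  }
  const threshold = Number(userInput.trim());
  const query = {
    active: true,
    $expr: { $lt: [{ $subtract: ["$credits", "$debits"] }, threshold] },
  };
  const ids = docs
    .filter((d) => d.active === true && d.credits - d.debits < threshold)
    .map((d) => d._id);
  return { query, ids };
}

// Demo: "0 || true" turns the predicate into `... < 0 || true`, which is true for
// every document, so the injected query leaks every active account.
const injected = "0 || true";
console.log("honest input   ->", findOverdrawnVulnerable(accounts, "0"));      // [ 1 ]
console.log("injected input ->", findOverdrawnVulnerable(accounts, injected)); // [ 1, 2 ]
console.log("safe, honest   ->", findOverdrawnSafe(accounts, "0").ids);        // [ 1 ]
try {
  findOverdrawnSafe(accounts, injected);
} catch (e) {
  console.log("safe, injected ->", e.message);
}
```

The validation alone is not the fix; the structural change is that the hardened query contains no code at all, only data, so there is nothing for an attacker to extend. Where `$where` cannot be removed from an application, the same class of problem can be cut off at the server by disabling server-side JavaScript (`mongod --noscripting`, or `security.javascriptEnabled: false` in the config file).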
  16. https://www.pinterest.com/pin/78531587227048328/

  18. https://www.flickr.com/photos/foilman/27016860369/

  19. https://haveibeenpwned.com/

  21. https://www.flickr.com/photos/bryanalexander/17611523750/

  23. https://www.flickr.com/photos/rdh-photo/36725534450/

  24. https://www.flickr.com/photos/yaketyyakyak/7325939128/

  25. http://www.itnews.com.au/News/398892,delta-site-flaw-lets-passengers-access-other-boarding-passes.aspx

  27. https://www.flickr.com/photos/saeru/872702709/

  29. https://www.pinterest.com/pin/299911656412432748/

  32. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

  33. https://www.flickr.com/photos/yaketyyakyak/7306685420/

  36. https://www.flickr.com/photos/poopface/2544221497/

  38. https://www.flickr.com/photos/justinhoch/5417977222/

  40. https://www.flickr.com/photos/pheezy/3769080979/

  41. https://www.flickr.com/photos/foilman/38557740656/

  42. https://www.pinterest.com/pin/481885228855703308/

  44. OWASP Top 10 (2017), recap https://www.owasp.org/index.php/Top_10-2017_Top_10
      • Injection
      • Broken Authentication
      • Sensitive Data Exposure
      • XML External Entities (XXE)
      • Broken Access Control
      • Security Misconfiguration
      • Cross Site Scripting (XSS)
      • Insecure Deserialization
      • Components With Known Vulnerabilities
      • Insufficient Logging and Monitoring
  45. https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

  47. https://github.com/skylot/jadx

  48. STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

  49. Exploring Information Security podcast

  50. https://www.flickr.com/photos/tuba/53933899/

  51. https://www.youtube.com/watch?v=JzPoz2safPI

  52. http://www.potterworldmc.com/forum/m/23366915/viewthread/24561719-quibbler

  53. References
      • http://www.troyhunt.com – http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
      • http://www.owasp.org – http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
      • http://www.microsoft.com/security/sdl/default.aspx
      • http://blogs.msdn.com/b/sdl
      • http://bsimm.com
      • http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
      • http://www.nosqlmap.net/index.html
      • http://www.veracode.com/resources/state-of-software-security
  54. Tools
      • https://www.kali.org/
      • OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
      • https://www.microsoft.com/en-us/download/details.aspx?id=49168 (Threat Model designer)
      • JuiceShop https://github.com/bkimminich/juice-shop
      • ysoserial.NET https://github.com/pwntester/ysoserial.net