Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security Patterns 2012
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Mike Wiesner
November 08, 2012
Programming
0
50
Security Patterns 2012
Mike Wiesner
November 08, 2012
Tweet
Share
More Decks by Mike Wiesner
See All by Mike Wiesner
Transaktionen in Java
mikewiesner
0
88
Introduction to Spring Security 3/3.1
mikewiesner
0
130
Other Decks in Programming
See All in Programming
Patterns of Patterns
denyspoltorak
0
1.4k
OSSとなったswift-buildで Xcodeのビルドを差し替えられるため 自分でXcodeを直せる時代になっている ダイアモンド問題編
yimajo
3
610
Oxlintはいいぞ
yug1224
5
1.3k
AIフル活用時代だからこそ学んでおきたい働き方の心得
shinoyu
0
130
MUSUBIXとは
nahisaho
0
130
MDN Web Docs に日本語翻訳でコントリビュート
ohmori_yusuke
0
640
Data-Centric Kaggle
isax1015
2
760
ThorVG Viewer In VS Code
nors
0
760
Architectural Extensions
denyspoltorak
0
270
組織で育むオブザーバビリティ
ryota_hnk
0
170
AI & Enginnering
codelynx
0
110
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
500
Featured
See All Featured
Git: the NoSQL Database
bkeepers
PRO
432
66k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.1k
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
640
KATA
mclloyd
PRO
34
15k
The SEO identity crisis: Don't let AI make you average
varn
0
64
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
aleyda
1
1.8k
Paper Plane
katiecoart
PRO
0
46k
Color Theory Basics | Prateek | Gurzu
gurzu
0
190
Prompt Engineering for Job Search
mfonobong
0
160
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.6k
Un-Boring Meetings
codingconduct
0
200
Transcript
Security Patterns mehr als nur Authentifizierung und Autorisierung Mike Wiesner
[email protected]
None
Application Security?
Enterprise Java = Spring Spring + Security = Spring Security
Authentication Authorization
Fertig?
• Injection • Cross-Site Scripting (XSS) • Broken Authentication and
Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten
Security ist ein Prozess
select * from users where user = 'user' and password
= '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection
XML Processing
fromFile newOrderXml download box downloadSecured boxSecured
Alle noch wach?
Demo Time!
Input Validation
JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private
String addressline1; @Length(max=30) private String addressline2; }
Trust Zones
None
OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Demo Time!
Security Misconfiguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren
• Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”
OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Fertig?
Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF
Defense in Depth
Fazit • Application Security ist ein Prozess • Jeder Entwickler
muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!
Mike Wiesner
[email protected]
http://bit.ly/SECPATTERN12
SiteGround - Reliable hosting with speed, security, and support you can count on.
mikewiesner
denyspoltorak
yimajo
yug1224
shinoyu
nahisaho
ohmori_yusuke
isax1015
nors
ryota_hnk
codelynx
ivargrimstad
bkeepers
danielanewman
nmsamuel
mclloyd
varn
caitiem20
aleyda
katiecoart
gurzu
mfonobong
addyosmani
codingconduct
![Mike Wiesner [email protected] http://bit.ly/SECPATTERN12](https://files.speakerdeck.com/presentations/ad2731100c6f0130254d123139154813/slide_25.jpg){kind=link}