Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Patterns 2012

Mike Wiesner
November 08, 2012
Programming
0
36

Security Patterns 2012

Mike Wiesner

November 08, 2012
Tweet

More Decks by Mike Wiesner

See All by Mike Wiesner
Transaktionen in Java
mikewiesner
0
59
Introduction to Spring Security 3/3.1
mikewiesner
0
100

Other Decks in Programming

See All in Programming
一文字エイリアスのすすめ
fujimura
0
200
The Cutting Edge Of Versioning (LambdaConf 2024)
chriskrycho
0
250
TypeScriptでもLLMアプリケーション開発 / LLM Application In Typescript
rkaga
5
1.3k
TypeScriptで使いやすいOpenAPIの書き方
yukimochi_dwango
1
910
WinActorの勉強を継続する方法
tamai_63
0
130
スタックトレース始めてみた
kuro_kurorrr
5
1.1k
欠陥を早期に発見するための Software Engineer in Test とその重要性 / What is Software Engineer in Test and How they works
orgachem
PRO
18
2.4k
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
320
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
74k
Criando a Woovi em uma semana
daniloab
0
120
Docker_OSS_ホスティング入門
satokoki645
0
140
GitHub Actionsの痒いところを埋めるサードパーティーランナー
dora1998
2
270

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
1
130
Building Effective Engineering Teams - LeadDev
addyosmani
33
1.9k
Design by the Numbers
sachag
274
18k
The Invisible Customer
myddelton
114
12k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Done Done
chrislema
178
15k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
How STYLIGHT went responsive
nonsquared
92
4.8k
Happy Clients
brianwarren
92
6.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Embracing the Ebb and Flow
colly
80
4.2k

Transcript

  1. Security Patterns mehr als nur Authentifizierung und Autorisierung Mike Wiesner

    [email protected]
  2. None

  3. Application Security?

  4. Enterprise Java = Spring Spring + Security = Spring Security

  5. Authentication Authorization

  6. Fertig?

  7. • Injection • Cross-Site Scripting (XSS) • Broken Authentication and

    Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten

  8. Security ist ein Prozess

  9. select * from users where user = 'user' and password

    = '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection

  10. XML Processing

  11. fromFile newOrderXml download box downloadSecured boxSecured

  12. Alle noch wach?

  13. Demo Time!

  14. Input Validation

  15. JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private

    String addressline1; @Length(max=30) private String addressline2; }

  16. Trust Zones

  17. None

  18. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  19. Demo Time!

  20. Security Misconfiguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren

    • Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”

  21. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  22. Fertig?

  23. Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF

  24. Defense in Depth

  25. Fazit • Application Security ist ein Prozess • Jeder Entwickler

    muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!

  26. Mike Wiesner [email protected] http://bit.ly/SECPATTERN12