Security Patterns 2012
Mike Wiesner
November 08, 2012
Transcript
Security Patterns: more than just authentication and authorization. Mike Wiesner
[email protected]
Application Security?
Enterprise Java = Spring
Spring + Security = Spring Security
Authentication Authorization
Done?
OWASP Top Ten
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Security is a process
SQL Injection
Diagram components: Client, Login, BBI, Webserver, Database
Injected input: ' or '1' = '1
Resulting query:
    select * from users where user = 'user' and password = '' or '1' = '1'
XML Processing
Demo identifiers: fromFile, newOrderXml, download, box, downloadSecured, boxSecured
Everyone still awake?
Demo Time!
Input Validation
JSR-303: Bean Validation
    public class Address {
        @NotNull
        @Length(max=30)
        private String addressline1;

        @Length(max=30)
        private String addressline2;
    }
Trust Zones
OWASP Top Ten
Demo Time!
Security Misconfiguration
• Know the frameworks in use
• Document the frameworks in use
• Have a process for security bugs in frameworks
• "Hide" frameworks
OWASP Top Ten
Done?
Encoding Problems
Browser → Internet → Tomcat → File System
../ sent as %C0%AE%C0%AE%C0%AF
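Added example, not part of the deck: a request-path check for the encoding problem on this slide. %C0%AE is an overlong (illegal) UTF-8 encoding of '.', so a lenient decoder turns %C0%AE%C0%AE%C0%AF into ../ after a naive traversal check has already passed; strict UTF-8 decoding refuses it. The document root /var/www and the helper names are assumptions.

```python
"""Added example (not from the deck): reject overlong-UTF-8 traversal such as
%C0%AE%C0%AE%C0%AF before a request path reaches the file system."""
import posixpath
from urllib.parse import unquote_to_bytes


class PathRejected(ValueError):
    """Raised when a request path must not be served."""


def resolve_request_path(raw_path: str, doc_root: str = "/var/www") -> str:
    """Percent-decode ONCE, decode as strict UTF-8, normalise, confine to doc_root.

    Strict decoding is the key step: C0 and C1 are never valid UTF-8 lead
    bytes, so the overlong '.' (C0 AE) and '/' (C0 AF) are rejected here
    instead of silently becoming '../' later in the file-system layer.
    """
    raw_bytes = unquote_to_bytes(raw_path)           # decode exactly once
    try:
        decoded = raw_bytes.decode("utf-8")          # strict by default
    except UnicodeDecodeError as exc:
        raise PathRejected(f"invalid UTF-8 in path: {exc.reason}") from exc
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")       # truncation trick
    # Normalise the decoded text, then confine: normpath collapses '..', so
    # anything that ends up outside doc_root is a traversal attempt.
    candidate = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        raise PathRejected(f"path escapes document root: {candidate}")
    return candidate


def is_safe(raw_path: str) -> bool:
    """True when resolve_request_path would serve the path, False otherwise."""
    try:
        resolve_request_path(raw_path)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed sample request paths; the last one is the slide's encoding.
    for p in ["/docs/index.html", "/%2e%2e/etc/passwd", "/%C0%AE%C0%AE%C0%AFetc/passwd"]:
        print(p, "->", "served" if is_safe(p) else "rejected")
```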
Defense in Depth
Conclusion
• Application security is a process
• Every developer must know the basics
• It must not stop innovation
• Frameworks can help,
• but do not solve all problems!
Mike Wiesner
[email protected]
http://bit.ly/SECPATTERN12