Slide 1


Application Security: What you don't know can hurt you
Joe Kuemerle, www.kuemerle.com, @jkuemerle

Slide 2


Thanks to our AWESOME sponsors!

Slide 3


@jkuemerle / www.kuemerle.com

Joe Kuemerle
• Developer at BookingBuilder Technologies
• Over 15 years of development experience with a broad range of technologies
• Focused on application and data security, coding best practices and regulatory compliance
• Presenter at community, regional and national events

Slide 4


How did Mr. Boddy get hacked?

Slide 5


Source: Web Hacking Incident Database, http://tinyurl.com/AppAttackStats

Slide 6


Slide 7


Slide 8


• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• http://wpl.codeplex.com

Slide 9


Slide 10


Slide 11


Slide 12


Slide 13


Slide 14


Slide 15


STRIDE threat categories:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

Slide 16


Slide 17


Slide 18


Slide 19


Photo Credits
• http://www.flickr.com/photos/pcoin/4629410478
• http://www.flickr.com/photos/ekreitschmann/3296628124
• http://www.flickr.com/photos/quinnanya/3333961881
• http://www.flickr.com/photos/pcambra/3347911070
• http://www.flickr.com/photos/superamit/2491512156
• http://www.flickr.com/photos/terrio/5710831966
• http://www.flickr.com/photos/cliffnordman/6131349171
• http://www.flickr.com/photos/suckamc/4075609940
• http://www.flickr.com/photos/alan-light/211186811
• http://www.flickr.com/photos/marksteele/3766525250
• http://www.flickr.com/photos/petithiboux/4062233946
• http://www.flickr.com/photos/theevilmightyf/1496413769
• http://www.flickr.com/photos/cookylamoo/5059188603
• http://www.flickr.com/photos/phploveme/2911722148

Slide 20


References
• http://www.troyhunt.com
  o http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
• http://www.owasp.org
  o http://www.youtube.com/user/AppsecTutorialSeries?feature=watch
• http://www.microsoft.com/security/sdl/default.aspx
• http://blogs.msdn.com/b/sdl
• http://bsimm.com
• http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
• http://www.google.com/reader/bundle/user%2F11910239077358858577%2Fbundle%2FSecurity

Slide 21


Tools
• http://wpl.codeplex.com
• http://www.backtrack-linux.org
• http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=14719 (Threat Model designer)
• http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21769 (File fuzzer)
• WebGoat.NET
  o https://github.com/sempf/WebGoat.NET
  o https://github.com/jkuemerle/WebGoat.NET

Slide 22


Rate this talk: http://speakerrate.com/jkuemerle