Slide 1

Security Patterns: more than just authentication and authorization
Mike Wiesner [email protected]

Slide 2

No content

Slide 3

Application Security?

Slide 4

Enterprise Java = Spring
Spring + Security = Spring Security

Slide 5

Authentication
Authorization

Slide 6

Done?

Slide 7

OWASP Top Ten
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Slide 8

Security is a process

Slide 9

SQL Injection

Login form
  username: user
  password: ' or '1' = '1
Client → Webserver (BBI) → Database

Resulting query:
  select * from users where user = 'user' and password = '' or '1' = '1'

Slide 10

XML Processing

Slide 11

fromFile newOrderXml download box downloadSecured boxSecured

Slide 12

Everyone still awake?

Slide 13

Demo Time!

Slide 14

Input Validation

Slide 15

JSR-303: Bean Validation

  import javax.validation.constraints.NotNull;
  // @Length is a Hibernate Validator extension; plain JSR-303 offers @Size
  import org.hibernate.validator.constraints.Length;

  public class Address {
      @NotNull
      @Length(max=30)
      private String addressline1;

      @Length(max=30)
      private String addressline2;
  }

Slide 16

Trust Zones

Slide 17

No content

Slide 18

OWASP Top Ten
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Slide 19

Demo Time!

Slide 20

Security Misconfiguration
• Know the frameworks you use
• Document the frameworks you use
• Have a process for security bugs in frameworks
• "Hide" frameworks

Slide 21

OWASP Top Ten
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Slide 22

Done?

Slide 23

Encoding Problems

Browser → Internet → Tomcat → File System
Request path: %C0%AE%C0%AE%C0%AF
(an overlong UTF-8 encoding of ../ that a filter on the raw string does not recognise)
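The traversal on this slide, as an added example (not code from the talk): a model of a lenient decoder that turns %C0%AE%C0%AE%C0%AF into ../, a filter on the undecoded path that cannot see it, and the defender's fix, strict UTF-8 decoding plus a root check after decoding. WEB_ROOT and the sample request are assumptions.

```python
from urllib.parse import unquote_to_bytes
import posixpath

WEB_ROOT = "/srv/www"                       # assumed document root
OVERLONG = "%C0%AE%C0%AE%C0%AFsecret.txt"   # constructed sample request


def lenient_utf8(data: bytes) -> str:
    """Model of a lenient decoder: bit-strips two-byte sequences without
    checking that the shortest encoding was used, so C0 AE -> '.' and
    C0 AF -> '/'. Undecodable bytes become U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def lenient_decode_path(raw: str) -> str:
    return lenient_utf8(unquote_to_bytes(raw))


def raw_filter_blocks(raw: str) -> bool:
    """Filter applied to the undecoded path: it never sees the overlong form."""
    return "../" in raw


def decode_path_strict(raw: str):
    """Percent-decode, then decode as strict UTF-8. Python's strict decoder
    rejects overlong sequences (0xC0 is never a valid lead byte)."""
    try:
        return unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None


def check_request(raw: str, root: str = WEB_ROOT):
    """Decode strictly first, then resolve against root and refuse anything
    that escapes it: the check runs on the bytes the file system will see."""
    decoded = decode_path_strict(raw)
    if decoded is None:
        return ("reject", "invalid UTF-8")
    full = posixpath.normpath(posixpath.join(root, decoded))
    if full != root and not full.startswith(root + "/"):
        return ("reject", "escapes root")
    return ("allow", full)
```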

Slide 24

Defense in Depth

Slide 25

Conclusion
• Application security is a process
• Every developer must know the basics
• It must not stop innovation
• Frameworks can help,
• but cannot solve every problem!

Slide 26

Mike Wiesner [email protected] http://bit.ly/SECPATTERN12