SlideShare ist ein Scribd-Unternehmen logo

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

Als PPTX, PDF herunterladen
A
Andi Rustandi Djunaedi

related webminar : https://www.youtube.com/watch?v=p1WbHLsqTnI related code: https://github.com/bliblidotcom/sample-basic-secure-coding

Technologie
1 von 12
Secure Coding the bare minimum – understand the problem
Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping

Empfohlen

Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Damian Beresford
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23BIWUG
 
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens Sencha
 
Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Brij Mishra
 
Building rest services using aspnetwebapi
Building rest services using aspnetwebapiBuilding rest services using aspnetwebapi
Building rest services using aspnetwebapiBrij Mishra
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps FasterBrij Mishra
 
Writing power shell the right tool for the job
Writing power shell the right tool for the jobWriting power shell the right tool for the job
Writing power shell the right tool for the jobJaap Brasser
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowJaap Brasser
 

Empfohlen

Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Node.js Dublin Meetup April 2014
Node.js Dublin Meetup April 2014Damian Beresford
 
Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23Penny coventry fiddler-spsbe23
Penny coventry fiddler-spsbe23BIWUG
 
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens
SenchaCon 2016: Being Productive with the New Sencha Fiddle - Mitchell Simoens Sencha
 
Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Getting Started with ASP.NET 5
Getting Started with ASP.NET 5Brij Mishra
 
Building rest services using aspnetwebapi
Building rest services using aspnetwebapiBuilding rest services using aspnetwebapi
Building rest services using aspnetwebapiBrij Mishra
 
10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps Faster10 tips to make your ASP.NET Apps Faster
10 tips to make your ASP.NET Apps FasterBrij Mishra
 
Writing power shell the right tool for the job
Writing power shell the right tool for the jobWriting power shell the right tool for the job
Writing power shell the right tool for the jobJaap Brasser
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowJaap Brasser
 
CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development LetsConnect
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...Sencha
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfNCCOMMS
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automationJaap Brasser
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShellJaap Brasser
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShellJaap Brasser
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBValeri Karpov
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowJaap Brasser
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA ConfigurationJaap Brasser
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShellJaap Brasser
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShellJaap Brasser
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With JestBen McCormick
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...DIWUG
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environmentJaap Brasser
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend toolingpksjce
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfiantoidsecconf
 
Planidoo & Zotonic
Planidoo & ZotonicPlanidoo & Zotonic
Planidoo & ZotonicDavid de Boer
 
Design for scale
Design for scaleDesign for scale
Design for scaleDoug Lampe
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzureGunnar Peipman
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiJaap Brasser
 
Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in schoolMichael Galpin
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with FiddlerIdo Flatow
 

Weitere ähnliche Inhalte

Was ist angesagt?

CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development LetsConnect
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...Sencha
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfNCCOMMS
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automationJaap Brasser
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShellJaap Brasser
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShellJaap Brasser
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBValeri Karpov
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowJaap Brasser
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA ConfigurationJaap Brasser
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShellJaap Brasser
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShellJaap Brasser
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With JestBen McCormick
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...DIWUG
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environmentJaap Brasser
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend toolingpksjce
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfiantoidsecconf
 
Design for scale
Design for scaleDesign for scale
Design for scaleDoug Lampe
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzureGunnar Peipman
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiJaap Brasser
 

Was ist angesagt? (20)

CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development CrossWorlds: Unleash the Power of Domino for Connections Development
CrossWorlds: Unleash the Power of Domino for Connections Development
 
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
SenchaCon 2016: Turbocharge your Ext JS App - Per Minborg, Anselm McClain, Jo...
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio StruyfO365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
 
Secure your environment by automation
Secure your environment by automationSecure your environment by automation
Secure your environment by automation
 
Automating security with PowerShell
Automating security with PowerShellAutomating security with PowerShell
Automating security with PowerShell
 
Paint it blue with PowerShell
Paint it blue with PowerShellPaint it blue with PowerShell
Paint it blue with PowerShell
 
TDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDBTDD a REST API With Node.js and MongoDB
TDD a REST API With Node.js and MongoDB
 
Apply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrowApply chat automation today - work smarter tomorrow
Apply chat automation today - work smarter tomorrow
 
Building your own JEA Configuration
Building your own JEA ConfigurationBuilding your own JEA Configuration
Building your own JEA Configuration
 
Manage your infrastructure with PowerShell
Manage your infrastructure with PowerShellManage your infrastructure with PowerShell
Manage your infrastructure with PowerShell
 
Reach the next level with PowerShell
Reach the next level with PowerShellReach the next level with PowerShell
Reach the next level with PowerShell
 
Saving Time By Testing With Jest
Saving Time By Testing With JestSaving Time By Testing With Jest
Saving Time By Testing With Jest
 
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
SPSNL17 - Getting started with SharePoint development for the reluctant IT Pr...
 
Chat automation in a Modern IT environment
Chat automation in a Modern IT environmentChat automation in a Modern IT environment
Chat automation in a Modern IT environment
 
Next generation frontend tooling
Next generation frontend toolingNext generation frontend tooling
Next generation frontend tooling
 
Code review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief KarfiantoCode review and security audit in private cloud - Arief Karfianto
Code review and security audit in private cloud - Arief Karfianto
 
Planidoo & Zotonic
Planidoo & ZotonicPlanidoo & Zotonic
Planidoo & Zotonic
 
Design for scale
Design for scaleDesign for scale
Design for scale
 
Porting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows AzurePorting ASP.NET applications to Windows Azure
Porting ASP.NET applications to Windows Azure
 
From zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the guiFrom zero to hero – learn how to automate from the gui
From zero to hero – learn how to automate from the gui
 

Ähnlich wie Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in schoolMichael Galpin
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with FiddlerIdo Flatow
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Hong Tat Yew
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
The Python in the Apple
The Python in the AppleThe Python in the Apple
The Python in the ApplezeroSteiner
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators liteSharon James
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsMark Atwood
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIsSilota Inc.
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
Creating a Documentation Portal
Creating a Documentation PortalCreating a Documentation Portal
Creating a Documentation PortalSteve Anderson
 
How to Contribute to Apache Usergrid
How to Contribute to Apache UsergridHow to Contribute to Apache Usergrid
How to Contribute to Apache UsergridDavid M. Johnson
 
MEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopMEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopValeri Karpov
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarForgeRock
 
Extending WordPress as a pro
Extending WordPress as a proExtending WordPress as a pro
Extending WordPress as a proMarko Heijnen
 
Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015Kim Frehe
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescueMarko Heijnen
 

Ähnlich wie Tech IT Easy x DevTalk : "Secure Your Coding with OWASP" (20)

Android lessons you won't learn in school
Android lessons you won't learn in schoolAndroid lessons you won't learn in school
Android lessons you won't learn in school
 
Debugging the Web with Fiddler
Debugging the Web with FiddlerDebugging the Web with Fiddler
Debugging the Web with Fiddler
 
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan KuštInfinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
Infinum Android Talks #13 - Developing Android Apps Like Navy Seals by Ivan Kušt
 
Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)Introduction to cypress in Angular (Chinese)
Introduction to cypress in Angular (Chinese)
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
The Python in the Apple
The Python in the AppleThe Python in the Apple
The Python in the Apple
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators lite
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
OpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red HatsOpenShift Origin: Build a PaaS Just Like Red Hats
OpenShift Origin: Build a PaaS Just Like Red Hats
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIs
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
Creating a Documentation Portal
Creating a Documentation PortalCreating a Documentation Portal
Creating a Documentation Portal
 
How to Contribute to Apache Usergrid
How to Contribute to Apache UsergridHow to Contribute to Apache Usergrid
How to Contribute to Apache Usergrid
 
MEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona WorkshopMEAN Stack WeNode Barcelona Workshop
MEAN Stack WeNode Barcelona Workshop
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 WebinarOpenIDM - Flexible Provisioning Platform - April 28 Webinar
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
 
Extending WordPress as a pro
Extending WordPress as a proExtending WordPress as a pro
Extending WordPress as a pro
 
Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015Highlights from microsoft ignite 2015
Highlights from microsoft ignite 2015
 
Node.js to the rescue
Node.js to the rescueNode.js to the rescue
Node.js to the rescue
 

Kürzlich hochgeladen

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"

  • 1. Secure Coding the bare minimum – understand the problem
  • 2. Introduction • Andi R Djunaedi • Software Engineer at blibli.com since March 2014 • https://www.linkedin.com/in/andird • https://github.com/andirdju • https://github.com/bliblidotcom
  • 3. Overview – understand the problem • Theory • Code • Web application -> we’ll talk about this • Operating System • Network • Other? • Importance • Practice, get your laptop, pc or whatever • How it works
  • 4. Theory - Code • Web Applications • OWASP Top 10 List - new list every 3 years • https://www.owasp.org/index.php/Top_10_2013-Top_10 • https://www.owasp.org/index.php/Top_10_2010-Main • Top 3 - Samples • SQL Injection • Arbitrary SQL query execution • Session Fixation • Assume other’s Identity • Cross Site Scripting • Arbitrary client code (javascript, html) execution
  • 5. Importance – Non Security • Performance • poor user experience • redesign, refactor, make it faster • Code coverage • buggy, spent more time on fixing bug • stop the leak • When • next iteration
  • 6. Importance – Security • How to fix security incidents ??? • Personal/Financial data stolen • Data deleted • When • NOW !!!
  • 7. Practice – Understand the problem • Run bad web app • OWASP Top 3 Sample • SQL Injection • Session Fixation • Cross Site Scripting • Exercise
  • 8. Run – web app • Git, Jdk 8, Maven • https://github.com/bliblidotcom/sample-basic-secure-coding • In memory H2 database • Embedded server • mvn spring-boot:run • http://localhost:8080
  • 9. Get your laptop – SQL Injection • Demo – Valid use case is only find one record by id • Read all records • Insert new records • Delete all records
  • 10. Get your laptop – Session Fixation • Demo - session info only known to the user • Bad person(A) create new session • Persuade unsuspecting person(B) via phishing • Bad person(A) get session information of other person(B)
  • 11. Get your laptop – Cross Site Scripting • Demo – valid use case only displays list of data • Can be done via the same SQL injection • Html • Add html form • Javascript • Add pop up • Add redirect
  • 12. What’s Next • Crack the other API • it have similar problems • Fix the exploit • Don’t repeat yourself by creating custom solutions • SQL named parameter • Regenerate session id • Content escaping