A Boy, A Sugar Glider and the TSA
Brian Clark
@_clarkio
Credit: https://www.flickr.com/photos/pitmanra/
Credit: https://www.flickr.com/photos/lostintexas/
Credit: https://www.flickr.com/photos/muar_chee/
Browser (http://insecureheroes.com) <-> Server (http://insecureheroes.com)
Browser (http://insecureheroes.com) + Cookies <-> Server (http://insecureheroes.com)
Hero: Luke
Browser (http://insecureheroes.com) + Cookies, with http://clickbaity.co also open <-> Server (http://insecureheroes.com)
Browser (http://insecureheroes.com) + Cookies, with http://attacker.com also open <-> Server (http://insecureheroes.com)
Attack -> insecureheroes.com
Hero: Darth
Cross-site Request Forgery
An attack that executes a request on behalf of another authenticated user who did not intend to perform the action being requested.
Synchronizer Token Pattern
Random token
Unique to user and session
Part of the request header
Validated server-side
https://www.npmjs.com/package/csurf
https://angular.io/guide/http#security-xsrf-protection
https://caniuse.com/#search=samesite
Cross-site Scripting (XSS)
An attack that injects malicious code into a trusted web site such that it may be executed unintentionally by other users.
Prevention
Content Security Policy: control what resources the browser is allowed to load
Input Handling: ensure data is aligned with the expectations for its intended use
Input Handling: Validation, Sanitization, Escaping
Validation: ensure the data is legit. Result: Invalid Email
Sanitization: clean the bad data. Result: BC
Escaping: encode the bad data. Result: B<script>alert(1);</script>C
Do not trust user input
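The three input handlers above run over the talk's own payload, as an added example (not code from the talk or its sample repository). The email pattern and the tag-stripping regex are constructed for the demo; a production sanitizer works on a parsed DOM with an allow-list rather than on regexes.

```javascript
// Validation: reject data that does not match the shape its use expects.
// Deliberately simple email check, constructed for the demo only.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function validateEmail(value) {
  return EMAIL_RE.test(value) ? { ok: true, value } : { ok: false, error: 'Invalid Email' };
}

// Sanitization: remove the parts that must never reach the sink. Here
// <script> blocks go first, then any remaining tag. Regex stripping is a
// demo stand-in; real sanitizers parse the markup and keep an allow-list.
function sanitizeHtml(value) {
  return value
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/<[^>]*>/g, '');
}

// Escaping: keep the data intact but encode it so the browser renders it
// as text instead of markup when it lands in an HTML body.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Demo over the payload used on the slides.
function demo() {
  const payload = 'B<script>alert(1);</script>C';
  return {
    validation: validateEmail('not an email'),
    sanitization: sanitizeHtml(payload),
    escaping: escapeHtml(payload),
  };
}
```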
Where should we apply input handlers? Client? Server?
Browser (http://insecureheroes.com) <-> Server (http://insecureheroes.com)
Security Boundary between Browser and Server
Browser: Untrusted
Server: Trusted
Both?
https://angular.io/guide/security
https://www.npmjs.com/package/express-validator
https://www.npmjs.com/package/xss-filters
Summary
Access Control
Malicious Input
Sugar Gliders
Faking Requests
References
https://owasp.org
https://github.com/Azure-Samples/angular-cosmosdb
(branch: insecure-heroes)
https://angular.io/guide/security
https://www.npmjs.com/package/csurf
https://angular.io/guide/http#security-xsrf-protection
https://caniuse.com/#search=samesite
Brian Clark
@_clarkio
Thank You!

2018 Orlando Devs - Application Security