SlideShare ist ein Scribd-Unternehmen logo
1 von 18
Downloaden Sie, um offline zu lesen
10 Adımda
Yazılım Güvenliği
OWASP-Turkey
Bünyamin Demir
Bünyamin Demir ( @bunyamindemir )
– Lisans Kocaeli Üni. Matematik Bölümü
– Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı
Güvenliği
– Uygulama Geliştirici
– OWASP Türkiye Bölüm Lideri
– Sızma Testleri Uzmanı
• Web, Mobil, Network, SCADA, Wireless,
Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi
• Kaynak kod analizi
– Eğitmen
• Web/Mobil Uygulama Güvenlik Denetimi
• Güvenli Kod Geliştirme
• Veritabanı Güvenliği
2
3
OWASP
4
Why is OWASP Special?
• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
5
OWASP Projects
6
Application Security Verification Standart
1 - Girdi Denetimi
7
public boolean validateUsername(String username) {
String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
if (username == null) {
return false;
}
Pattern p = Pattern.compile(usernamePattern);
Matcher m = p.matcher(username);
if (!m.matches()) {
return false;
}
return true;
}
if (!validateUsername(username)) {
//uygun olmayan kullanıcı adı
}
ESAPI ile Girdi Denetimi
8
Validator.Username=^[a-zA-Z0-9]{6,12}$
String username = request.getParameter("username");
boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username",
12, false);
if (!booluser) {
// uygun olmayan kullanıcı adı
}
2-Sanitization
9
String safeMarkup = ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true );
<%
String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart.,
D/Blok, No:5";
String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true);
%>
<div><%= safeAddressText %></div>
<div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>
3 – HttpOnly Cookie
10
Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly;
Domain=www.site.com; Path=/; Secure; HttpOnly
4 – Secure Cookie
11
Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com;
Path=/; Secure; HttpOnly
5 – Oturum Anahtarı
12
ESAPI.httpUtilities().changeSessionIdentifier();
Users user = new LoginDAO().login(username, password);
if (user.isAuthenticated()) {
currentSession = request.getSession(true);
currentSession.invalidate();
HttpSession newSession = request.getSession(true);
} else {
request.setAttribute("loginerr", "username or password is invalid");
request.getRequestDispatcher("login.jsp").forward(request, response);
}
6 – Güvenli Chaptcha
13
7 – getCanonicalPath()
14
getCanonicalPath()
http://www.site.com/getFile.jsp=file=/../../../../etc/passwd
getCanonicalPath(/www/data/site_com/files/../../../../etc/passwd)
/etc/passwd != /www/data/site_com/files/
8 – HTTPS
15
Kimlik doğrulama işlevi barındıran uygulamaların güvenli
kanallar ile iletişim sağlıyor olması gerekir.
9 – Form Token
16
<form name="comment" action="product_comment.jsp?pid=53" method="POST">
Comment: <input type="text" name="comment"/>
<input type="submit" value="Submit"/>
<input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA...">
</form>
10 – Prepared Statement
17
...
String className = request.getParameter("class");
String query = "SELECT * FROM students WHERE class = '" + className + "'";
ResultSet rs = stmt.execute(query);
...
...
String className = request.getParameter("class");
PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE
class=?");
psmt.setString(1, className);
ResultSet rs = psmt.executeQuery();
...
18

Más contenido relacionado

Was ist angesagt?

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
 
Its just a flesh wound
Its just a flesh woundIts just a flesh wound
Its just a flesh woundBrett Gravois
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually likeEdorian
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Yosuke HASEGAWA
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Ömer Çıtak
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
 
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeMicrosoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeTom Janetscheck
 
Techorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center UnleashedTechorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center UnleashedTom Janetscheck
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...PROIDEA
 

Was ist angesagt? (20)

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
 
Its just a flesh wound
Its just a flesh woundIts just a flesh wound
Its just a flesh wound
 
Nginx - The webserver you might actually like
Nginx - The webserver you might actually likeNginx - The webserver you might actually like
Nginx - The webserver you might actually like
 
Jersey Aquarium Paris
Jersey Aquarium ParisJersey Aquarium Paris
Jersey Aquarium Paris
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
 
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control planeMicrosoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane
 
Techorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center UnleashedTechorama 2019 - Azure Security Center Unleashed
Techorama 2019 - Azure Security Center Unleashed
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
 
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...
PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...
 

Andere mochten auch

Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...CypSec - Siber Güvenlik Konferansı
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİBGA Cyber Security
 
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıEvren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıCypSec - Siber Güvenlik Konferansı
 
Bilgisayarda Güvenlik ve Tehlikeleri
Bilgisayarda Güvenlik ve TehlikeleriBilgisayarda Güvenlik ve Tehlikeleri
Bilgisayarda Güvenlik ve TehlikeleriBilal Akçay
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3BGA Cyber Security
 

Andere mochten auch (6)

Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
 
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığıEvren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı
 
Bilgisayarda Güvenlik ve Tehlikeleri
Bilgisayarda Güvenlik ve TehlikeleriBilgisayarda Güvenlik ve Tehlikeleri
Bilgisayarda Güvenlik ve Tehlikeleri
 
Yazılım Güvenliği
Yazılım GüvenliğiYazılım Güvenliği
Yazılım Güvenliği
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
 

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği

OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinTobias Zander
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Automate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute BreakAutomate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute BreakSafe Software
 
UA Testing with Selenium and PHPUnit - ZendCon 2013
UA Testing with Selenium and PHPUnit - ZendCon 2013UA Testing with Selenium and PHPUnit - ZendCon 2013
UA Testing with Selenium and PHPUnit - ZendCon 2013Michelangelo van Dam
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and moreWSO2
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebMikel Torres Ugarte
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013Michelangelo van Dam
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Matt Lacey
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği (20)

OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in Berlin
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
Automate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute BreakAutomate Your FME Server Installs, Take a Five Minute Break
Automate Your FME Server Installs, Take a Five Minute Break
 
UA Testing with Selenium and PHPUnit - ZendCon 2013
UA Testing with Selenium and PHPUnit - ZendCon 2013UA Testing with Selenium and PHPUnit - ZendCon 2013
UA Testing with Selenium and PHPUnit - ZendCon 2013
 
SOA with C, C++, PHP and more
SOA with C, C++, PHP and moreSOA with C, C++, PHP and more
SOA with C, C++, PHP and more
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo Web
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013UA testing with Selenium and PHPUnit - PFCongres 2013
UA testing with Selenium and PHPUnit - PFCongres 2013
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Is your mobile app as secure as you think?
Is your mobile app as secure as you think?Is your mobile app as secure as you think?
Is your mobile app as secure as you think?
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 

Mehr von CypSec - Siber Güvenlik Konferansı

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...CypSec - Siber Güvenlik Konferansı
 
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? CypSec - Siber Güvenlik Konferansı
 
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıOnur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıCypSec - Siber Güvenlik Konferansı
 
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...CypSec - Siber Güvenlik Konferansı
 
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...CypSec - Siber Güvenlik Konferansı
 

Mehr von CypSec - Siber Güvenlik Konferansı (11)

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...
 
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi? Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?
 
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle SaldırılarıOnur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları
 
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...
 
Yrd. Doç. Dr. Yavuz Erdoğan
Yrd. Doç. Dr. Yavuz ErdoğanYrd. Doç. Dr. Yavuz Erdoğan
Yrd. Doç. Dr. Yavuz Erdoğan
 
Suleyman Özarslan - 2014 Hackerların Yükselişi
Suleyman Özarslan - 2014 Hackerların YükselişiSuleyman Özarslan - 2014 Hackerların Yükselişi
Suleyman Özarslan - 2014 Hackerların Yükselişi
 
Canberk Bolat & Barış Vidin - İzleniyorsunuz
Canberk Bolat & Barış Vidin - İzleniyorsunuzCanberk Bolat & Barış Vidin - İzleniyorsunuz
Canberk Bolat & Barış Vidin - İzleniyorsunuz
 
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...
 
Can Deger - Ben Heykır Olcam
Can Deger - Ben Heykır OlcamCan Deger - Ben Heykır Olcam
Can Deger - Ben Heykır Olcam
 
Canberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android DiyarındaCanberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android Diyarında
 
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)
 

Último

UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 

Último (20)

UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

  • 2. Bünyamin Demir ( @bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2
  • 4. 4 Why is OWASP Special?
  • 5. • OWASP Top 10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects
  • 7. 1 - Girdi Denetimi 7 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //uygun olmayan kullanıcı adı }
  • 8. ESAPI ile Girdi Denetimi 8 Validator.Username=^[a-zA-Z0-9]{6,12}$ String username = request.getParameter("username"); boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username", 12, false); if (!booluser) { // uygun olmayan kullanıcı adı }
  • 9. 2-Sanitization 9 String safeMarkup = ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true ); <% String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart., D/Blok, No:5"; String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true); %> <div><%= safeAddressText %></div> <div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>
  • 10. 3 – HttpOnly Cookie 10 Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
  • 11. 4 – Secure Cookie 11 Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly
  • 12. 5 – Oturum Anahtarı 12 ESAPI.httpUtilities().changeSessionIdentifier(); Users user = new LoginDAO().login(username, password); if (user.isAuthenticated()) { currentSession = request.getSession(true); currentSession.invalidate(); HttpSession newSession = request.getSession(true); } else { request.setAttribute("loginerr", "username or password is invalid"); request.getRequestDispatcher("login.jsp").forward(request, response); }
  • 13. 6 – Güvenli Chaptcha 13
  • 15. 8 – HTTPS 15 Kimlik doğrulama işlevi barındıran uygulamaların güvenli kanallar ile iletişim sağlıyor olması gerekir.
  • 16. 9 – Form Token 16 <form name="comment" action="product_comment.jsp?pid=53" method="POST"> Comment: <input type="text" name="comment"/> <input type="submit" value="Submit"/> <input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA..."> </form>
  • 17. 10 – Prepared Statement 17 ... String className = request.getParameter("class"); String query = "SELECT * FROM students WHERE class = '" + className + "'"; ResultSet rs = stmt.execute(query); ... ... String className = request.getParameter("class"); PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE class=?"); psmt.setString(1, className); ResultSet rs = psmt.executeQuery(); ...
  • 18. 18

Hinweis der Redaktion

  1. Why is OWASP Special? Over 43,000 community members worldwide, in over 100 countries Rapid growth over the 12+ years since OWASP’s inception. Demonstrative of our growth as an organization is our revenue which is comes primarily from global conferences such as this as well as memberships. In the last year our revenue grew from just under a million dollars in 2012 to an estimated 1.8 million for the current year. Different from other organizations and conferences because The community Incubator for Ideas and OWASP Projects – Open Source Documentation, Tools, Code Libraries