Bünyamin Demir - 10 Adımda Yazılım Güvenliği

•Als PPTX, PDF herunterladen•

6 gefällt mir•1,602 views

The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.

Technologie

10 Adımda
Yazılım Güvenliği
OWASP-Turkey
Bünyamin Demir

Bünyamin Demir ( @bunyamindemir )
– Lisans Kocaeli Üni. Matematik Bölümü
– Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı
Güvenliği
– Uygulama Geliştirici
– OWASP Türkiye Bölüm Lideri
– Sızma Testleri Uzmanı
• Web, Mobil, Network, SCADA, Wireless,
Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi
• Kaynak kod analizi
– Eğitmen
• Web/Mobil Uygulama Güvenlik Denetimi
• Güvenli Kod Geliştirme
• Veritabanı Güvenliği
2

• OWASP Top 10
• OWASP Zed Attack Proxy (ZAP)
• OpenSAMM
• Cheat Sheets
• ESAPI
• ASVS
• Testing Guide
• Development Guide
5
OWASP Projects

6
Application Security Verification Standart

$1 - Girdi Denetimi 7 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //uygun olmayan kullanıcı adı }$

$ESAPI ile Girdi Denetimi 8 Validator.Username=^[a-zA-Z0-9]{6,12}$ String username = request.getParameter("username"); boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username", 12, false); if (!booluser) { // uygun olmayan kullanıcı adı }$

2-Sanitization
9
String safeMarkup = ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true );
<%
String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart.,
D/Blok, No:5";
String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true);
%>
<div><%= safeAddressText %></div>
<div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>

3 – HttpOnly Cookie
10
Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly;
Domain=www.site.com; Path=/; Secure; HttpOnly

4 – Secure Cookie
11
Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com;
Path=/; Secure; HttpOnly

5 – Oturum Anahtarı
12
ESAPI.httpUtilities().changeSessionIdentifier();
Users user = new LoginDAO().login(username, password);
if (user.isAuthenticated()) {
currentSession = request.getSession(true);
currentSession.invalidate();
HttpSession newSession = request.getSession(true);
} else {
request.setAttribute("loginerr", "username or password is invalid");
request.getRequestDispatcher("login.jsp").forward(request, response);
}

7 – getCanonicalPath()
14
getCanonicalPath()
http://www.site.com/getFile.jsp=file=/../../../../etc/passwd
getCanonicalPath(/www/data/site_com/files/../../../../etc/passwd)
/etc/passwd != /www/data/site_com/files/

8 – HTTPS
15
Kimlik doğrulama işlevi barındıran uygulamaların güvenli
kanallar ile iletişim sağlıyor olması gerekir.

9 – Form Token
16
<form name="comment" action="product_comment.jsp?pid=53" method="POST">
Comment: <input type="text" name="comment"/>
<input type="submit" value="Submit"/>
<input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA...">
</form>

10 – Prepared Statement
17
...
String className = request.getParameter("class");
String query = "SELECT * FROM students WHERE class = '" + className + "'";
ResultSet rs = stmt.execute(query);
...
...
String className = request.getParameter("class");
PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE
class=?");
psmt.setString(1, className);
ResultSet rs = psmt.executeQuery();
...

Weitere ähnliche Inhalte

Was ist angesagt?

Preventing XSS with Content Security Policy

Ksenia Peguero

Content Security Policy - The application security Swiss Army Knife

Scott Helme

Content Security Policy

Ryan LaBouve

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere. This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.

Integrity protection for third-party JavaScript

Francois Marier

If you make a list of popular JavaScript MVC frameworks, AngularJS is probably at the top of the list. Developers around the world are crazy about the Angular way of doing things, and love how easy it is to write AngularJS applications. However, few people know that AngularJS packs a lot security features, right out of the box. Unfortunately, because many developers are not aware of these security features, they are often unintentionally circumvented, or not used to their full potential. For example, think about common advice on Stack Overflow to turn off the protection against cross-site scripting (XSS) attacks, just so you can directly bind HTML data to a variable. In this session, you will learn how to leverage AngularJS' security features to their full potential. Specifically, you will learn how AngularJS applies Strict Contextual Escaping (SCE) against XSS attacks, and how to relax that protection in a safe way (instead of turning it off). We also cover the advanced Content Security Policy (CSP). We mainly focus on AngularJS 1.x, but also relate the concepts to AngularJS 2 where relevant.

Are you botching the security of your AngularJS applications? (DevFest 2016)

Philippe De Ryck

Securing Java EE Web Apps

Frank Kim

JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud

Arun Gupta

Web Security - CSP & Web Cryptography

Samsung Open Source Group

In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.

CONFidence 2018: Defense-in-depth techniques for modern web applications and ...

PROIDEA

Its just a flesh wound

Brett Gravois

Nginx - The webserver you might actually like

Edorian

Jersey Aquarium Paris

Alexis Moussine-Pouchkine

Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014

Yosuke HASEGAWA

Memcache Injection (Hacktrick'15)

Ömer Çıtak

Defeating Cross-Site Scripting with Content Security Policy (updated)

Francois Marier

Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/

10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...

Matt Raible

Back in the days, when blocking network traffic was enough to prevent attackers from accessing corporate content, life was easy. You could be sure that your physical datacenter walls built your perimeter, so you simply needed to protect your borders. But nowadays, when we see an increasing amount of phishing, spear phishing and credential theft attacks against corporate environments, it’s no longer sufficient to only take care of network and data security.Today, it's more important than ever to protect and securely manage identities in the cloud and on-premises, and to make sure to be informed as soon as someone tries to get hold of them.

Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane

Tom Janetscheck

Techorama 2019 - Azure Security Center Unleashed

Tom Janetscheck

W3C Content Security Policy

Markus Wichmann

Od dłuższego czasu obserwujemy trend , w którym wielkie monolityczne aplikacje ustępują miejsca dziesiątkom zależnych od siebie mikroserwisów. Nie tylko architektura systemów ulega zmianie - równie dużą różnicą jest sposób w jaki „żyje” taki system IT, a może bardziej dokładnie: „jak bardzo żyje”. Wszystkie te zmiany prowadzą do tego, że sposób zapewniania bezpieczeństwa w takim ekosystemie musi być w stanie dostosowywać się z dnia na dzień. Przedstawione zostaną techniki, które mogą zostać wykorzystane w każdym łańcuchu dostarczania oprogramowania w środowisku operatora telekomunikacyjnego, które w konkretny sposób udostępnią nam informację na temat poziomu bezpieczeństwa aplikacji, która objęta jest wprowadzaną zmianą.

PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...

PROIDEA

Was ist angesagt? (20)

Preventing XSS with Content Security Policy

Content Security Policy - The application security Swiss Army Knife

Content Security Policy

Integrity protection for third-party JavaScript

Are you botching the security of your AngularJS applications? (DevFest 2016)

Securing Java EE Web Apps

JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud

Web Security - CSP & Web Cryptography

CONFidence 2018: Defense-in-depth techniques for modern web applications and ...

Its just a flesh wound

Nginx - The webserver you might actually like

Jersey Aquarium Paris

Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014

Memcache Injection (Hacktrick'15)

Defeating Cross-Site Scripting with Content Security Policy (updated)

10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...

Microsoft Ignite The Tour 2020 - BRK30173 - Identity is the new control plane

Techorama 2019 - Azure Security Center Unleashed

W3C Content Security Policy

PLNOG23 - Grzegorz Siewruk - O tym jak (nie)łatwo dodać Sec do Dev(Sec)Ops w ...

Andere mochten auch

Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...

CypSec - Siber Güvenlik Konferansı

GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ

BGA Cyber Security

Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı

CypSec - Siber Güvenlik Konferansı

Bilgisayarda Güvenlik ve Tehlikeleri

Bilal Akçay

Yazılım Güvenliği

Uğur Tılıkoğlu

Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3

BGA Cyber Security

Andere mochten auch (6)

Emre Tınaztepe - FileLocker Zararlıları (Çalışma Mantıkları ve Analiz Yönteml...

GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ

Evren Yalçın - Fatmagül Ergani - Kurumsal firmalar için hata avcılığı

Bilgisayarda Güvenlik ve Tehlikeleri

Yazılım Güvenliği

Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği

With the latest XSS and CSRF attacks on Twitter, PayPal and Facebook, security is still obviously a very difficult thing to get right. Every 3 years, the open web application security project (OWASP) releases a new Top 10 vulnerabilities, this talk will walk you through 2013s list. I'll present you the possible attack scenarios and how you can protect against them. In addition we'll look at more security issues which are not part of the Top 10, but that you should definitely keep in mind.

OWASP Top 10 at International PHP Conference 2014 in Berlin

Tobias Zander

Application Security around OWASP Top 10

Sastry Tumuluri

Whatever it takes - Fixing SQLIA and XSS in the process

guest3379bd

Connection String Parameter Pollution Attacks

Chema Alonso

Development, testing, and production environments are commonplace in today's technology stacks. These structures ensure that proper testing and quality control are performed for workbenches, scripts, and logic in the final product. Whilst some clients and environments may be able to have this tiered infrastructure managed through separate repositories on one FME Server, this is not always the case. Recently, a project has needed the setup of FME Servers across five environments. In addition, the Azure virtual machines that FME Server are installed on need to be able to be re-imaged through scripts as part of the client's disaster recovery policies. Therefore, the solution to this problem was to write an installation script that coupled with environment specific variables stored in Azure Key Vault, ensures a hands-off, repeatable process to deploy FME Server to a new machine. This script not only ran the FME Server installer, but also configured the database, and ran through numerus post install configuration steps. Subsequently, this script has been adapted to other clients and has been instrumental in supplying rapid deployments of new FME Server versions. This has allowed us to ensure that deployments of FME Server across multiple environments is consistent with the client's requirements.

Automate Your FME Server Installs, Take a Five Minute Break

Safe Software

Nothing is as frustrated as deploying a new release of your web application to find out functionality you had doesn't work anymore. Of course you have all your unit tests in place and you run them through your CI environment, but nothing prepared you to a failing javascript error or a link that doesn't work anymore. Welcome to User Acceptance testing or UAT. Before you start putting real people in front of your application, create macros and export them as PHPUnit test classes. Then run them in an automated way just like your unit tests and hook them into your CI. In this talk I will show you how easy it is to create Selenium macros that can be converted into PHPUnit scripts and run automatically on different virtual machines (VM's) so you can test all different browsers on a diversity of operating systems.

UA Testing with Selenium and PHPUnit - ZendCon 2013

Michelangelo van Dam

SOA with C, C++, PHP and more

WSO2

Slides from a presentation that David Lopez (@lopezator) and me made for the students of the University of the Basque Country (UPV/EHU) where we talk about current technologies and methodologies used in professional web development. CSS3, jQuery, Composer, MVC, Clean Code, Git, etc. are different items we talked about. Some examples shown in the presentation available at: http://ojoven.es/labs/ehu2014/

Charla EHU Noviembre 2014 - Desarrollo Web

Mikel Torres Ugarte

DevSecOps: Let's Write Security Unit Tests

Puma Security, LLC

Security in practice with Java EE 6 and GlassFish

Markus Eisele

The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities. One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems. I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.

Applications secure by default

Slawomir Jasek

Applications secure by default

SecuRing

UA testing with Selenium and PHPUnit - PFCongres 2013

Michelangelo van Dam

With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.

My app is secure... I think

Wim Godden

Slides from talks at DunDDD and NDCLondon. News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way. There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented. That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues. You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.

Is your mobile app as secure as you think?

Matt Lacey

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Fedir RYKHTIK

Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.

Cross Site Scripting (XSS) Defense with Java

Jim Manico

Attacking HTML5

AppSec_Labs

Java EE 6 Security in practice with GlassFish

Markus Eisele

Slides for the #JavaOne Session ID: CON11881

Masoud Kalali

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği (20)

OWASP Top 10 at International PHP Conference 2014 in Berlin

Application Security around OWASP Top 10

Whatever it takes - Fixing SQLIA and XSS in the process

Connection String Parameter Pollution Attacks

Automate Your FME Server Installs, Take a Five Minute Break

UA Testing with Selenium and PHPUnit - ZendCon 2013

SOA with C, C++, PHP and more

Charla EHU Noviembre 2014 - Desarrollo Web

DevSecOps: Let's Write Security Unit Tests

Security in practice with Java EE 6 and GlassFish

Applications secure by default

UA testing with Selenium and PHPUnit - PFCongres 2013

My app is secure... I think

Is your mobile app as secure as you think?

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Cross Site Scripting (XSS) Defense with Java

Attacking HTML5

Java EE 6 Security in practice with GlassFish

Slides for the #JavaOne Session ID: CON11881

Mehr von CypSec - Siber Güvenlik Konferansı

Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Stratejilerinin Oluşumu Geçtiğimiz on yıl içerisinde siber güvenliğin hızlı bir şekilde ülkelerin milli güvenlik politikalarının önemli bir unsuru haline gelmiştir. 2003 yılında ABD ilk kez ulusal siber güvenlik stratejisini yayınlayan ülke olmuştur. 35 farklı ülke de ABD’yi izleyerek siber güvenlik strateji dökümanı hazırlamış ve yayınlamışlardır. Askeri siber operasyonlar, siber suçlarla mücadele, siber casusluk, kritik alt yapı güvenliği, siber diplomasi ve İnternet yönetişimi stratejik siber güvenliğin çeşitli alanları olarak değerlendirilmiştir. Hazırlanan sunumda Hollanda, İngiltere, ABD ve Türkiye’nin siber güvenlik stratejileri incelenerek, her bir ülkenin stratejisini hangi alan üzerine inşa ettiği incelenmiştir.

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...

CypSec - Siber Güvenlik Konferansı

Elektrik kesintisinden kredi kartı hırsızlığına, filmlerden dizilere; siber güvenlik başlığı haberler ve magazin gündeminde baş köşelere yerleşmeye başladı. Peki kurumlar ve devlet yönetimleri hangi alanlara odaklanmalı? Ya da bu başlığın tam adı ne olmalı ve kavram karmaşasına nasıl yaklaşmalıyız? Information Security Forum raporları ile son yıllarda Türkiye ve Dünya'daki kurumların gündeminde en ön sıralarda yer alan başlıklardan yola çıkarak hazırlanan bu sunumda, önümüzdeki yıllarda sadece siber güvenlik camiasının değil, kurum ve devlet yönetimlerinin de odaklanması gereken alanlara ışık tutulmaya çalışılacak.

Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?

CypSec - Siber Güvenlik Konferansı

Uluslararası siber savaşlarda kullanılacak en önemli bileşenlerden biri de son kullanıcıların internet bağlantıları için kullandıkları soho modemlerdir. Bu sistemler genellikle aynı özellikleri taşıdığından tespit edilecek bir açıklık tüm ülkeyi etkileyecektir. Sunum süresince böyle bir kitle saldırısının nasıl gerçekleştirileceği, ev kullanıcılarının modemlerini hedef alan bir ar-ge çalışmasının adımları ve sonuçları üzerinden ele alınacaktır. Çalışmanın içeriğindeki ana başlıklar, belli özelliklerdeki hedeflerin belirlenmesi, etkili bir zafiyetin bulunması, gömülü sistemler (MIPS) gibi farklı zorlukları olan platformlar için istismar kodunun yazılması, toplu istismarı gerçekleştirecek betiklerin yazılması, büyük ölçekli taramalar için performans optimizasyonlarının yapılması olarak sayılabilir.

Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları

CypSec - Siber Güvenlik Konferansı

İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...

CypSec - Siber Güvenlik Konferansı

Yrd. Doç. Dr. Yavuz Erdoğan

CypSec - Siber Güvenlik Konferansı

2014 yılı sistem yöneticileri için kabus, hackerlar için rüya gibi bir yıldı. Geçtiğimiz yıl, Heartbleed, Shellshock, Sandworm, Schannel, POODLE, Drupal SQL enjeksiyonu gibi sıfır-gün ataklarının yanı sıra Dragonfly, Regin, Turla gibi devletlerin sponsor olduğu zararlı yazılım ataklarının adından söz ettirdiği ve Sony, HomeDepot ve Domino's Pizza gibi dev şirketlerin, hatta iCloud üzerinden ünlülerin hacklendiği bir yıl oldu.2014'te 15.000 civarında güvenlik açığı ortaya çıktı, fakat bunlardan sadece %5'inin sömürü kodu var. Peki, bu kadar az istismar kodu varken hackerlar nasıl bu kadar başarılı oluyor? IT departmanlarının korkulu rüyası herkese açık herkese açık istismar kodlarıyla yapılan saldırılar mı, sıfır-gün atakları mı, yoksa zararlı yazılım saldırıları mı? Bu saldırılardan nasıl korunabiliriz? Bütün bu soruların cevaplarını bu sunumda bulacaksınız.

Suleyman Özarslan - 2014 Hackerların Yükselişi

CypSec - Siber Güvenlik Konferansı

Mass surveillance, dinlenmeler, yasadışı yetkisiz erişimler gibi konularla çalkalandığımız bu dönemde mahremiyet ve güvenlik giderek insanların dikkat etmeye çalıştığı bir konu haline geldi. Bu sunumda, Internet ve sosyal medya'nın dogğurdugu mahremiyet ihlalleri ve özel olarak geliştirdiğimiz sosyal medya aracılığı ile istihbarat ve mahremiyet ihlali yöntemleri açıklanacaktır. Artık "geçen yaz ne yaptığınız"dan daha fazlasını, sabah ilk kahvenizi kiminle içtiğinizden, favori mekanlarınıza ve günlük rutinlerinize kadar tüm mahremiyetiniz ifşa oluyor.

Canberk Bolat & Barış Vidin - İzleniyorsunuz

CypSec - Siber Güvenlik Konferansı

Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...

CypSec - Siber Güvenlik Konferansı

Can Deger - Ben Heykır Olcam

CypSec - Siber Güvenlik Konferansı

Canberk Bolat - Alice Android Diyarında

CypSec - Siber Güvenlik Konferansı

Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)

CypSec - Siber Güvenlik Konferansı

Mehr von CypSec - Siber Güvenlik Konferansı (11)

Minhaç Çelik - Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Strate...

Adil Burak Sadıç - Siber Güvenlik mi, Bilgi Güvenliği mi, BT Güvenliği mi?

Onur Alanbel & Ozan Uçar - Ulusal Siber Güvenlikte Kitle Saldırıları

İsmail Burak Tuğrul - Online Bankacılık Uygulamalarında Karlılaşılan Güvenlik...

Yrd. Doç. Dr. Yavuz Erdoğan

Suleyman Özarslan - 2014 Hackerların Yükselişi

Canberk Bolat & Barış Vidin - İzleniyorsunuz

Huzeyfe Önal - SSL, DPI Kavramları Eşliğinde Internet Trafiği İzleme ve Karşı...

Can Deger - Ben Heykır Olcam

Canberk Bolat - Alice Android Diyarında

Can Yıldızlı - Koryak Uzan - Fiziksel Sızma Testi (İntelRad)

Kürzlich hochgeladen

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

DBX First Quarter 2024 Investor Presentation

Dropbox

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

MINDCTI Revenue Release Quarter One 2024

MIND CTI

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Kürzlich hochgeladen (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus

DBX First Quarter 2024 Investor Presentation

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

presentation ICT roal in 21st century education

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Axa Assurance Maroc - Insurer Innovation Award 2024

Exploring the Future Potential of AI-Enabled Smartphone Processors

Powerful Google developer tools for immediate impact! (2023-24 C)

MS Copilot expands with MS Graph connectors

Strategies for Landing an Oracle DBA Job as a Fresher

FWD Group - Insurer Innovation Award 2024

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

MINDCTI Revenue Release Quarter One 2024

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

AWS Community Day CPH - Three problems of Terraform

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

GenAI Risks & Security Meetup 01052024.pdf

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

1. 10 Adımda Yazılım Güvenliği OWASP-Turkey Bünyamin Demir

2. Bünyamin Demir ( @bunyamindemir ) – Lisans Kocaeli Üni. Matematik Bölümü – Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı Güvenliği – Uygulama Geliştirici – OWASP Türkiye Bölüm Lideri – Sızma Testleri Uzmanı • Web, Mobil, Network, SCADA, Wireless, Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi • Kaynak kod analizi – Eğitmen • Web/Mobil Uygulama Güvenlik Denetimi • Güvenli Kod Geliştirme • Veritabanı Güvenliği 2

3. 3 OWASP

4. 4 Why is OWASP Special?

5. • OWASP Top 10 • OWASP Zed Attack Proxy (ZAP) • OpenSAMM • Cheat Sheets • ESAPI • ASVS • Testing Guide • Development Guide 5 OWASP Projects

6. 6 Application Security Verification Standart

7. 1 - Girdi Denetimi 7 public boolean validateUsername(String username) { String usernamePattern = "^[a-zA-Z0-9]{6,12}$"; if (username == null) { return false; } Pattern p = Pattern.compile(usernamePattern); Matcher m = p.matcher(username); if (!m.matches()) { return false; } return true; } if (!validateUsername(username)) { //uygun olmayan kullanıcı adı }

8. ESAPI ile Girdi Denetimi 8 Validator.Username=^[a-zA-Z0-9]{6,12}$ String username = request.getParameter("username"); boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username", 12, false); if (!booluser) { // uygun olmayan kullanıcı adı }

9. 2-Sanitization 9 String safeMarkup = ESAPI.validator().getValidSafeHTML( "Rich Text", richTextInput, 2500, true ); <% String address = "Sumbul mah.,<script>alert(1);</script> kartal sk., manolya sitesi, bahar apart., D/Blok, No:5"; String safeAddressText = ESAPI.validator().getValidSafeHTML("Address Text", address, 200, true); %> <div><%= safeAddressText %></div> <div>Sumbul mah., kartal sk., manolya sitesi, bahar apart., D/Blok, No:5</div>

10. 3 – HttpOnly Cookie 10 Set-cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y72VTv2y4Jyr5zTbV1h1Mc7Lmf4fMg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly

11. 4 – Secure Cookie 11 Set-Cookie: JSESSIONID=p9JtQGHSrTQTzfK8912y7Mg1ly; Domain=www.site.com; Path=/; Secure; HttpOnly

12. 5 – Oturum Anahtarı 12 ESAPI.httpUtilities().changeSessionIdentifier(); Users user = new LoginDAO().login(username, password); if (user.isAuthenticated()) { currentSession = request.getSession(true); currentSession.invalidate(); HttpSession newSession = request.getSession(true); } else { request.setAttribute("loginerr", "username or password is invalid"); request.getRequestDispatcher("login.jsp").forward(request, response); }

13. 6 – Güvenli Chaptcha 13

14. 7 – getCanonicalPath() 14 getCanonicalPath() http://www.site.com/getFile.jsp=file=/../../../../etc/passwd getCanonicalPath(/www/data/site_com/files/../../../../etc/passwd) /etc/passwd != /www/data/site_com/files/

15. 8 – HTTPS 15 Kimlik doğrulama işlevi barındıran uygulamaların güvenli kanallar ile iletişim sağlıyor olması gerekir.

16. 9 – Form Token 16 <form name="comment" action="product_comment.jsp?pid=53" method="POST"> Comment: <input type="text" name="comment"/> <input type="submit" value="Submit"/> <input type="hidden" name="CSRFToken” value="30Dfd45645Ddssdf4567fdfdgAA..."> </form>

17. 10 – Prepared Statement 17 ... String className = request.getParameter("class"); String query = "SELECT * FROM students WHERE class = '" + className + "'"; ResultSet rs = stmt.execute(query); ... ... String className = request.getParameter("class"); PreparedStatement psmt = conn.prepareStatement("SELECT * FROM students WHERE class=?"); psmt.setString(1, className); ResultSet rs = psmt.executeQuery(); ...

18. 18

Hinweis der Redaktion

Why is OWASP Special? Over 43,000 community members worldwide, in over 100 countries Rapid growth over the 12+ years since OWASP’s inception. Demonstrative of our growth as an organization is our revenue which is comes primarily from global conferences such as this as well as memberships. In the last year our revenue grew from just under a million dollars in 2012 to an estimated 1.8 million for the current year. Different from other organizations and conferences because The community Incubator for Ideas and OWASP Projects – Open Source Documentation, Tools, Code Libraries

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği

Ähnlich wie Bünyamin Demir - 10 Adımda Yazılım Güvenliği (20)

Mehr von CypSec - Siber Güvenlik Konferansı

Mehr von CypSec - Siber Güvenlik Konferansı (11)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Bünyamin Demir - 10 Adımda Yazılım Güvenliği

Hinweis der Redaktion