The document provides an overview of 10 steps for software security according to OWASP-Turkey. It introduces the author Bünyamin Demir and his background and experience in application security. It then discusses key aspects of OWASP and provides code examples for implementing input validation, sanitization, secure cookies, session management, CAPTCHA, path canonicalization, HTTPS, CSRF tokens, and prepared statements.
2. Bünyamin Demir ( @bunyamindemir )
– Lisans Kocaeli Üni. Matematik Bölümü
– Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı
Güvenliği
– Uygulama Geliştirici
– OWASP Türkiye Bölüm Lideri
– Sızma Testleri Uzmanı
• Web, Mobil, Network, SCADA, Wireless,
Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi
• Kaynak kod analizi
– Eğitmen
• Web/Mobil Uygulama Güvenlik Denetimi
• Güvenli Kod Geliştirme
• Veritabanı Güvenliği
2
7. 1 - Girdi Denetimi
7
public boolean validateUsername(String username) {
String usernamePattern = "^[a-zA-Z0-9]{6,12}$";
if (username == null) {
return false;
}
Pattern p = Pattern.compile(usernamePattern);
Matcher m = p.matcher(username);
if (!m.matches()) {
return false;
}
return true;
}
if (!validateUsername(username)) {
//uygun olmayan kullanıcı adı
}
8. ESAPI ile Girdi Denetimi
8
Validator.Username=^[a-zA-Z0-9]{6,12}$
String username = request.getParameter("username");
boolean booluser = ESAPI.validator().isValidInput("User name", username, "Username",
12, false);
if (!booluser) {
// uygun olmayan kullanıcı adı
}
Why is OWASP Special?
Over 43,000 community members worldwide, in over 100 countries
Rapid growth over the 12+ years since OWASP’s inception. Demonstrative of our growth as an organization is our revenue which is comes primarily from global conferences such as this as well as memberships. In the last year our revenue grew from just under a million dollars in 2012 to an estimated 1.8 million for the current year.
Different from other organizations and conferences because
The community
Incubator for Ideas and OWASP Projects – Open Source Documentation, Tools, Code Libraries