Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

DevSecCon Singapore 2019: Web Services aren’t as secure as we think

6. Mär 2019
3 gefällt mir 862 Aufrufe
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Nächste SlideShare
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
Wird geladen in …3
×

Hier ansehen

A Starters Guide to Building APIs with Javascript
All Things Open
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
Apigee | Google Cloud
Building APIs with Apigee Edge and Microsoft Azure
Apigee | Google Cloud
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays
Building an API Security Strategy
SmartBear
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Daniel Zivkovic
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon
Big Apps, Big Data, and Why "Connected Things" are not the IoT
Apigee | Google Cloud
1 von 24 Anzeige

DevSecCon Singapore 2019: Web Services aren’t as secure as we think

6. Mär 2019
3 gefällt mir 862 Aufrufe

Herunterladen, um offline zu lesen

Technologie

Tilak T

Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.

Tilak T

Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.

Technologie
Anzeige

Empfohlen

DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon
2.2k Aufrufe
44 Folien
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon
467 Aufrufe
39 Folien
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon
408 Aufrufe
21 Folien
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon
243 Aufrufe
31 Folien
App & API Monitoring: Building a 5-Star Reputation for your Apps
Apigee | Google Cloud
6.1k Aufrufe
26 Folien
I Love APIs 2015: Apigee and Node.js Building Mock Backends Fast
Apigee | Google Cloud
1.2k Aufrufe
22 Folien
apidays LIVE India - The link between technical documentation and developer e...
apidays
920 Aufrufe
13 Folien
apidays LIVE Paris 2021 - API design is where culture and tech meet each othe...
apidays
85 Aufrufe
37 Folien
Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (20)

A Starters Guide to Building APIs with Javascript
All Things Open
408 Aufrufe
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
Apigee | Google Cloud
1.8k Aufrufe
Building APIs with Apigee Edge and Microsoft Azure
Apigee | Google Cloud
13.1k Aufrufe
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays
154 Aufrufe
Building an API Security Strategy
SmartBear
941 Aufrufe
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Daniel Zivkovic
300 Aufrufe
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon
249 Aufrufe
Big Apps, Big Data, and Why "Connected Things" are not the IoT
Apigee | Google Cloud
5.3k Aufrufe
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon
198 Aufrufe
Executing on API Developer Experience
SmartBear
1.4k Aufrufe
apidays LIVE Paris 2021 - Automating API Documentation by Ajinkya Marudwar, G...
apidays
150 Aufrufe
Java 8 - Gateway Drug or End of Line?
Garth Gilmour
232 Aufrufe
Apigee Edge Product Demo
Apigee | Google Cloud
8.6k Aufrufe
Developer Services: Making Developers Successful
Apigee | Google Cloud
1.3k Aufrufe
Monitoring Solutions for APIs
Apigee | Google Cloud
815 Aufrufe
Welcome Note by Abhinav Asthana, CEO at Postman
Postman
12.3k Aufrufe
Pain Points In API Development? They’re Everywhere
Nordic APIs
845 Aufrufe
API Design Workflows
Jakub Nesetril
3.5k Aufrufe
A Checklist for Every API Call
Apigee | Google Cloud
4.5k Aufrufe
Unlocking Value From the Internet of Things (IoT) with APIs
Apigee | Google Cloud
1k Aufrufe
A Starters Guide to Building APIs with Javascript
All Things Open
408 Aufrufe
38 Folien
I Love APIs 2015: Implementing an API Tier to Enable a New Mobile Platform
Apigee | Google Cloud
1.8k Aufrufe
33 Folien
Building APIs with Apigee Edge and Microsoft Azure
Apigee | Google Cloud
13.1k Aufrufe
17 Folien
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays
154 Aufrufe
20 Folien
Building an API Security Strategy
SmartBear
941 Aufrufe
19 Folien
Doing more with Static Sites + Transcription and Sentiment Analysis Pipeline ...
Daniel Zivkovic
300 Aufrufe
44 Folien

Ähnlich wie DevSecCon Singapore 2019: Web Services aren’t as secure as we think (20)

DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon
927 Aufrufe
Building analytics with event grid
Teemu Tapanila
64 Aufrufe
Know What You Don’t Know - ModusBox Presents the Metrics Dashboard
MuleSoft
396 Aufrufe
Microservices
PT.JUG
2.9k Aufrufe
Presentation1
Vayodya Tamari
190 Aufrufe
Profile of Sastry
Rama Sastry
138 Aufrufe
LJC 2015 "The Crafty Consultants Guide to DevOps"
Daniel Bryant
8.9k Aufrufe
Simple steps and tips to improve IT infrastructure operations #yapcasia #yapc...
Yuichiro Saito
14.1k Aufrufe
(iBeacons) for Recruitment Events (University of Bradford)
Claire Gibbons
836 Aufrufe
Using Learning Data to Predict and Alter Business Outcomes 
Training Industry Conference & Expo
89 Aufrufe
CV@rajat Sujanian
Rajat Kant
153 Aufrufe
Pune meetup 16 feb 2019
Santosh Ojha
473 Aufrufe
WeiYapResume
Chong Wei Yap
412 Aufrufe
BrightEdge Share15 - CM202: Content Marketing Models: Content Mix - Kent Yunk
BrightEdge Technologies
172 Aufrufe
Better delivery with DevOps Driven Development
Jirayut Nimsaeng
1.6k Aufrufe
Cross Platform Angular 2 and TypeScript Development
Jeremy Likness
236 Aufrufe
deliver:Agile 2018 "Continuous Delivery Patterns for Modern Architectures"
Daniel Bryant
2.6k Aufrufe
Microservices - Scaling Development and Service
Paulo Gaspar
483 Aufrufe
Avi Network SDN meetup
Philippe Bogaerts
1k Aufrufe
Prospectus editing at the University of Bristol- an overview:TERMINALFOUR t44...
Terminalfour
1.1k Aufrufe
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon
927 Aufrufe
31 Folien
Building analytics with event grid
Teemu Tapanila
64 Aufrufe
28 Folien
Know What You Don’t Know - ModusBox Presents the Metrics Dashboard
MuleSoft
396 Aufrufe
14 Folien
Microservices
PT.JUG
2.9k Aufrufe
59 Folien
Presentation1
Vayodya Tamari
190 Aufrufe
24 Folien
Profile of Sastry
Rama Sastry
138 Aufrufe
4 Folien
Anzeige

Weitere von DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon
835 Aufrufe
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon
227 Aufrufe
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon
238 Aufrufe
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
165 Aufrufe
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon
266 Aufrufe
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon
600 Aufrufe
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon
1.9k Aufrufe
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon
312 Aufrufe
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon
510 Aufrufe
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon
418 Aufrufe
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
251 Aufrufe
DevSecCon London 2018: Open DevSecOps
DevSecCon
391 Aufrufe
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon
201 Aufrufe
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon
434 Aufrufe
DevSecCon London 2018: Lessons from the legion (the DevSecCon London Remix)
DevSecCon
286 Aufrufe
DevSecCon London 2018: Security in the serverless world
DevSecCon
298 Aufrufe
DevSecCon London 2018: Enabling shift-left for 12k banking developers from sc...
DevSecCon
408 Aufrufe
DevSecCon London 2018: Whatever happened to attack aware applications?
DevSecCon
191 Aufrufe
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
DevSecCon
250 Aufrufe
DevSecCon London 2018: Securing a web app: business security VS the OWASP top 10
DevSecCon
162 Aufrufe
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon
835 Aufrufe
30 Folien
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon
227 Aufrufe
50 Folien
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon
238 Aufrufe
39 Folien
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
165 Aufrufe
57 Folien
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon
266 Aufrufe
15 Folien
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon
600 Aufrufe
88 Folien

Aktuellste (20)

MS Word 5.pptx
rubben7
0 Aufrufe
Proposal.pptx
SomaiaOsama1
0 Aufrufe
HAPTIC TECHNOLOGY .pptx
NibinJohn2
0 Aufrufe
Lesson 1- Get Started With Your First Computer 1.pptx
rubben7
0 Aufrufe
prace_days_ml_2019.pptx
ssuserf583ac
0 Aufrufe
big-data-notes1.ppt
SutanuGhosal1
0 Aufrufe
contourlines-161212065738.pdf
shucaybcabdi
0 Aufrufe
Maps-and-map-interpretation.docx
shucaybcabdi
0 Aufrufe
Cloud Native Ninja - PT3 - Containerize DOTNET apps.pdf
Nilesh Gule
0 Aufrufe
1605005768-topograph (1).pdf
shucaybcabdi
0 Aufrufe
MS Word 6.pptx
rubben7
0 Aufrufe
SOLAR SYSTEM Grid Types.pptx
Ehsan ul Haq
0 Aufrufe
Lesson 2 Information Systems.pptx
rubben7
0 Aufrufe
OS_Ch05.pdf
ismailsaleh63
0 Aufrufe
Lesson 24- Excel Lesson 9.pptx
rubben7
0 Aufrufe
Hacking Presentation.pptx
Midhun
0 Aufrufe
SOLAR GRID SYSTEM.pdf
Ehsan ul Haq
0 Aufrufe
react-hooks.pdf
chengbo xu
0 Aufrufe
Solutions Architect's Handbook 2nd Edition - Book Review
Ashraf Fouad
0 Aufrufe
UC13.Chapter.01.ppsx
umair960210
0 Aufrufe
MS Word 5.pptx
rubben7
0 Aufrufe
16 Folien
Proposal.pptx
SomaiaOsama1
0 Aufrufe
5 Folien
HAPTIC TECHNOLOGY .pptx
NibinJohn2
0 Aufrufe
18 Folien
Lesson 1- Get Started With Your First Computer 1.pptx
rubben7
0 Aufrufe
14 Folien
prace_days_ml_2019.pptx
ssuserf583ac
0 Aufrufe
32 Folien
big-data-notes1.ppt
SutanuGhosal1
0 Aufrufe
22 Folien
Anzeige

DevSecCon Singapore 2019: Web Services aren’t as secure as we think

  1. 1. Singapore | 28 Feb - 01 Mar 2019 Web Services aren’t as secure as we think Tilak.T
  2. 2. Singapore | 28 Feb - 01 Mar 2019 Yours truly • Senior Solutions Engineer at we45 • Full Stack Developer • Developer of Open-Source • Trainer and Speaker • PSF Member • Part of multiple CTF @ti1akt
  3. 3. Singapore | 28 Feb - 01 Mar 2019 Outline • Why security is important • Unique Vulnerabilities • Demo ! • DevSecOps Pipeline @ti1akt
  4. 4. Singapore | 28 Feb - 01 Mar 2019 Why web services aren't secure @ti1akt
  5. 5. Singapore | 28 Feb - 01 Mar 2019 Ref: https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/ @ti1akt
  6. 6. Singapore | 28 Feb - 01 Mar 2019 Unique Vulnerabilities • JWT Manipulation • Insecure Deserialization • Insecure Direct Object Reference • Etc … @ti1akt
  7. 7. Singapore | 28 Feb - 01 Mar 2019
  8. 8. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  9. 9. Singapore | 28 Feb - 01 Mar 2019 JWT Manipulation OWASP-2017 A5 Broken Access Control @ti1akt
  10. 10. Singapore | 28 Feb - 01 Mar 2019 Why JWT • Stateless Application • Authorization Mechanism • Transfers information between server and client • Scalable and decoupled @ti1akt
  11. 11. Singapore | 28 Feb - 01 Mar 2019 JSON Web Token(JWT) • The process is relatively simple (typically): • Once a user authenticates, the server generates some JSON payload (with some info) and signs the JSON payload with a key • This can be a HMAC Based Key (HS256) or a Asymmetric System (RS256) • The token is sent by the client (like a session cookie) • The server attempts to verify the token based on the signature and allows/disallows the user to perform actions @ti1akt
  12. 12. Singapore | 28 Feb - 01 Mar 2019 Lots of ways to get JWT wrong • Modify the algorithm to `none` • Leakage of sensitive information • Algorithm Confusion • Cracking Secret Keys @ti1akt
  13. 13. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  14. 14. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  15. 15. Singapore | 28 Feb - 01 Mar 2019 Insecure Deserialization OWASP-2017 A5 Broken Access Control @ti1akt
  16. 16. Singapore | 28 Feb - 01 Mar 2019
  17. 17. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  18. 18. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  19. 19. Singapore | 28 Feb - 01 Mar 2019
  20. 20. Singapore | 28 Feb - 01 Mar 2019 Basic Pipeline Demo @ti1akt
  21. 21. Singapore | 28 Feb - 01 Mar 2019 SecDevOps Jenkins pipeline @ti1akt
  22. 22. Singapore | 28 Feb - 01 Mar 2019 @ti1akt
  23. 23. Singapore | 28 Feb - 01 Mar 2019 Abhay Bhargav Rahul Raghavan Sandeep Patil Sharath Kumar Nithin Jois
  24. 24. Singapore | 28 Feb - 01 Mar 2019 Thank You https://github.com/we45/DevSecCon2019 @ti1akt

×