SlideShare ist ein Scribd-Unternehmen logo

Webinar–OWASP Top 10 for JavaScript for Developers

Synopsys Software Integrity Group
Synopsys Software Integrity Group

During a recent webinar, Lewis Ardern, senior security consultant presented "OWASP Top 10 for JavaScript Developers." 19_10_EMEA_WB_Owasp Top 10 for Java Script Developers With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities. For more information, please visit our website at www.synopsys.com/standards

Software
1 von 53
© 2019 Synopsys, Inc.1 OWASP Top 10 for JavaScript Developers Lewis Ardern Senior Security Consultant, Synopsys https://twitter.com/LewisArdern
© 2019 Synopsys, Inc.2 About me • Sr. Security Consultant @ Synopsys Software Integrity Group (SIG) o Formerly Cigital • AngularSF organizer o https://www.meetup.com/Angular-SF/ • B.Sc. in computer security and ethical hacking o Founder of http://leedshackingsociety.co.uk/ • JavaScript enthusiast!
© 2019 Synopsys, Inc.3 What is the OWASP Top 10? • 10 critical web application security risks • Common flaws and weaknesses • Present in nearly all applications Modern, evidence-based risks (data covers 2014–2017) • 114,000 apps • 9,000 bug bounties • 40 security consultancies and 1 bug bounty firm • 50+ CWEs accepted in raw data Community-chosen risks • 500 survey responses
© 2019 Synopsys, Inc.4 A1:2017 Injection The dangers of mixing data and code
© 2019 Synopsys, Inc.5 NoSQL injection • No SQL injection != No injection in NoSQL • Official documentation says “no SQL injection” • Vulnerable if: o User input includes a Mongo query selector: $ne, $lt, $gt, $eq, $regex, etc. o User input is directly included into a collection method as part of the query: find, findOne, findOneAndUpdate, etc. https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection https://docs.mongodb.com/manual/reference/operator/query/ https://docs.mongodb.com/manual/reference/method/
© 2019 Synopsys, Inc.6 Vulnerable MongoDB log-in example Injection: https://url.to/login?user=admin&pass[$ne]= Query output:
© 2019 Synopsys, Inc.7 Demo MongoDB injection
© 2019 Synopsys, Inc.8 MongoDB injection prevention • Ensure user input is a String inside a collection method https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String • Perform custom data validation https://github.com/hapijs/joi
© 2019 Synopsys, Inc.9
© 2019 Synopsys, Inc.11 Injection prevention • Parameterized mechanisms https://github.com/tediousjs/node-mssql#input-name-type-value https://github.com/mysqljs/mysql#escaping-query-identifiers • Secure APIs https://github.com/tediousjs/node-mssql#prepared-statements • Perform input validation & output encoding https://dev.to/azure/pushing-left-like-a-boss-part-5-1-input-validation-output-encoding-and-parameterized-queries- 2749
© 2019 Synopsys, Inc.12 A2:2017 Broken Authentication Broken authentication and session management
© 2019 Synopsys, Inc.19 Insecure object comparison What happens if you create your own authentication middleware?
© 2019 Synopsys, Inc.20 Comparison table Value Return SESSIONS[ 'invalidString' ] False SESSIONS[ '' ] False SESSIONS[ 'constructor' ] True SESSIONS[ 'hasOwnProperty' ] True
© 2019 Synopsys, Inc.21 What happens when you create an object in JavaScript?
© 2019 Synopsys, Inc.22 Exploit This issue is trivial to exploit. • Using cURL we can simply run the following command: curl https://localhost:9000 -H "Cookie: token=constructor" • Alternatively, you can just set the document.cookie value via the browser
© 2019 Synopsys, Inc.23 Demo Insecure object comparison
© 2019 Synopsys, Inc.24 How do we correctly check? Use crypto.timingSafeEqual (a, b) • https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b • It provides a safe comparison and prevents timing attacks Object.hasOwnProperty or Map.has do not check base properties • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map/has
© 2019 Synopsys, Inc.25 A3:2017 Sensitive Data Exposure
© 2019 Synopsys, Inc.26 RESTful API data leakage
© 2019 Synopsys, Inc.27 Do not include verbose error messages in JSON • Verbose error messages lead to system information disclosure • Although the client-side application displays a generic error message, the JSON response might still contain full error messages • Malicious users may use a web proxy to read the stack trace output in JSON Caution: Detailed system information might not seem that significant at first sight. However, it can inform attackers on the internals of the system or infrastructure, and help them drive further attacks.
© 2019 Synopsys, Inc.28 Disclosing information via error messages in JSON This code shows an SQL error message passed in JSON and the JavaScript code used to mask it. JavaScript code to handle the error:
© 2019 Synopsys, Inc.29 A4:2017 XML External Entities (XXE)
© 2019 Synopsys, Inc.30 XML external entities (XXE) injection node-expat • 48,353 weekly downloads • Vulnerable by default • No way to configure parser to disable DTD https://help.semmle.com/wiki/display/JS/XML +internal+entity+expansion
© 2019 Synopsys, Inc.31 XML external entities (XXE) injection libxmljs • 47,876 weekly downloads • Vulnerable if noent is set to true https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
© 2019 Synopsys, Inc.32 XML external entities (XXE) vulnerable example Libxmljs can be vulnerable to XXE https://github.com/appsecco/dvna/blob/69f46843c05613d707fa5d036e350cca37deeb19/core/appHandler.js#L235
© 2019 Synopsys, Inc.33 XML injection prevention • Consider using a library that does not process DTDs. https://github.com/isaacs/sax-js • Use libraries with safe defaults, such as libxmljs (apart from its sax parser). https://github.com/libxmljs/libxmljs • If entities such as & or > need to be expanded, use lodash, underscore, or he. https://lodash.com/docs/4.17.11#unescape https://underscorejs.org/#unescape https://github.com/mathiasbynens/he • Alternatively, strict input validation/output encoding must be performed before parsing.
© 2019 Synopsys, Inc.34 A5:2017 Broken Access Control
© 2019 Synopsys, Inc.35 Do not rely on client-side controls • Client-side routing and authorization should only be implemented for user experience • Authentication and authorization controls implemented client-side can be bypassed • All authorization, authentication, and business logic controls must be enforced server-side: o npm packages: https://github.com/casbin/node-casbin o Frameworks: https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions o Writing custom middleware:
© 2019 Synopsys, Inc.36 Angular example Angular route guards are for Boolean display aesthetics https://angular.io/guide/router#milestone-5-route- guards https://nvisium.com/blog/2019/01/17/angular-for- pentesters-part-2.html
© 2019 Synopsys, Inc.37 A6:2017 Security Misconfiguration
© 2019 Synopsys, Inc.38 Ensure Node is not running in development mode NodeJS applications run in development mode by default. • NodeJS and most frameworks that run on it return verbose errors if left in development mode: • When deploying to production, set the NODE_ENV variable to a value other than development to avoid verbose errors: https://expressjs.com/en/advanced/best-practice-performance.html
© 2019 Synopsys, Inc.39 Ensure Node is not running with sudo privileges A Node.js application running with sudo privileges has a greater chance of modifying the underlying server system through malicious code execution. • On Linux systems, sudo is required to bind to ports under 1000 (e.g., 80) • If sudo is required, after the port has been bound, change the privileges to a less privileged user and group: https://nodejs.org/api/process.html
© 2019 Synopsys, Inc.40 A7:2017 Cross-Site Scripting (XSS)
© 2019 Synopsys, Inc.41 XSS is easy to introduce Script execution: http://www.vulnerable.site#userName=<img src=x onerror='alert(document.domain)'>
© 2019 Synopsys, Inc.42 XSS prevention is HARD • DOM XSS is hard to prevent in today’s developer ecosystem https://hackerone.com/reports/158853 https://hackerone.com/reports/405191 https://hackerone.com/reports/164821 • Each browser parses and renders HTML differently https://www.youtube.com/watch?v=lG7U3fuNw3A http://shazzer.co.uk • Various execution contexts and character sets https://html5sec.org https://github.com/cure53/XSSChallengeWiki/wiki/Puzzle-1-on-kcal.pw http://polyglot.innerht.ml/ Script Gadgets https://github.com/google/security-research-pocs/tree/master/script-gadgets
© 2019 Synopsys, Inc.43 Frameworks reduce the attack surface until… • Combining templating engines, third-party libraries, and frameworks https://jsfiddle.net/015jxu8s/ • Disabling security controls https://docs.angularjs.org/api/ng/provider/$sceProvider • Using insecure APIs trustAs, v-html, bypassSecurityTrust, or dangerouslySetInnerHTML • Allowing JavaScript URIs in <a href=""></a> https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412 • Direct access to the DOM https://angular.io/api/core/ElementRef • Server-side rendering https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications- 2bdffbcc1fa0 • Caching mechanisms such as $templateCache https://docs.angularjs.org/guide/security Note: This is not an exhaustive list.
© 2019 Synopsys, Inc.44 Signal creates a lot of noise
© 2019 Synopsys, Inc.45 What went wrong? Signal developers used dangerouslySetInnerHTML for phone and desktop, leading to RCE in the desktop and cross-site scripting (XSS) in iOS/Android.
© 2019 Synopsys, Inc.46 General prevention techniques • Libraries and frameworks for automatic output encoding and sanitization: Pug, Mustache, EJS – Angular, React ,Vue – secure-filters • Sanitization for HTML, MathML, and SVG with DOMPurify https://github.com/cure53/DOMPurify • Default to safe APIs • innerText • encodeURI
© 2019 Synopsys, Inc.47 Apply defence-in-depth strategies • Create a strong Content Security Policy (CSP) https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation https://twitter.com/LewisArdern/status/1112926476498698240 https://csp.withgoogle.com • Experiment with Trusted Types https://developers.google.com/web/updates/2019/02/trusted-types
© 2019 Synopsys, Inc.48 A8:2017 Insecure Deserialization
© 2019 Synopsys, Inc.49 Insecure deserialization • JSON.stringify and JSON.parse is a form of deserialization • Prototype pollution https://snyk.io/blog/after-three-years-of-silence-a-new- jquery-prototype-pollution-vulnerability-emerges-once- again/ • JavaScript third-party libraries introduce insecure deserialization issues • node-serialize • serialize-to-js (fixed)
© 2019 Synopsys, Inc.50 Avoid unsafe deserialization Node.js applications are vulnerable to RCE (remote code execution) exploits if attacker-controlled data is deserialized via reflection. • Avoid passing untrusted data to deserialization functions • Apply security patches for software that contains known deserialization vulnerabilities • Encrypt or hash serialized objects • Prevents tampering, but not replay • Check the object type is as expected https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
© 2019 Synopsys, Inc.51 Eval is evil new Function, setTimeout, and setInterval also dynamically evaluate JavaScript. • The core issue behind node-serialize is the use of eval: https://github.com/luin/serialize/blob/master/lib/serialize.js#L76
© 2019 Synopsys, Inc.52 A9:2017 Using Components With Known Vulnerabilities
© 2019 Synopsys, Inc.53 Security issues with third-party components • Perform a security audit against third-party code • If you find a security issue, notify the project maintainer • https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/#open-source-security • Use automated tools to audit dependencies in your CI/CD pipeline:
© 2019 Synopsys, Inc.54 Examples of components with known vulnerabilities Lodash, CVE-2018-3721 (prototype pollution): Impact in some cases was denial of service (DoS), remote code execution (RCE), and even bypass security controls Next.js, CVE-2018-6184 (directory traversal): Allowed for arbitrary read of the file system Next.js, CVE-2018-18282 (cross-site scripting, XSS): Allowed for XSS on the /_error page Auth0.js, CVE-2018-6873 (privilege escalation): Did not validate JWT audience, which allowed for privilege escalation Kibana, CVE-2018-17246 (arbitrary command injection): Allowed for arbitrary command execution in the console plugin
© 2019 Synopsys, Inc.55 Mitigation techniques Track use of outdated third-party components and update where necessary • Maintain a technology assets inventory to track components and dependencies https://medium.com/uber-security-privacy/code-provenance-application-security-77ebfa4b6bc5 https://yarnpkg.com/lang/en/docs/cli/why/ and https://yarnpkg.com/lang/en/docs/cli/list https://docs.npmjs.com/cli/ls.html https://bower.io/docs/api/#list • Review the inventory on a regular basis for known vulnerabilities • Track known risks and vulnerabilities in the environment • Develop a process to update, and regression test external components • Pin dependency versions where possible Reduce the risk of another event-stream affecting your organization https://docs.npmjs.com/files/shrinkwrap.json and https://yarnpkg.com/lang/en/docs/yarn-lock
© 2019 Synopsys, Inc.56 A10:2017 Insufficient Logging and Monitoring
© 2019 Synopsys, Inc.57 Insufficient logging and monitoring Insufficient logging and monitoring of computer systems, applications, and networks provide multiple gateways to probes and breaches that can be difficult or impossible to identify and resolve without a viable audit trail. Basic vulnerabilities include: • Unlogged events, such as failed log-in credentials • Locally stored logs without cloud backup • Misconfigurations in firewalls and routing systems • Alerts and subsequent responses that are not handled effectively • Malicious activity alerts not detected in real time Many reported breaches were only discovered years after the first intrusion happened. In the case of one famous university, a data breach from 2008 was not discovered until 2018!
© 2019 Synopsys, Inc.58 Secure logging and monitoring
© 2019 Synopsys, Inc.59 Use Winston to enable secure logging practices • Winston is a logging library that escapes data to prevent log injection: • Winston also provides various built-in security controls, such as content filters: • Resulting in the following output:
© 2019 Synopsys, Inc.60 Thank you! Email: lewis@ardern.io Website: https://ardern.io Twitter: https://twitter.com/LewisArdern GitHub: https://github.com/LewisArdern LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40

Empfohlen

Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleSynopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksSynopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesSynopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This WorksSynopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewSynopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedSynopsys Software Integrity Group
 

Empfohlen

Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleSynopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsSynopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksSynopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesSynopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This WorksSynopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewSynopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedSynopsys Software Integrity Group
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Synopsys Software Integrity Group
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualSynopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Synopsys Software Integrity Group
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Synopsys Software Integrity Group
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Software Integrity Group
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Cisco Canada
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingSynopsys Software Integrity Group
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021Adrian Sanabria
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomwarePrathan Phongthiproek
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
A Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product TestingA Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product TestingKevin Fealey
 
Ecosystem
EcosystemEcosystem
EcosystemMoti Sagey מוטי שגיא
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsSynopsys Software Integrity Group
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsSynopsys Software Integrity Group
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg Tunde Ogunkoya
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Cisco DevNet
 

Weitere ähnliche Inhalte

Was ist angesagt?

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Synopsys Software Integrity Group
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Synopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Synopsys Software Integrity Group
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...Mail.ru Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Software Integrity Group
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodeDevOps.com
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Cisco Canada
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021Adrian Sanabria
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
A Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product TestingA Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product TestingKevin Fealey
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 

Was ist angesagt? (18)

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алек...
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomware
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
A Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product TestingA Stratagem on Strategy: Rolling Security Testing into Product Testing
A Stratagem on Strategy: Rolling Security Testing into Product Testing
 
Ecosystem
EcosystemEcosystem
Ecosystem
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 

Ähnlich wie Webinar–OWASP Top 10 for JavaScript for Developers

Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsSynopsys Software Integrity Group
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg Tunde Ogunkoya
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Cisco DevNet
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsAmazon Web Services
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Sohini Mukherjee
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryMikhail Prudnikov
 
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)Jessica Deen
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementBlack Duck by Synopsys
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Common Security Misconception
Common Security MisconceptionCommon Security Misconception
Common Security MisconceptionMatthew Ong
 
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps ZNetLive
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedNico Meisenzahl
 
DevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash courseDevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash courseCisco DevNet
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 

Ähnlich wie Webinar–OWASP Top 10 for JavaScript for Developers (20)

Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
 
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
Microservices & Serverless Architecture Principles Applied - Cisco Live Orlan...
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous Delivery
 
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Common Security Misconception
Common Security MisconceptionCommon Security Misconception
Common Security Misconception
 
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
Webinar by ZNetLive & Plesk- Winning the Game for WebOps and DevOps
 
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
 
DevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash courseDevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash course
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
 

Mehr von Synopsys Software Integrity Group

Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersSynopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileSynopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsSynopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Synopsys Software Integrity Group
 

Mehr von Synopsys Software Integrity Group (13)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
 

Kürzlich hochgeladen

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 

Kürzlich hochgeladen (20)

Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 

Webinar–OWASP Top 10 for JavaScript for Developers

  • 1. © 2019 Synopsys, Inc.1 OWASP Top 10 for JavaScript Developers Lewis Ardern Senior Security Consultant, Synopsys https://twitter.com/LewisArdern
  • 2. © 2019 Synopsys, Inc.2 About me • Sr. Security Consultant @ Synopsys Software Integrity Group (SIG) o Formerly Cigital • AngularSF organizer o https://www.meetup.com/Angular-SF/ • B.Sc. in computer security and ethical hacking o Founder of http://leedshackingsociety.co.uk/ • JavaScript enthusiast!
  • 3. © 2019 Synopsys, Inc.3 What is the OWASP Top 10? • 10 critical web application security risks • Common flaws and weaknesses • Present in nearly all applications Modern, evidence-based risks (data covers 2014–2017) • 114,000 apps • 9,000 bug bounties • 40 security consultancies and 1 bug bounty firm • 50+ CWEs accepted in raw data Community-chosen risks • 500 survey responses
  • 4. © 2019 Synopsys, Inc.4 A1:2017 Injection The dangers of mixing data and code
  • 5. © 2019 Synopsys, Inc.5 NoSQL injection • No SQL injection != No injection in NoSQL • Official documentation says “no SQL injection” • Vulnerable if: o User input includes a Mongo query selector: $ne, $lt, $gt, $eq, $regex, etc. o User input is directly included into a collection method as part of the query: find, findOne, findOneAndUpdate, etc. https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection https://docs.mongodb.com/manual/reference/operator/query/ https://docs.mongodb.com/manual/reference/method/
  • 6. © 2019 Synopsys, Inc.6 Vulnerable MongoDB log-in example Injection: https://url.to/login?user=admin&pass[$ne]= Query output:
  • 7. © 2019 Synopsys, Inc.7 Demo MongoDB injection
  • 8. © 2019 Synopsys, Inc.8 MongoDB injection prevention • Ensure user input is a String inside a collection method https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String • Perform custom data validation https://github.com/hapijs/joi
  • 10. © 2019 Synopsys, Inc.11 Injection prevention • Parameterized mechanisms https://github.com/tediousjs/node-mssql#input-name-type-value https://github.com/mysqljs/mysql#escaping-query-identifiers • Secure APIs https://github.com/tediousjs/node-mssql#prepared-statements • Perform input validation & output encoding https://dev.to/azure/pushing-left-like-a-boss-part-5-1-input-validation-output-encoding-and-parameterized-queries- 2749
  • 11. © 2019 Synopsys, Inc.12 A2:2017 Broken Authentication Broken authentication and session management
  • 12. © 2019 Synopsys, Inc.19 Insecure object comparison What happens if you create your own authentication middleware?
  • 13. © 2019 Synopsys, Inc.20 Comparison table Value Return SESSIONS[ 'invalidString' ] False SESSIONS[ '' ] False SESSIONS[ 'constructor' ] True SESSIONS[ 'hasOwnProperty' ] True
  • 14. © 2019 Synopsys, Inc.21 What happens when you create an object in JavaScript?
  • 15. © 2019 Synopsys, Inc.22 Exploit This issue is trivial to exploit. • Using cURL we can simply run the following command: curl https://localhost:9000 -H "Cookie: token=constructor" • Alternatively, you can just set the document.cookie value via the browser
  • 16. © 2019 Synopsys, Inc.23 Demo Insecure object comparison
  • 17. © 2019 Synopsys, Inc.24 How do we correctly check? Use crypto.timingSafeEqual (a, b) • https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b • It provides a safe comparison and prevents timing attacks Object.hasOwnProperty or Map.has do not check base properties • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map/has
  • 18. © 2019 Synopsys, Inc.25 A3:2017 Sensitive Data Exposure
  • 19. © 2019 Synopsys, Inc.26 RESTful API data leakage
  • 20. © 2019 Synopsys, Inc.27 Do not include verbose error messages in JSON • Verbose error messages lead to system information disclosure • Although the client-side application displays a generic error message, the JSON response might still contain full error messages • Malicious users may use a web proxy to read the stack trace output in JSON Caution: Detailed system information might not seem that significant at first sight. However, it can inform attackers on the internals of the system or infrastructure, and help them drive further attacks.
  • 21. © 2019 Synopsys, Inc.28 Disclosing information via error messages in JSON This code shows an SQL error message passed in JSON and the JavaScript code used to mask it. JavaScript code to handle the error:
  • 22. © 2019 Synopsys, Inc.29 A4:2017 XML External Entities (XXE)
  • 23. © 2019 Synopsys, Inc.30 XML external entities (XXE) injection node-expat • 48,353 weekly downloads • Vulnerable by default • No way to configure parser to disable DTD https://help.semmle.com/wiki/display/JS/XML +internal+entity+expansion
  • 24. © 2019 Synopsys, Inc.31 XML external entities (XXE) injection libxmljs • 47,876 weekly downloads • Vulnerable if noent is set to true https://help.semmle.com/wiki/display/JS/XML+external+entity+expansion
  • 25. © 2019 Synopsys, Inc.32 XML external entities (XXE) vulnerable example Libxmljs can be vulnerable to XXE https://github.com/appsecco/dvna/blob/69f46843c05613d707fa5d036e350cca37deeb19/core/appHandler.js#L235
  • 26. © 2019 Synopsys, Inc.33 XML injection prevention • Consider using a library that does not process DTDs. https://github.com/isaacs/sax-js • Use libraries with safe defaults, such as libxmljs (apart from its sax parser). https://github.com/libxmljs/libxmljs • If entities such as &amp; or &gt; need to be expanded, use lodash, underscore, or he. https://lodash.com/docs/4.17.11#unescape https://underscorejs.org/#unescape https://github.com/mathiasbynens/he • Alternatively, strict input validation/output encoding must be performed before parsing.
  • 27. © 2019 Synopsys, Inc.34 A5:2017 Broken Access Control
  • 28. © 2019 Synopsys, Inc.35 Do not rely on client-side controls • Client-side routing and authorization should only be implemented for user experience • Authentication and authorization controls implemented client-side can be bypassed • All authorization, authentication, and business logic controls must be enforced server-side: o npm packages: https://github.com/casbin/node-casbin o Frameworks: https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions o Writing custom middleware:
  • 29. © 2019 Synopsys, Inc.36 Angular example Angular route guards are for Boolean display aesthetics https://angular.io/guide/router#milestone-5-route- guards https://nvisium.com/blog/2019/01/17/angular-for- pentesters-part-2.html
  • 30. © 2019 Synopsys, Inc.37 A6:2017 Security Misconfiguration
  • 31. © 2019 Synopsys, Inc.38 Ensure Node is not running in development mode NodeJS applications run in development mode by default. • NodeJS and most frameworks that run on it return verbose errors if left in development mode: • When deploying to production, set the NODE_ENV variable to a value other than development to avoid verbose errors: https://expressjs.com/en/advanced/best-practice-performance.html
  • 32. © 2019 Synopsys, Inc.39 Ensure Node is not running with sudo privileges A Node.js application running with sudo privileges has a greater chance of modifying the underlying server system through malicious code execution. • On Linux systems, sudo is required to bind to ports under 1000 (e.g., 80) • If sudo is required, after the port has been bound, change the privileges to a less privileged user and group: https://nodejs.org/api/process.html
  • 33. © 2019 Synopsys, Inc.40 A7:2017 Cross-Site Scripting (XSS)
  • 34. © 2019 Synopsys, Inc.41 XSS is easy to introduce Script execution: http://www.vulnerable.site#userName=<img src=x onerror='alert(document.domain)'>
  • 35. © 2019 Synopsys, Inc.42 XSS prevention is HARD • DOM XSS is hard to prevent in today’s developer ecosystem https://hackerone.com/reports/158853 https://hackerone.com/reports/405191 https://hackerone.com/reports/164821 • Each browser parses and renders HTML differently https://www.youtube.com/watch?v=lG7U3fuNw3A http://shazzer.co.uk • Various execution contexts and character sets https://html5sec.org https://github.com/cure53/XSSChallengeWiki/wiki/Puzzle-1-on-kcal.pw http://polyglot.innerht.ml/ Script Gadgets https://github.com/google/security-research-pocs/tree/master/script-gadgets
  • 36. © 2019 Synopsys, Inc.43 Frameworks reduce the attack surface until… • Combining templating engines, third-party libraries, and frameworks https://jsfiddle.net/015jxu8s/ • Disabling security controls https://docs.angularjs.org/api/ng/provider/$sceProvider • Using insecure APIs trustAs, v-html, bypassSecurityTrust, or dangerouslySetInnerHTML • Allowing JavaScript URIs in <a href=""></a> https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412 • Direct access to the DOM https://angular.io/api/core/ElementRef • Server-side rendering https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications- 2bdffbcc1fa0 • Caching mechanisms such as $templateCache https://docs.angularjs.org/guide/security Note: This is not an exhaustive list.
  • 37. © 2019 Synopsys, Inc.44 Signal creates a lot of noise
  • 38. © 2019 Synopsys, Inc.45 What went wrong? Signal developers used dangerouslySetInnerHTML for phone and desktop, leading to RCE in the desktop and cross-site scripting (XSS) in iOS/Android.
  • 39. © 2019 Synopsys, Inc.46 General prevention techniques • Libraries and frameworks for automatic output encoding and sanitization: Pug, Mustache, EJS – Angular, React ,Vue – secure-filters • Sanitization for HTML, MathML, and SVG with DOMPurify https://github.com/cure53/DOMPurify • Default to safe APIs • innerText • encodeURI
  • 40. © 2019 Synopsys, Inc.47 Apply defence-in-depth strategies • Create a strong Content Security Policy (CSP) https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation https://twitter.com/LewisArdern/status/1112926476498698240 https://csp.withgoogle.com • Experiment with Trusted Types https://developers.google.com/web/updates/2019/02/trusted-types
  • 41. © 2019 Synopsys, Inc.48 A8:2017 Insecure Deserialization
  • 42. © 2019 Synopsys, Inc.49 Insecure deserialization • JSON.stringify and JSON.parse is a form of deserialization • Prototype pollution https://snyk.io/blog/after-three-years-of-silence-a-new- jquery-prototype-pollution-vulnerability-emerges-once- again/ • JavaScript third-party libraries introduce insecure deserialization issues • node-serialize • serialize-to-js (fixed)
  • 43. © 2019 Synopsys, Inc.50 Avoid unsafe deserialization Node.js applications are vulnerable to RCE (remote code execution) exploits if attacker-controlled data is deserialized via reflection. • Avoid passing untrusted data to deserialization functions • Apply security patches for software that contains known deserialization vulnerabilities • Encrypt or hash serialized objects • Prevents tampering, but not replay • Check the object type is as expected https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
  • 44. © 2019 Synopsys, Inc.51 Eval is evil new Function, setTimeout, and setInterval also dynamically evaluate JavaScript. • The core issue behind node-serialize is the use of eval: https://github.com/luin/serialize/blob/master/lib/serialize.js#L76
  • 45. © 2019 Synopsys, Inc.52 A9:2017 Using Components With Known Vulnerabilities
  • 46. © 2019 Synopsys, Inc.53 Security issues with third-party components • Perform a security audit against third-party code • If you find a security issue, notify the project maintainer • https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/#open-source-security • Use automated tools to audit dependencies in your CI/CD pipeline:
  • 47. © 2019 Synopsys, Inc.54 Examples of components with known vulnerabilities Lodash, CVE-2018-3721 (prototype pollution): Impact in some cases was denial of service (DoS), remote code execution (RCE), and even bypass security controls Next.js, CVE-2018-6184 (directory traversal): Allowed for arbitrary read of the file system Next.js, CVE-2018-18282 (cross-site scripting, XSS): Allowed for XSS on the /_error page Auth0.js, CVE-2018-6873 (privilege escalation): Did not validate JWT audience, which allowed for privilege escalation Kibana, CVE-2018-17246 (arbitrary command injection): Allowed for arbitrary command execution in the console plugin
  • 48. © 2019 Synopsys, Inc.55 Mitigation techniques Track use of outdated third-party components and update where necessary • Maintain a technology assets inventory to track components and dependencies https://medium.com/uber-security-privacy/code-provenance-application-security-77ebfa4b6bc5 https://yarnpkg.com/lang/en/docs/cli/why/ and https://yarnpkg.com/lang/en/docs/cli/list https://docs.npmjs.com/cli/ls.html https://bower.io/docs/api/#list • Review the inventory on a regular basis for known vulnerabilities • Track known risks and vulnerabilities in the environment • Develop a process to update, and regression test external components • Pin dependency versions where possible Reduce the risk of another event-stream affecting your organization https://docs.npmjs.com/files/shrinkwrap.json and https://yarnpkg.com/lang/en/docs/yarn-lock
  • 49. © 2019 Synopsys, Inc.56 A10:2017 Insufficient Logging and Monitoring
  • 50. © 2019 Synopsys, Inc.57 Insufficient logging and monitoring Insufficient logging and monitoring of computer systems, applications, and networks provide multiple gateways to probes and breaches that can be difficult or impossible to identify and resolve without a viable audit trail. Basic vulnerabilities include: • Unlogged events, such as failed log-in credentials • Locally stored logs without cloud backup • Misconfigurations in firewalls and routing systems • Alerts and subsequent responses that are not handled effectively • Malicious activity alerts not detected in real time Many reported breaches were only discovered years after the first intrusion happened. In the case of one famous university, a data breach from 2008 was not discovered until 2018!
  • 51. © 2019 Synopsys, Inc.58 Secure logging and monitoring
  • 52. © 2019 Synopsys, Inc.59 Use Winston to enable secure logging practices • Winston is a logging library that escapes data to prevent log injection: • Winston also provides various built-in security controls, such as content filters: • Resulting in the following output:
  • 53. © 2019 Synopsys, Inc.60 Thank you! Email: lewis@ardern.io Website: https://ardern.io Twitter: https://twitter.com/LewisArdern GitHub: https://github.com/LewisArdern LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40