Securing Your
Applications
Michael Coates
mcoates@mozilla.com
@_mwc
Thursday, May 30, 13
You are a target
The attackers are talented and motivated
Data Loss: Growing Problem
http://datalossdb.org/statistics
Data Loss & Breaches from Hacking
http://datalossdb.org/statistics
2013 Verizon DBR
Data Loss: Outside Attackers
http://datalossdb.org/statistics
2013 Verizon DBR
Security: The Basics
• Understand the problem space & challenges
• SSL isn’t as easy as “https”
• You can’t store passwords with just hashing
• SQL Injection & Cross Site Scripting should be understood by all developers
Where To Start?
• Focus on Risk - not vulnerability “flavor of the day”
• Reference top risks and customize
• OWASP Top 10
https://www.owasp.org/index.php/Top_10_2013-Top_10
1. Injection
2. Broken Authentication & Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Password Storage
Password Storage Options (ordered from weakest to strongest)
• Plain text / Home grown obfuscation (weakest)
• md5
• sha2 (256 / 512)
• sha2 with generic salt
• sha2 with per user salt
• Bcrypt or PBKDF2 (strongest; currently considered acceptable)
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
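The following is an added example, not code from the slides: it implements the top rung of the ladder above (PBKDF2 with a per-user salt) using only the Python standard library, and contrasts it with the unsalted sha2 rung. The iteration count, salt length and record format are assumptions for illustration, not values the deck prescribes.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune to the hardware budget of your login path.
ITERATIONS = 600_000
SALT_BYTES = 16   # fresh random salt per user
KEY_BYTES = 32    # derived-key length


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the salt and iteration count beside the hash lets the work
    factor be raised later without breaking verification of old records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations; compare in constant time."""
    try:
        alg, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False          # malformed record: refuse rather than guess
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=KEY_BYTES)
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The 'sha2, no salt' rung: equal passwords give equal hashes, so one
    precomputed table cracks every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify bad:", verify_password("wrong", rec))
    # Two users with the same password get different PBKDF2 records
    # but identical unsalted hashes:
    print(hash_password("hunter2") != hash_password("hunter2"))
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

The per-user salt is what makes two identical passwords produce different records; the iteration count is what makes each guess expensive. Both are visible in the stored record, which is fine: the secret is the password, not the salt.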
SQL Injection
SQL Injection Worries
• Issue
  • SQL statements don’t properly handle user supplied data
  • Users change intent of SQL executed by DB
• Risk
  • Data Compromise
  • Corruption of Data
Into the Details
• Intent (query built by string concatenation)
  "Select * from users where lastname = '" + someVar + "';"
• Attacker enters:
  x' or 1=1--
• Result
  Select * from users where lastname = 'x' or 1=1-- ';
• Solution
  Parameterized Queries
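As an added example (not code from the slides), the query above is run both ways against an in-memory SQLite table with constructed sample rows: the concatenated form returns every row for the slide's input, the parameterized form treats the same input as a literal last name and returns nothing. The table and rows are constructed for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (lastname, email) VALUES (?, ?)",
        [("smith", "smith@example.com"),
         ("jones", "jones@example.com"),
         ("lee", "lee@example.com")],
    )
    return conn


def find_by_lastname_unsafe(conn: sqlite3.Connection, some_var: str) -> list:
    """The slide's 'intent': the user value is pasted into the SQL text.

    Anything the user types becomes part of the statement the database
    parses, so a quote character changes the query's meaning.
    """
    sql = "SELECT lastname FROM users WHERE lastname = '" + some_var + "';"
    return [row[0] for row in conn.execute(sql)]


def find_by_lastname_safe(conn: sqlite3.Connection, some_var: str) -> list:
    """Parameterized query: the value travels separately from the SQL text
    and can only ever be compared as data, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT lastname FROM users WHERE lastname = ?;", (some_var,)
    )]


if __name__ == "__main__":
    db = make_db()
    probe = "x' or 1=1--"          # the input from the slide
    print("unsafe, normal input :", find_by_lastname_unsafe(db, "smith"))
    print("unsafe, slide input  :", find_by_lastname_unsafe(db, probe))
    print("safe,   slide input  :", find_by_lastname_safe(db, probe))
```

The fix is not escaping quotes by hand but changing where the value is delivered: with `?` placeholders the driver never splices the string into the statement, so there is no concatenation step for an attacker to reach. The same placeholder style (`?`, `%s`, or `:name`) exists in every mainstream database driver.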
Cross Site Scripting
XSS Example
[Slide figure: a snippet of the target page's HTML source (a <form action="/en-US/firefox/users/login" method="post" id="login"> containing a hidden input named data[Login][referer]), a name-submission form, and a fake login form that submits to an evil site]
(1) Attacker submits malicious code
(2) Code is now part of webpage
(3) Malicious site steals passwords & installs malware
(4) Attacker spreads malicious URL
http://site.com/%3cscript%3edocument%2e
Tackling Cross Site Scripting
• In Code
  • Output encoding
  • Context is important - see OWASP XSS Cheat Sheet
• Working with browsers to eliminate XSS
  • Content Security Policy
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Security/CSP
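The following is an added example, not code from the slides or from Mozilla: it shows the "output encoding, context is important" point by encoding one untrusted value differently depending on the slot it lands in (HTML body, quoted attribute, URL query, href), and pairs it with an illustrative Content-Security-Policy header. The template, field names and the CSP value are assumptions for illustration.

```python
import html
from urllib.parse import quote, urlsplit


def encode_html_body(value: str) -> str:
    """Text between tags: & < > " ' become entities so no tag can start."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Value inside a double-quoted attribute: same entity set; the caller
    must always wrap the attribute in quotes for this to be sufficient."""
    return html.escape(value, quote=True)


def encode_url_param(value: str) -> str:
    """Value placed into a query string: percent-encode everything."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """A whole URL in href is its own context: encoding alone does not stop
    javascript: or data: schemes, so the scheme is allow-listed first."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile(name: str, referer: str, homepage: str) -> str:
    """Each untrusted value is encoded for the exact slot it lands in."""
    return (
        '<div class="featured">'
        f'<input type="hidden" name="data[Login][referer]" '
        f'value="{encode_html_attr(referer)}">'
        f'<p>Name: {encode_html_body(name)}</p>'
        f'<a href="/search?q={encode_url_param(name)}">find</a>'
        f'<a href="{safe_href(homepage)}">home</a>'
        '</div>'
    )


# Illustrative policy (an assumption, not the deck's): no inline script,
# scripts only from this origin, so injected markup cannot execute.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


if __name__ == "__main__":
    print(render_profile('<script>alert(1)</script>',
                         '" onfocus="alert(1)',
                         'javascript:alert(1)'))
    print("%s: %s" % CSP_HEADER)
```

Output encoding neutralises what the page itself emits; CSP is the browser-side backstop that refuses to run a script which still reaches the page by some path the encoding missed. The two layers are complementary, which is why the slide lists both.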
SSL
Insecure Session Management
• Secure login over HTTPS
• Password submitted encrypted
• Immediate redirect to HTTP
• Session ID sent cleartext <-- vulnerability point
[Slide figure: two exchanges]
https://site.com/login (SSL): Request -> Response: Set SessionID: 5593…
http://site.com/profile (no SSL): Request carrying SessionID: 5593… -> Response
Insecure Redirects
• User requests HTTP page, response redirects HTTPS
• 302 Response is HTTP <-- Vulnerability Point
[Slide figure: exchange with mybank.com]
GET http://mybank.com (no SSL)
302 Redirect, Location: https://mybank.com (no SSL)
GET https://mybank.com (SSL)
200 OK (SSL)
Secure Design for Communication
• HTTP Strict Transport Security (HSTS)
  • Opt-in security control
  • Website instructs compatible browser to enable STS for site
• HSTS Forces (for enabled site):
  • All communication over HTTPS
  • No insecure HTTP requests sent from browser
  • No option for user to override untrusted certificates
Strict Transport Security
• Browser prevents HTTP requests to HSTS site
• Any request to site is “upgraded” to HTTPS
• No clear text HTTP traffic ever sent to HSTS site
• Browser assumes HTTPS for HSTS sites
[Slide figure: user enters http://mybank.com; HSTS in the browser turns it into GET https://mybank.com (SSL); 200 OK]
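As an added example (not code from the slides), the server side of the last four slides is one pair of headers, and the browser side is a small cache: the login response sets the HSTS header and a Secure session cookie, and a minimal client model shows the two earlier gaps closing, the cookie no longer travels over plain HTTP, and the http:// request that used to receive a cleartext 302 is upgraded before it leaves the browser. The max-age value, host names and the client class are assumptions for illustration, not a real user agent.

```python
from http.cookies import SimpleCookie
from typing import List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000   # one year; an assumed value


def secure_login_response_headers(session_id: str) -> List[Tuple[str, str]]:
    """Headers a login response should carry once the site is HTTPS-only."""
    cookie = SimpleCookie()
    cookie["SessionID"] = session_id
    cookie["SessionID"]["secure"] = True     # never sent over plain HTTP
    cookie["SessionID"]["httponly"] = True   # not readable by page script
    cookie["SessionID"]["path"] = "/"
    return [
        ("Strict-Transport-Security",
         f"max-age={HSTS_MAX_AGE}; includeSubDomains"),
        ("Set-Cookie", cookie.output(header="").strip()),
    ]


class HstsAwareClient:
    """Minimal model of a browser's HSTS cache (illustration only)."""

    def __init__(self) -> None:
        self.hsts_hosts: Set[str] = set()

    def process_response(self, host: str, headers: List[Tuple[str, str]],
                         over_tls: bool) -> None:
        # Browsers only honour the header when it arrives over a valid
        # HTTPS connection; a cleartext response cannot enrol a host.
        if not over_tls:
            return
        for name, value in headers:
            if name.lower() != "strict-transport-security":
                continue
            max_age = 0
            for directive in value.split(";"):
                d = directive.strip()
                if d.lower().startswith("max-age="):
                    max_age = int(d.split("=", 1)[1])
            if max_age > 0:
                self.hsts_hosts.add(host.lower())
            else:
                self.hsts_hosts.discard(host.lower())  # max-age=0 clears it

    def resolve_url(self, url: str) -> str:
        """The URL the browser actually requests: http:// is upgraded to
        https:// for enrolled hosts before any packet is sent."""
        parts = urlsplit(url)
        if (parts.scheme == "http" and parts.hostname
                and parts.hostname.lower() in self.hsts_hosts):
            return urlunsplit(("https", parts.netloc, parts.path,
                               parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    client = HstsAwareClient()
    print("before:", client.resolve_url("http://mybank.com/profile"))
    headers = secure_login_response_headers("5593")
    for h in headers:
        print("%s: %s" % h)
    client.process_response("mybank.com", headers, over_tls=True)
    print("after: ", client.resolve_url("http://mybank.com/profile"))
```

The first visit still has to reach the site over HTTPS once for the policy to be learned, which is why the slide calls HSTS opt-in; the Secure cookie flag covers the session identifier on its own, independently of whether the browser supports HSTS.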
Building a Security
Culture
Security Culture
• Set guidelines that are usable
• Ensure security is a priority, not a “tax”
• Security can live in all stages:
• Planning, Dev, QA, Deployment, Monitoring
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
Tools to Assist
• Free
• OWASP ZAP Proxy - owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Security Cheat Sheets - owasp.org/index.php/Cheat_Sheets
• Learning Lab OWASP Webgoat - owasp.org/index.php/Category:OWASP_WebGoat_Project
• Extensive OWASP guidelines - owasp.org
• Professional Tools
• Static / Dynamic Analysis
• Security Architecture Reviews
• Ongoing or point-in-time penetration tests
Takeaways
• Security is a concern for your business
• Tackle security fundamentals
• Build a culture of security & leverage available resources
Thanks!
mcoates@mozilla.com
@_mwc