Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From the Crypt to the Code

Ramona Schwering
November 24, 2024
Technology
0
28

From the Crypt to the Code

A cryptic videotape haunting its viewers, a shape-shifting entity haunting a research station, or an astronaut unknowingly carrying an alien onto a spaceship —do these scenarios sound familiar? These horror movie plots share similarities with scenarios in web security you have already encountered.

Join me on a chilling journey through web security as we explore the most common vulnerabilities through the lens of horror movies. From the sinister injection flaws reminiscent of "Alien" to the terrifying specter of broken authentication akin to "Unfriended". But don't worry, we'll also shed light on solutions in web development, turning these security nightmares into tales of triumph. If you dare, join us and learn how to conquer the darkness invited by your web applications.

Ramona Schwering

November 24, 2024
Tweet

More Decks by Ramona Schwering

See All by Ramona Schwering
Plants vs thieves: Automated Tests in the World of Web Security
leichteckig
0
130
You shall not pass!? A short story of customizable login experiences
leichteckig
0
37
Access Granted!
leichteckig
0
84
Who are vue? Authn in Vue, the important parts
leichteckig
0
68
Vue Fortified: Best Practices for Web App Security
leichteckig
0
120
It's a (testing) trap! - Common end-to-end pitfalls and how to solve them
leichteckig
0
150
Measure and improve frontend performance by using test automation
leichteckig
0
150
You belong here! On hurdles and happiness as women in IT
leichteckig
0
53
Flaky Tests - Fighting Nightmares
leichteckig
0
310

Other Decks in Technology

See All in Technology
embedパッケージを深掘りする / Deep Dive into embed Package in Go
task4233
1
230
メールヘッダーを見てみよう
hinono
0
140
【Oracle Cloud ウェビナー】2025年のセキュリティ脅威を読み解く:リスクに備えるためのレジリエンスとデータ保護
oracle4engineer
PRO
1
120
FODにおけるホーム画面編成のレコメンド
watarukudo
PRO
2
390
DMMブックスへのTipKit導入
ttyi2
1
130
Windows Server 2025 へのアップグレードではまった話
tamaiyutaro
1
180
AIアプリケーション開発でAzure AI Searchを使いこなすためには
isidaitc
1
170
サーバレスの未来〜The Key to Simplifying Everything〜
kawaji_scratch
1
270
あなたの知らないクラフトビールの世界
miura55
0
160
AWS re:Invent 2024 re:Cap Taipei (for Developer): New Launches that facilitate Developer Workflow and Continuous Innovation
dwchiang
0
180
reinvent2024を起点に振り返るサーバーレスアップデート
mihonda
1
120
HCP TerraformとAzure:イオンスマートテクノロジーのインフラ革新 / HCP Terraform and Azure AEON Smart Technology's Infrastructure Innovation
aeonpeople
2
160

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
For a Future-Friendly Web
brad_frost
176
9.5k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.2k
BBQ
matthewcrist
85
9.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
GraphQLとの向き合い方2022年版
quramy
44
13k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
3k
The Cult of Friendly URLs
andyhume
78
6.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
3
250
The Art of Programming - Codeland 2020
erikaheidi
53
13k

Transcript

  1. Web security explored through horror movies

  2. Slight spoiler alert / content warning

  3. Brillstein-Grey Entertainment

  4. Brillstein-Grey Entertainment

  5. Let‘s split up, gang!

  6. Are we really better then them?

  7. They‘re the same picture.

  8. None

  9. Friendly professor to the rescue!

  10. None

  11. Let‘s draft our own survival playbook

  12. None

  13. Broken Access Control

  14. Nobody will see him come, […] He can hear every

    secret.
  15. None

  16. Deny by default

  17. Deny by default Rate limit API and controller access

  18. Deny by default Rate limit API and controller access Invalidate

    stateful session identifiers

  19. Deny by default Rate limit API and controller access Invalidate

    stateful session identifiers Implement and reuse access control mechanisms
  20. None
  21. None

  22. Cryptographic Failures

  23. The box. You opened it. We came

  24. None

  25. Encrypt all sensitive data

  26. Classify data processed, stored, or transmitted Encrypt all sensitive data

  27. Classify data processed, stored, or transmitted Don't store sensitive data

    unnecessarily Encrypt all sensitive data

  28. Classify data processed, stored, or transmitted Don't store sensitive data

    unnecessarily Don‘t cache sensitive responses Encrypt all sensitive data

  29. Classify data processed, stored, or transmitted Don't store sensitive data

    unnecessarily secure, strong & up-to-date protocols Don‘t cache sensitive responses Encrypt all sensitive data
  30. None
  31. None
  32. None
  33. None
  34. None
  35. None
  36. None

  37. Use a safe API

  38. Use a safe API positive server-side input validation

  39. Use a safe API positive server-side input validation Use SQL

    features

  40. Use a safe API positive server-side input validation Use SQL

    features escape special characters

  41. Example sanitation

  42. Example sanitation Library or build your own

  43. Example sanitation

  44. None
  45. None

  46. Vurnerable and Outdated Dependencies

  47. None
  48. None

  49. Remove ununsed dependencies etc.

  50. Remove ununsed dependencies etc. Inventory of all version numbers

  51. Remove ununsed dependencies etc. Inventory of all version numbers Obtain

    from official sources & secure links

  52. Remove ununsed dependencies etc. Inventory of all version numbers Obtain

    from official sources & secure links Monitor if library get unmaintained

  53. Remove ununsed dependencies etc. Inventory of all version numbers Obtain

    from official sources & secure links Monitor if library get unmaintained
  54. None
  55. None
  56. None

  57. Stay as a team

  58. Stay as a team Take care of your batteries

  59. Stay as a team Take care of your batteries Double-check

    if the killer was defeated

  60. Stay as a team Take care of your batteries Double-check

    if the killer was defeated Take your prof‘s OWASP‘s advice seriously

  61. Thank you!

  62. Thank you!