Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Patterns 2012

Mike Wiesner
November 08, 2012
Programming
0
36

Security Patterns 2012

Mike Wiesner

November 08, 2012
Tweet

More Decks by Mike Wiesner

See All by Mike Wiesner
Transaktionen in Java
mikewiesner
0
71
Introduction to Spring Security 3/3.1
mikewiesner
0
110

Other Decks in Programming

See All in Programming
offers_20241022_imakiire.pdf
imakurusu
2
360
レガシーな Android アプリのリアーキテクチャ戦略
oidy
1
170
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
380
開発効率向上のためのリファクタリングの一歩目の選択肢 ~コード分割~ / JJUG CCC 2024 Fall
ryounasso
0
360
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
Macとオーディオ再生 2024/11/02
yusukeito
0
140
2万ページのSSG運用における工夫と注意点 / Vue Fes Japan 2024
chinen
3
1.3k
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
現場で役立つモデリング 超入門
masuda220
PRO
12
2.9k
色々なIaCツールを実際に触って比較してみる
iriikeita
0
250
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.5k

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
bluesmoon
1
39
Building Applications with DynamoDB
mza
90
6.1k
Designing the Hi-DPI Web
ddemaree
280
34k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
Statistics for Hackers
jakevdp
796
220k
Agile that works and the tools we love
rasmusluckow
327
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
For a Future-Friendly Web
brad_frost
175
9.4k
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
The Invisible Side of Design
smashingmag
297
50k

Transcript

  1. Security Patterns mehr als nur Authentifizierung und Autorisierung Mike Wiesner

    [email protected]
  2. None

  3. Application Security?

  4. Enterprise Java = Spring Spring + Security = Spring Security

  5. Authentication Authorization

  6. Fertig?

  7. • Injection • Cross-Site Scripting (XSS) • Broken Authentication and

    Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten

  8. Security ist ein Prozess

  9. select * from users where user = 'user' and password

    = '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection

  10. XML Processing

  11. fromFile newOrderXml download box downloadSecured boxSecured

  12. Alle noch wach?

  13. Demo Time!

  14. Input Validation

  15. JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private

    String addressline1; @Length(max=30) private String addressline2; }

  16. Trust Zones

  17. None

  18. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  19. Demo Time!

  20. Security Misconfiguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren

    • Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”

  21. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  22. Fertig?

  23. Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF

  24. Defense in Depth

  25. Fazit • Application Security ist ein Prozess • Jeder Entwickler

    muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!

  26. Mike Wiesner [email protected] http://bit.ly/SECPATTERN12