Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security Patterns 2012
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Mike Wiesner
November 08, 2012
Programming
56
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Security Patterns 2012
Mike Wiesner
November 08, 2012
More Decks by Mike Wiesner
See All by Mike Wiesner
Transaktionen in Java
mikewiesner
0
96
Introduction to Spring Security 3/3.1
mikewiesner
0
130
Other Decks in Programming
See All in Programming
「なぜそう決めたのか」を残し続ける仕組み ― Notion AI カスタムエージェント × Slack連携による設計判断の自動記録 - NIKKEI Tech Talk #47
niftycorp
PRO
0
250
AIエージェントで 変わるAndroid開発環境
takahirom
1
450
The Bowling Game- From Imperative to Functional Programming - Part 1
philipschwarz
PRO
0
280
AI 輔助遺留系統現代化的經驗分享
jame2408
1
1.2k
コーディングルールの鮮度を保ちたい for SRE NEXT 2026 / keep-fresh-go-internal-conventions-sre-next-2026
handlename
0
120
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.8k
Claude Opus 4.6以後の受託開発エンジニアの変化(Claude Code開発ノウハウ大公開スペシャルbyクラスメソッド)
iidatakuma
1
340
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.7k
関数型プログラミングのメリットって何だろう?
wanko_it
0
140
Go1.27で導入されるジェネリクスメソッドでできること
mackee
0
250
エンジニアにデザインハーネスを 〜デザインプロセスを規定するためのハーネス〜 / Design harness from an engineer's perspective
rkaga
2
1k
これからAgentCoreを触る方へトレンドはGatewayです
har1101
6
480
Featured
See All Featured
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
RailsConf 2023
tenderlove
30
1.5k
Statistics for Hackers
jakevdp
799
230k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
880
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
szymonslowik
1
1.2k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
The World Runs on Bad Software
bkeepers
PRO
72
12k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
260
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.4k
The Art of Programming - Codeland 2020
erikaheidi
57
14k
Transcript
Security Patterns mehr als nur Authentifizierung und Autorisierung Mike Wiesner
[email protected]
None
Application Security?
Enterprise Java = Spring Spring + Security = Spring Security
Authentication Authorization
Fertig?
• Injection • Cross-Site Scripting (XSS) • Broken Authentication and
Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten
Security ist ein Prozess
select * from users where user = 'user' and password
= '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection
XML Processing
fromFile newOrderXml download box downloadSecured boxSecured
Alle noch wach?
Demo Time!
Input Validation
JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private
String addressline1; @Length(max=30) private String addressline2; }
Trust Zones
None
OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Demo Time!
Security Misconfiguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren
• Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”
OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Fertig?
Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF
Defense in Depth
Fazit • Application Security ist ein Prozess • Jeder Entwickler
muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!
Mike Wiesner
[email protected]
http://bit.ly/SECPATTERN12