
Security Patterns 2012

Mike Wiesner

November 08, 2012

Transcript

  1. OWASP Top Ten
     • Injection
     • Cross-Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object References
     • Cross-Site Request Forgery (CSRF)
     • Security Misconfiguration
     • Insecure Cryptographic Storage
     • Failure to Restrict URL Access
     • Insufficient Transport Layer Protection
     • Unvalidated Redirects and Forwards
  2. SQL Injection
     Diagram labels: Client, Login, BBI Webserver, Database. The client submits the
     user name user and the password ' or '1' = '1, and the web server builds the query:

         select * from users where user = 'user' and password = '' or '1' = '1'
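Added example, not part of Mike Wiesner's deck: the login query from slide 2 built in Java two ways, once by string concatenation as the slide shows it and once as a PreparedStatement, run against the same constructed users table with the slide's input. It assumes an H2 in-memory JDBC database (com.h2database:h2) on the classpath; the column is named username rather than the slide's user because user is a reserved word in several databases.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the deck). Assumes an H2 in-memory database on the
// classpath; any JDBC driver would behave the same way for this comparison.
public class LoginQueryDemo {

    // Constructed test data: one user with a known password. Plaintext is used only
    // to keep the demo short; real systems store salted hashes.
    static void setUp(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("create table users (username varchar(50), password varchar(50))");
            st.execute("insert into users values ('alice', 'correct horse')");
        }
    }

    // Vulnerable form from the slide: user input is pasted into the SQL text, so the
    // quote characters in the submitted password change the statement's structure
    // into "... and password = '' or '1' = '1'", which is true for every row.
    static boolean loginConcatenated(Connection c, String user, String password) throws SQLException {
        String sql = "select * from users where username = '" + user
                   + "' and password = '" + password + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the statement text is fixed and the driver binds the values as
    // data, so the same input is compared literally and matches no row.
    static boolean loginPrepared(Connection c, String user, String password) throws SQLException {
        String sql = "select * from users where username = ? and password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            setUp(c);
            String password = "' or '1' = '1";   // the value shown on the slide
            System.out.println("concatenated, wrong password: " + loginConcatenated(c, "user", "wrong"));
            System.out.println("concatenated, slide input:    " + loginConcatenated(c, "user", password));
            System.out.println("prepared, slide input:        " + loginPrepared(c, "user", password));
            System.out.println("prepared, real credentials:   " + loginPrepared(c, "alice", "correct horse"));
        }
    }
}
```

The second line of output is the point of the slide: the concatenated query returns a row although no such user exists, because the condition degenerates to `... or '1' = '1'`. The prepared form returns false for the same input and true only for the real credentials; binding parameters is the fix, not escaping or filtering quote characters.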
  3. JSR-303: Bean Validation

         // Imports added for clarity: @NotNull is a standard JSR-303 constraint,
         // @Length comes from Hibernate Validator.
         import javax.validation.constraints.NotNull;
         import org.hibernate.validator.constraints.Length;

         public class Address {
             @NotNull
             @Length(max=30)
             private String addressline1;

             @Length(max=30)
             private String addressline2;
         }
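Added example, not part of the deck: the slide shows only the annotated Address class, so this shows how the declared constraints are actually enforced through the JSR-303 Validator API and what a caller gets back. It assumes a Bean Validation provider such as Hibernate Validator 6.x (javax.validation namespace, plus an EL implementation) on the classpath, and uses the standard @Size(max=30) where the slide uses Hibernate's @Length(max=30); the Address values are constructed for the demo.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

// Added example (not from the deck). Assumes a JSR-303 provider such as
// Hibernate Validator 6.x on the classpath.
public class AddressValidationDemo {

    // The slide's Address, with the standard @Size in place of Hibernate's @Length.
    public static class Address {
        @NotNull
        @Size(max = 30)
        private String addressline1;

        @Size(max = 30)
        private String addressline2;

        public Address(String line1, String line2) {
            this.addressline1 = line1;
            this.addressline2 = line2;
        }
    }

    // One factory per application is the intended usage; building it is expensive.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Returns the violations so callers can reject the input before it reaches
    // persistence or rendering code; an empty set means the object is valid.
    static Set<ConstraintViolation<Address>> validate(Address a) {
        return VALIDATOR.validate(a);
    }

    public static void main(String[] args) {
        Address ok = new Address("1 Main Street", null);
        // Constructed bad input: first line missing, second line 31 characters (Java 11+ repeat).
        Address bad = new Address(null, "x".repeat(31));

        System.out.println("valid address -> " + validate(ok).size() + " violations");
        for (ConstraintViolation<Address> v : validate(bad)) {
            System.out.println(v.getPropertyPath() + ": " + v.getMessage());
        }
    }
}
```

The valid address yields zero violations; the bad one yields two, one per annotated field, each carrying the property path and the provider's message. In a Spring MVC or JAX-RS application the same validation is triggered by @Valid on the request object, so the constraints live in one place rather than being re-checked in every controller.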
  4. OWASP Top Ten (the same ten items as on slide 1)
  5. Security Misconfiguration
     • Know the frameworks in use
     • Document the frameworks in use
     • Have a process for security bugs in frameworks
     • "Hide" frameworks
  6. OWASP Top Ten (the same ten items as on slide 1)
  7. Conclusion
     • Application security is a process
     • Every developer must know the basics
     • It must not stop innovation
     • Frameworks can help with this,
     • but they cannot solve every problem!