Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Patterns 2012

Avatar for Mike Wiesner Mike Wiesner
November 08, 2012
Programming
53
0

Security Patterns 2012

Avatar for Mike Wiesner

Mike Wiesner

November 08, 2012

More Decks by Mike Wiesner

See All by Mike Wiesner
Transaktionen in Java
Avatar for Mike Wiesner mikewiesner
0
93
Introduction to Spring Security 3/3.1
Avatar for Mike Wiesner mikewiesner
0
130

Other Decks in Programming

See All in Programming
AIとASP.NET Coreで雑Webアプリを作った話
Avatar for Mayuki Sawatari mayuki
0
620
Javaの型とAI時代に型が大事な理由 / java types and type in AI era
Avatar for Naoki Kishida kishida
2
130
dRuby over BLE
Avatar for makicamel makicamel
2
340
Datadog × OpenTelemetry 入門と実践のあいだ
Avatar for Max Kento kn_to_maxpno
1
160
タクシーアプリ『GO』の バックエンド開発のおける AI利活用と若者のすべて
Avatar for Kazuhiko Yamashita pyama86
3
2k
脅威をエンジニアリングの糧にして――現場編 / Turning Threats into Engineering Fuel — Field Edition
Avatar for nrs nrslib
0
280
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
Avatar for Yuku Kotani yukukotani
3
4k
さぁV100、メモリをお食べ・・・
Avatar for nilpe nilpe
0
140
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
190
Lessons from Spec-Driven Development
Avatar for Simon Martinelli simas
PRO
0
200
Claspは野良GASの夢をみるか
Avatar for てらうちたかし takter00
0
190
作って学ぶ、 JSX (TSX) ランタイムの基本
Avatar for syumai syumai
7
1.6k

Featured

See All Featured
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
1
350
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
275
41k
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
1
410
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon Słowik szymonslowik
1
1.1k
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
Avatar for Marco Roth marcoroth
1
190
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
3.1k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
Avatar for Aleyda Solis aleyda
1
1.3k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
55k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
320
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
850

Transcript

  1. Security Patterns mehr als nur Authentifizierung und Autorisierung Mike Wiesner

    [email protected]
  2. None

  3. Application Security?

  4. Enterprise Java = Spring Spring + Security = Spring Security

  5. Authentication Authorization

  6. Fertig?

  7. • Injection • Cross-Site Scripting (XSS) • Broken Authentication and

    Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten

  8. Security ist ein Prozess

  9. select * from users where user = 'user' and password

    = '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection

  10. XML Processing

  11. fromFile newOrderXml download box downloadSecured boxSecured

  12. Alle noch wach?

  13. Demo Time!

  14. Input Validation

  15. JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private

    String addressline1; @Length(max=30) private String addressline2; }

  16. Trust Zones

  17. None

  18. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  19. Demo Time!

  20. Security Misconfiguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren

    • Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”

  21. OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

    Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  22. Fertig?

  23. Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF

  24. Defense in Depth

  25. Fazit • Application Security ist ein Prozess • Jeder Entwickler

    muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!

  26. Mike Wiesner [email protected] http://bit.ly/SECPATTERN12