Security Patterns 2012

Security Patterns mehr als nur Authentiﬁzierung und Autorisierung Mike Wiesner
[email protected]

Application Security?

Enterprise Java = Spring Spring + Security = Spring Security

Authentication Authorization

Fertig?

• Injection • Cross-Site Scripting (XSS) • Broken Authentication and
Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconﬁguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufﬁcient Transport Layer Protection • Unvalidated Redirects and Forwards OWASP Top Ten

Security ist ein Prozess

select * from users where user = 'user' and password
= '' or '1' = '1' Login BBI Webserver Client Database ' or '1' = '1 user SQL Injection

XML Processing

fromFile newOrderXml download box downloadSecured boxSecured

Alle noch wach?

Demo Time!

Input Validation

JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private
String addressline1; @Length(max=30) private String addressline2; }

Trust Zones

OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconﬁguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufﬁcient Transport Layer Protection • Unvalidated Redirects and Forwards

Demo Time!

Security Misconﬁguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren
• Prozess bei Security Bugs in Frameworks • Frameworks “verstecken”

OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •
Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconﬁguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufﬁcient Transport Layer Protection • Unvalidated Redirects and Forwards

Fertig?

Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF

Defense in Depth

Fazit • Application Security ist ein Prozess • Jeder Entwickler
muss die Grundlagen kennen • Darf nicht die Innovation stoppen • Frameworks können dabei helfen, • aber nicht alle Probleme lösen!

Mike Wiesner [email protected] http://bit.ly/SECPATTERN12

Security Patterns 2012

Security Patterns 2012

Mike Wiesner

More Decks by Mike Wiesner

Other Decks in Programming

Featured

Transcript

Security Patterns mehr als nur Authentiﬁzierung und Autorisierung Mike Wiesner

Application Security?

Enterprise Java = Spring Spring + Security = Spring Security

Authentication Authorization

Fertig?

• Injection • Cross-Site Scripting (XSS) • Broken Authentication and

Security ist ein Prozess

select * from users where user = 'user' and password

XML Processing

fromFile newOrderXml download box downloadSecured boxSecured

Alle noch wach?

Demo Time!

Input Validation

JSR-303: Bean Validation public class Address { @NotNull @Length(max=30) private

Trust Zones

OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

Demo Time!

Security Misconﬁguration • Eingesetzte Frameworks kennen • Eingesetze Frameworks dokumentieren

OWASP Top Ten • Injection • Cross-Site Scripting (XSS) •

Fertig?

Encoding Problems Internet Tomcat Browser File- System ../ %C0%AE%C0%AE%C0%AF

Defense in Depth

Fazit • Application Security ist ein Prozess • Jeder Entwickler

Mike Wiesner [email protected] http://bit.ly/SECPATTERN12