SlideShare uma empresa Scribd logo

Top 10 Java EE security risks and how to avoid them

Masoud Kalali
Masoud Kalali

If you want to learn what are the top ten security risks that a software engineer requires to pay attention to and you want to know how to address them in your Java EE software, this session is for you. The Open Web Application Security Project (OWASP) publishes the top 10 security risks and concerns of software development periodically and the new list is published in 2013. Developers can use Java EE provided features and functionalities to address or mitigate these risks. This presentation covers how to spot these risks in the code, how to avoid them, what are the best practices around each one of them. During the session, when application server or configuration is involved GlassFish is discussed as one of the Java EE 7 App server.

Tecnologia
1 de 59
Baixar para ler offline
Title: How to avoid top 10 security risks in Java EE applications Masoud Kalali @MasoudKalali ORACLE JDays 2013
Agenda • Introduc)on   • The  Top  10  Most  Cri)cal  Web  Applica)on   Security  Risks   • QA

Java EE 6 & GlassFish glassfish.org
Motivation for this talk • • • • Seen  a  lot   Providing  a  star)ng  point   Sharing  something   Making  you  aware
The Top 10 Most Critical Web Application Security Risks A1:  Injec*on A2:  Broken   Authen*ca*on  and   Session   Management A2:  Cross-­‐Site   Scrip*ng  (XSS) A4:  Insecure  Direct   Object  References   A5:  Security   Misconfigura*on A6:  Sensi*ve  Data   Exposure A7:    Missing   Func*on  Level   Access  Control   A8:  Cross-­‐Site   Request  Forgery   (CSRF) A9:  Using   Components  with   Known   Vulnerabili*es A10:  Unvalidated   Redirects  and   Forwards Aka  OWASP  Top-­‐10*   AFribu)on-­‐ShareAlike  3.0  Unported  (CC  BY-­‐SA  3.0) Source:  hFp://owasptop10.googlecode.com
What is OWASP? • Open  Web  Applica)on  Security  Project   • Improving  the  security  of  (web)  applica)on  soTware   – Not-­‐for-­‐profit  organiza)on  since  2001   – Raise  interest  in  secure  development   • Documents   – Top  10   – Cheat  Sheets   – Development  Guides   • Solu)ons   – Enterprise  Security  API  (ESAPI)   – WebScarab   – WebGoat
A1  -­‐  Injec*on
A1:   A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:   • Sending  unintended  data  to  applica)ons   • Manipula*ng  and  reading  Data  stores  (e.g.  DB,   LDAP,  File  System,  etc.)   • Java  EE  6  affected:   – UI  technology  of  choice   – Database  access  (JPA,  JDBC)   – File  System  API   – etc.
A1:   A3:   A4:   A8:   How to spot it! A2:   A7:   A6:   A5:   A9:   A10:   String customerId= request.getParameter("customerId")! String query = "SELECT balance FROM customer_data WHERE customer_id = "! + customerId;! ! try {! ! Statement statement = connection.createStatement( … );! ! ResultSet results = statement.executeQuery( query );! }! String customerId = "x';  DROP  TABLE  members;  -­‐-­‐"; // user-input!
A1:   • • • • • A3:   A4:   A8:   Prevent Injection A2:   A7:   A6:   A5:   A9:   A10:   Sani*ze  the  input   Escape/Quotesafe  the  input,  e.g.  use  ESAPI     Use  bound  parameters  (the  PREPARED  statement)   Limit  database  permissions  and  segregate  users   Configure  error  repor*ng,  e.g  use  OWASP  LAPSE+   Sta*c  Code  Analysis  Tool
A1:   A3:   A4:   A8:   Prevent Injection, Sample A2:   A7:   A6:   A5:   A9:   A10:   String customerId = request.getParameter("customerId"); ! //white list validation and encoding! String escapedCustomerId= ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );! ! String query = "SELECT balance FROM customer_data WHERE customer_id = "! + escapedCustomerId;! ... ! ! //OR! ! String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";! //using pstmt or stmt with encoded/validate input parameters! PreparedStatement pstmt = connection.prepareStatement( query );! pstmt.setString( 1, customerId); ! ResultSet results = pstmt.executeQuery( );!
A2  -­‐  Broken  Authen*ca*on  and    Session  Management
A1:   • Container  Security  vs.  own  soluCon   • Session  Binding  /  Session  Renewal   • Passwords     – Strength  (length/complexity)   – Plain  text  passwords  (hGp/hGps)   – Recovery  mechanisms   • Number  of  factors  used  for  authenCcaCon   ! • Java  EE  6  affected:   – JAAS  /  JASPIC   – Filter  /  PhaseListener   A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
A1:   • • • • • • • AuthenCcaCon  over  hGp   Custom  security  filter     Not  using  Container  FuncConality   No  password  strength  requirements   No    HGpSession  binding   Way  of  saving  Passwords     Not  tesCng  security A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:  
A1:   A3:   A4:   A8:   Best Practices A2:   A7:   A6:   A5:   A9:   A10:   • Use  Container  Managed  Security!   • Go  with  provided  Standard  Realms  and  LoginModules   whenever  possible   • Invalidate  session  and  all  relevant  bits  when  logged  out   • If  you  need  custom  ones:  Test  them  extremely  carefully!   • Use  transport  layer  encrypCon  (TLS/SSL)  for   authenCcaCon,  credenCals  transport   • Review  and  adopt  OWASP’s  ASVS(ApplicaCon  Security  
 VerificaCon  Standard)
A3  -­‐  Cross-­‐Site  Scrip*ng  (XSS)
A1:   • Inject  malicious  code  into  user  interfaces   • Get  access  to  browser  informa*on   – E.g.  javascript:alert(document.cookie)   • • • • Steal  user’s  session,  steal  sensiCve  data   Rewrite  web  page  or  parts   Redirect  user  to  phishing  or  malware  site   Java  EE  6  affected:   – UI  technology  of  choice  (e.g.  JSF,  JSP) A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
A1:   A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:   ! • Anywhere  that  untrusted  data  is  used  as  one  of   the  following  in  outgoing  response:   – HTML  element’s  aGributes   – JavaScript  variables   – CSS  values   – Etc. (String)  page  +=  "<input  name='creditcard'  type='TEXT‘  value='"  +   request.getParameter("CC")  +  "'>";    
A1:   A3:   A4:   A8:   Prevent A2:   A7:   A6:   A5:   A9:   A10:   • SaniCze  the  input.  E.g.  use  OWASP  AnCSamy  or   OWASP  Java  HTML  SaniCzer,  etc.   • Escape  untrusted  data  based  on  the  HTML   context  (body,  aGribute,  JavaScript,  CSS,  or   URL)   • Use  Cookie  flags:   – hGpOnly    (prevents  XSS  access)
A4  –  Insecure  Direct  Object  References
A1:   • Exposing  secure  objects  without  defense.   • Accessing  domain  objects  with  their  PK.  E.g.
 hGps://you.com/user/1  =>  hGps://you.com/user/21   • Opening  opportuniCes  for  intruders   • InformaCon  hiding  on  the  client   • Parameter  value  tampering   ! • Java  EE  6  affected:   – All  layers   – Especially  data  access A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
A1:   • • • • • A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:   Direct  user  input  to  object  mapping   No  verificaCon  on  user  input  (defenseless)   Data  separaCon  for  users  (tenants)   Request  mode  access  for  data  (RUD)   Query  constraints
A1:   A3:   A4:   A8:   Best Practices A2:   A7:   A6:   A5:   A9:   A10:   • Use  AccessReferenceMaps   ! hnp://app?file=Report123.xls hnp://app?file=1 ! hnp://app?id=9182374   ! hnp://app?id=7d3J93 • Use  data-­‐driven  security   • Validate  object  references   • Always  Perform  addiConal  data  authorizaCon   on  the  view
A5  -­‐  Security  Misconfigura*on
A1:   • Applies  to     – – – – – – – OperaCng  System   ApplicaCon  Server   Databases   AddiConal  Services   Frameworks   Developed  Code   Etc.   • Includes  (beside  _many_  others)   – All  security  relevant  configuraCon   – Missing  Patches   – Default  accounts A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:  
A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Network  interfaces/sockets  access  control   • Relaxed  File  system  access  control   • Using  any  defaults  like:   – Passwords:  Admin,  master  password   – Network  interface  binding:  Listening  on  0.0.0.0   – CerCficates:  Self  signed  cerCficate   • Using  a  not  hardened  OS!   • Not  using  segregated  user  for  the  service   • Not  restricCng  GlassFish/Server  component  specific   user  nor  enabling  security  manager
A1:   A3:   A4:   A5:   Policy Files location A2:   A6:   A7:   A8:   A9:   A10:   • Global  Policy  File:  java.home/jre/lib/security/ java.policy   • User  Policy  File:  user.home/.java.policy   • Domain  Policy  File:  domain.home/config/ server.policy         • ApplicaCon  Policy  File:  domain.home/ generated/policy/<app.name>/ <module.name>/granted.policy  
A1:   A3:   A4:   A5:   Review the *.policy files A2:   A6:   A7:   A8:   A9:   A10:   • Policy  files  precedence  order   • Remove  unused  grants   • Add  extra  permissions  only  to  applica*ons  or   modules  that  require  them,  not  to  all   applicaCons  deployed  to  a  domain.   • Document  your  changes!
A1:   Running GlassFish in a 
 • • • • A2:   A3:   A4:   A5:   A6:   A7:   A8:   A9:   A10:   Use  the  latest  version  (3.1.2.2)   Enable  secure  admin  (TLS/hGps)   Use  password  aliasing   Enable  security  manager  and  put  forth  a   proper  security  policy  file  design hGp://blog.eisele.net/2011/05/securing-­‐your-­‐glassfish-­‐hardening-­‐guide.html   hGp://docs.oracle.com/cd/E18930_01/html/821-­‐2435/gkscr.html
A6  -­‐  Sensi*ve  Data  Exposure
A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • SensiCve  data  kept  unprotected   • SensiCve  data  exposed  to  wrong  persons   • Could  be:   – Passwords   – Financial/Health  care  data   – Credit  cards
A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Storing  sensiCve  data  unencrypted   • Storing  comparaCve  data  unhashed   (passwords/security  quesCon  answer…)   • Keeping  clear  text  copies  of  encrypted  data   • Not  keeping  the  keys/passwords  well  guarded   • caching/autocomplete  on  pages  with  sensiCve   data
A1:   A3:   A4:   A5:   Worst Practice A2:   A6:   A7:   A8:   A9:   A10:   Using  basic/form  authenCcaCon  without  SSL   Not  using  HTTPS  for  pages  with  private  informaCon   Using  default  self  signed  cerCficate   Storing  unencrypted  cookies   Not  semng  cookies  to  be  securely  transmiGed   Cookie.setSecure(true)   • Forgemng  about  the  rest  of  the  
 infrastructure • • • • •
A1:   A3:   A4:   A5:   Prevention A2:   A6:   A7:   A8:   A9:   A10:   • IdenCfy  sensiCve  data   • Wisely  encrypt  sensiCve  data   – On  every  level  (applicaCon,  appserver,  db)   – with  the  right  algorithm,  as  strong  as  possible  but  not  more!   – with  the  right  mechanism,  e.g  scrypt  and  bcrypt   • Don’t  keep  clear  text  copies   • To  decrypt  and  view  clear  text  should  be  restricted  to   authorized  personnel   • Keep  the  keys  as  protected  as  possible   • Keep  offsite  encrypted  backups  in  addiCon  to  on-­‐site   copies
A1:   • • • • • A3:   A4:   A5:   Best Practice A2:   A6:   A7:   A8:   A9:   A10:   Use  TLS  on  all  connec*ons  with  sensiCve  data   Individually  encrypt  messages     Sign  messages  before  transmission   Use  standard  strong  algorithms     Use  proven  mechanisms  when  sufficient
A1:   A3:   A4:   A5:   Java EE A2:   A6:   A7:   A8:   A9:   A10:   • Group  the  resources  in  regard  to  transport   sensiCvity  using  web-­‐resource-­‐collec+on   • Use  user-­‐data-­‐constraint  as  widely  as  you  need  for   data  integrity  and  encrypCon  needs   • Ensure  that  login/logout  pages  (in  case  of  form   auth-­‐type)  are  protected  by  <transport-­‐ guarantee>CONFIDENTIAL</transport-­‐guarantee>   • Secure  cookies  transmission
A1:   A3:   A4:   A5:   GlassFish A2:   A6:   A7:   A8:   A9:   A10:   • Protect  the  keystore   • Protect  GlassFish  accounts   – Use  aliasing  to  protect  the  password  and  keep  the   master  password  safe  to  protect  the  aliases   • Use  digest  authenCcaCon/hashed  password   storage
A1:   A3:   A4:   A5:   GlassFish A2:   A6:   A7:   A8:   A9:   A10:   • Install  the  right  server  cerCficates  to  be  used   by  SSL  listeners   • Properly  configure  HTTPS  listener/s  (set  the   right  keystore)   • Properly  configure  the  ORB  over  SSL  listeners  if   needed  (set  the  right  keystore)   • Enable  audiCng  under  Security  and  access  log   under  HTTP  Service
A7  -­‐  Missing  func7onal  access  control
A1:   • PresentaCon  layer  access  control  is  not   enough!   • Not  using  “Deny  All”  by  default   • Related  to  A4  –  Insecure  Direct  Object   References A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:  
A1:   A3:   A4:   A5:   Worst Practice A2:   A6:   A7:   A8:   A9:   A10:   • Using  home-­‐grown  security  features  instead  of   container  provided  ones   • Assuming  people  wont  know  some  URLs  to  try   them   • Assuming  no  one  would  misuse  the  extra   permission  and  access  they  have
A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   • What  you  do  to  prevent,  A4  plus:   – Use  Container  security  (security-­‐constraint)   – Use  programmaCc  login  of  Java  EE  6  if  needed.   – Properly  configure  security  realms   – Accurately  map  roles  to  principal/groups  (auth-­‐ constraint  /  security-­‐role-­‐mapping)   – Only  allow  supported/required  HTTP  methods   – Accurately  Categorize  the  URL  paGerns  and  permit   the  relevant  roles  for  each
A1:   A3:   A4:   A5:   Best Practices A2:   A6:   A7:   A8:   A9:   A10:   • Any  non-­‐public  URL  should  be  protected   • Use  container  authenCcaCon/authorizaCon   features  or  extend  on  top  of  them   • If  not  enough  use  proven  frameworks/   products  to  protect  the  resources   • If  user  can  get  /getpic?id=1x118uf  it  does  not   mean  you  should  show  /getpic?id=1x22ug
A8  -­‐  Cross  Site  Request  Forgery  (CSRF)
A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • Basically  a  capture-­‐replay  aGack   • Malicious  code  executes  funcCons  on  your   behalf  while  being  authenCcated   • Deep  links  make  this  easier   ! • JavaEE  6  affected:   – UI  technology  of  choice  
A1:   A3:   A4:   A5:   How to spot it A2:   A6:   A7:   A8:   A9:   A10:   • Predictable  URLs  (for  logged-­‐in)  users   • No  random  secret  tokens  processing  (CSRF   Token)   • No  double  check  on  different  stages  of  a  mulC-­‐ step  operaCon
A1:   A3:   A4:   A5:   A6:   A7:   A8:   A9:   Best Practices A2:   A10:   • Add  Unpredictability  (tokens)   – Hidden  Field,  Single-­‐Use  URLs   – Request  or  Session  Scope   • CSRFPrevenConForm  (JSF  1.2  &  2)
 hGp://blog.eisele.net/2011/02/prevenCng-­‐csrf-­‐with-­‐jsf-­‐20.html   • Use  OWASP  ESAPI
 hGp://www.jtmelton.com/2010/05/16/the-­‐owasp-­‐top-­‐ten-­‐and-­‐esapi-­‐part-­‐6-­‐cross-­‐ site-­‐request-­‐forgery-­‐csrf/
A9  -­‐  Using  Components  with  Known  Vulnerabili7es
A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   – Using  commercial  off  the  shelve  components  and   frameworks   – Hard  to  track  list  of  vulnerabiliCes   – Hard  to  track  fix  versions   –  Late  or  someCmes  no  news  about  the  flaws  
A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   – Using  non  well  stablished  frameworks  and   components,  specially  in  security  services.   – Do  not  following  the  release  train  and  list  of  changes,   or  announcements  mailing  lists,  etc.   – Ignoring  security  fixes  because  of  update  expense   – Staying  with  dead  project  because  of  replacing   refactoring  costs
A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   – Stay  with  ApplicaCon  server  cerCfied  components,  e.g   OS,  frameworks,  libraries,  external  services,  etc  as   long  as  possible   – If  staying  with  same  major  or  dot  release,  ensure   applying  all  patches,  specially  security  fixes.   – Only  use  well  known  and  established  frameworks  with   proven  records  
A10  -­‐  Unvalidate  Redirects  and  Forwards
A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • Redirec7ng  to  another  URL  computed  by  user   provided  parameters   • Forward  to  another  URL  computed  by  user   provided  parameters http://www.java.net/external?url=http://www.adam-bien.com/ roller/abien/entry/ conveniently_transactionally_and_legally_starting
A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Not  to  validate/verify  the  target  with  user’s   access  level  before  doing  the  forward   • Not  using  a  proper  access  control  mechanism   (e.g  container  managed  and  proper  security-­‐ constraint  )   • RedirecCng  to  a  user  provided  parameter,  e.g   to  an  external  website
A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   • Don’t  use  redirect  or  forward  as  much  as  possible   • Accurately  verify/validate  the  target  URL  before   forwarding  or  redirecCng   • Redirects  are  safe  when  using  container  managed   authenCcaCon/authorizaCon  properly   • Forwards  happen  without  authenCcaCon  and  thus   requires  triple  check  to  prevent  unauthorized   access.
Galleria Project hGps://bitbucket.org/VineetReynolds/java-­‐ee-­‐6-­‐galleria/
Security isn‘t all candy.. …  but  you  will  love  it  in  the  end!
CC picture reference • • • • • • • • • • •   hGp://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ hGp://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ hGp://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ hGp://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ hGp://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ hGp://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ hGp://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ hGp://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ hGp://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ hGp://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/   hGp://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/               !    
Questions… ! ? 59

Recomendados

Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security FrameworkKarthikeyan Dhayalan
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 

Recomendados

Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 Sorina Chirilă
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security FrameworkKarthikeyan Dhayalan
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security AssessmentKarthikeyan Dhayalan
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsKarthikeyan Dhayalan
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE - ATT&CKcon
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 

Mais conteúdo relacionado

Mais procurados

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsKarthikeyan Dhayalan
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE - ATT&CKcon
 

Mais procurados (20)

Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 Presentation
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
 

Semelhante a Top 10 Java EE security risks and how to avoid them

Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcKaty Anton
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachNordic APIs
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation 42Crunch
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]Olivier Dony
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
 

Semelhante a Top 10 Java EE security risks and how to avoid them (20)

Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps Approach
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]Safer Odoo Code [Odoo Experience 2017]
Safer Odoo Code [Odoo Experience 2017]
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018Secure Software Development Lifecycle - Devoxx MA 2018
Secure Software Development Lifecycle - Devoxx MA 2018
 

Mais de Masoud Kalali

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsMasoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EEMasoud Kalali
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyMasoud Kalali
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsMasoud Kalali
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityMasoud Kalali
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Masoud Kalali
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodologyMasoud Kalali
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.Masoud Kalali
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the futureMasoud Kalali
 

Mais de Masoud Kalali (13)

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutions
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectively
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and Solutions
 
Java EE 7 overview
Java EE 7 overviewJava EE 7 overview
Java EE 7 overview
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodology
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the future
 

Último

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Top 10 Java EE security risks and how to avoid them

  • 1. Title: How to avoid top 10 security risks in Java EE applications Masoud Kalali @MasoudKalali ORACLE JDays 2013
  • 2. Agenda • Introduc)on   • The  Top  10  Most  Cri)cal  Web  Applica)on   Security  Risks   • QA

  • 3. Java EE 6 & GlassFish glassfish.org
  • 4. Motivation for this talk • • • • Seen  a  lot   Providing  a  star)ng  point   Sharing  something   Making  you  aware
  • 5. The Top 10 Most Critical Web Application Security Risks A1:  Injec*on A2:  Broken   Authen*ca*on  and   Session   Management A2:  Cross-­‐Site   Scrip*ng  (XSS) A4:  Insecure  Direct   Object  References   A5:  Security   Misconfigura*on A6:  Sensi*ve  Data   Exposure A7:    Missing   Func*on  Level   Access  Control   A8:  Cross-­‐Site   Request  Forgery   (CSRF) A9:  Using   Components  with   Known   Vulnerabili*es A10:  Unvalidated   Redirects  and   Forwards Aka  OWASP  Top-­‐10*   AFribu)on-­‐ShareAlike  3.0  Unported  (CC  BY-­‐SA  3.0) Source:  hFp://owasptop10.googlecode.com
  • 6. What is OWASP? • Open  Web  Applica)on  Security  Project   • Improving  the  security  of  (web)  applica)on  soTware   – Not-­‐for-­‐profit  organiza)on  since  2001   – Raise  interest  in  secure  development   • Documents   – Top  10   – Cheat  Sheets   – Development  Guides   • Solu)ons   – Enterprise  Security  API  (ESAPI)   – WebScarab   – WebGoat
  • 8. A1:   A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:   • Sending  unintended  data  to  applica)ons   • Manipula*ng  and  reading  Data  stores  (e.g.  DB,   LDAP,  File  System,  etc.)   • Java  EE  6  affected:   – UI  technology  of  choice   – Database  access  (JPA,  JDBC)   – File  System  API   – etc.
  • 9. A1:   A3:   A4:   A8:   How to spot it! A2:   A7:   A6:   A5:   A9:   A10:   String customerId= request.getParameter("customerId")! String query = "SELECT balance FROM customer_data WHERE customer_id = "! + customerId;! ! try {! ! Statement statement = connection.createStatement( … );! ! ResultSet results = statement.executeQuery( query );! }! String customerId = "x';  DROP  TABLE  members;  -­‐-­‐"; // user-input!
  • 10. A1:   • • • • • A3:   A4:   A8:   Prevent Injection A2:   A7:   A6:   A5:   A9:   A10:   Sani*ze  the  input   Escape/Quotesafe  the  input,  e.g.  use  ESAPI     Use  bound  parameters  (the  PREPARED  statement)   Limit  database  permissions  and  segregate  users   Configure  error  repor*ng,  e.g  use  OWASP  LAPSE+   Sta*c  Code  Analysis  Tool
  • 11. A1:   A3:   A4:   A8:   Prevent Injection, Sample A2:   A7:   A6:   A5:   A9:   A10:   String customerId = request.getParameter("customerId"); ! //white list validation and encoding! String escapedCustomerId= ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );! ! String query = "SELECT balance FROM customer_data WHERE customer_id = "! + escapedCustomerId;! ... ! ! //OR! ! String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";! //using pstmt or stmt with encoded/validate input parameters! PreparedStatement pstmt = connection.prepareStatement( query );! pstmt.setString( 1, customerId); ! ResultSet results = pstmt.executeQuery( );!
  • 12. A2  -­‐  Broken  Authen*ca*on  and    Session  Management
  • 13. A1:   • Container  Security  vs.  own  soluCon   • Session  Binding  /  Session  Renewal   • Passwords     – Strength  (length/complexity)   – Plain  text  passwords  (hGp/hGps)   – Recovery  mechanisms   • Number  of  factors  used  for  authenCcaCon   ! • Java  EE  6  affected:   – JAAS  /  JASPIC   – Filter  /  PhaseListener   A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
  • 14. A1:   • • • • • • • AuthenCcaCon  over  hGp   Custom  security  filter     Not  using  Container  FuncConality   No  password  strength  requirements   No    HGpSession  binding   Way  of  saving  Passwords     Not  tesCng  security A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:  
  • 15. A1:   A3:   A4:   A8:   Best Practices A2:   A7:   A6:   A5:   A9:   A10:   • Use  Container  Managed  Security!   • Go  with  provided  Standard  Realms  and  LoginModules   whenever  possible   • Invalidate  session  and  all  relevant  bits  when  logged  out   • If  you  need  custom  ones:  Test  them  extremely  carefully!   • Use  transport  layer  encrypCon  (TLS/SSL)  for   authenCcaCon,  credenCals  transport   • Review  and  adopt  OWASP’s  ASVS(ApplicaCon  Security  
 VerificaCon  Standard)
  • 16. A3  -­‐  Cross-­‐Site  Scrip*ng  (XSS)
  • 17. A1:   • Inject  malicious  code  into  user  interfaces   • Get  access  to  browser  informa*on   – E.g.  javascript:alert(document.cookie)   • • • • Steal  user’s  session,  steal  sensiCve  data   Rewrite  web  page  or  parts   Redirect  user  to  phishing  or  malware  site   Java  EE  6  affected:   – UI  technology  of  choice  (e.g.  JSF,  JSP) A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
  • 18. A1:   A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:   ! • Anywhere  that  untrusted  data  is  used  as  one  of   the  following  in  outgoing  response:   – HTML  element’s  aGributes   – JavaScript  variables   – CSS  values   – Etc. (String)  page  +=  "<input  name='creditcard'  type='TEXT‘  value='"  +   request.getParameter("CC")  +  "'>";    
  • 19. A1:   A3:   A4:   A8:   Prevent A2:   A7:   A6:   A5:   A9:   A10:   • SaniCze  the  input.  E.g.  use  OWASP  AnCSamy  or   OWASP  Java  HTML  SaniCzer,  etc.   • Escape  untrusted  data  based  on  the  HTML   context  (body,  aGribute,  JavaScript,  CSS,  or   URL)   • Use  Cookie  flags:   – hGpOnly    (prevents  XSS  access)
  • 20. A4  –  Insecure  Direct  Object  References
  • 21. A1:   • Exposing  secure  objects  without  defense.   • Accessing  domain  objects  with  their  PK.  E.g.
 hGps://you.com/user/1  =>  hGps://you.com/user/21   • Opening  opportuniCes  for  intruders   • InformaCon  hiding  on  the  client   • Parameter  value  tampering   ! • Java  EE  6  affected:   – All  layers   – Especially  data  access A3:   A4:   A8:   What is it? A2:   A7:   A6:   A5:   A9:   A10:  
  • 22. A1:   • • • • • A3:   A4:   A8:   How to spot it A2:   A7:   A6:   A5:   A9:   A10:   Direct  user  input  to  object  mapping   No  verificaCon  on  user  input  (defenseless)   Data  separaCon  for  users  (tenants)   Request  mode  access  for  data  (RUD)   Query  constraints
  • 23. A1:   A3:   A4:   A8:   Best Practices A2:   A7:   A6:   A5:   A9:   A10:   • Use  AccessReferenceMaps   ! hnp://app?file=Report123.xls hnp://app?file=1 ! hnp://app?id=9182374   ! hnp://app?id=7d3J93 • Use  data-­‐driven  security   • Validate  object  references   • Always  Perform  addiConal  data  authorizaCon   on  the  view
  • 24. A5  -­‐  Security  Misconfigura*on
  • 25. A1:   • Applies  to     – – – – – – – OperaCng  System   ApplicaCon  Server   Databases   AddiConal  Services   Frameworks   Developed  Code   Etc.   • Includes  (beside  _many_  others)   – All  security  relevant  configuraCon   – Missing  Patches   – Default  accounts A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:  
  • 26. A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Network  interfaces/sockets  access  control   • Relaxed  File  system  access  control   • Using  any  defaults  like:   – Passwords:  Admin,  master  password   – Network  interface  binding:  Listening  on  0.0.0.0   – CerCficates:  Self  signed  cerCficate   • Using  a  not  hardened  OS!   • Not  using  segregated  user  for  the  service   • Not  restricCng  GlassFish/Server  component  specific   user  nor  enabling  security  manager
  • 27. A1:   A3:   A4:   A5:   Policy Files location A2:   A6:   A7:   A8:   A9:   A10:   • Global  Policy  File:  java.home/jre/lib/security/ java.policy   • User  Policy  File:  user.home/.java.policy   • Domain  Policy  File:  domain.home/config/ server.policy         • ApplicaCon  Policy  File:  domain.home/ generated/policy/<app.name>/ <module.name>/granted.policy  
  • 28. A1:   A3:   A4:   A5:   Review the *.policy files A2:   A6:   A7:   A8:   A9:   A10:   • Policy  files  precedence  order   • Remove  unused  grants   • Add  extra  permissions  only  to  applica*ons  or   modules  that  require  them,  not  to  all   applicaCons  deployed  to  a  domain.   • Document  your  changes!
  • 29. A1:   Running GlassFish in a 
 • • • • A2:   A3:   A4:   A5:   A6:   A7:   A8:   A9:   A10:   Use  the  latest  version  (3.1.2.2)   Enable  secure  admin  (TLS/hGps)   Use  password  aliasing   Enable  security  manager  and  put  forth  a   proper  security  policy  file  design hGp://blog.eisele.net/2011/05/securing-­‐your-­‐glassfish-­‐hardening-­‐guide.html   hGp://docs.oracle.com/cd/E18930_01/html/821-­‐2435/gkscr.html
  • 30. A6  -­‐  Sensi*ve  Data  Exposure
  • 31. A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • SensiCve  data  kept  unprotected   • SensiCve  data  exposed  to  wrong  persons   • Could  be:   – Passwords   – Financial/Health  care  data   – Credit  cards
  • 32. A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Storing  sensiCve  data  unencrypted   • Storing  comparaCve  data  unhashed   (passwords/security  quesCon  answer…)   • Keeping  clear  text  copies  of  encrypted  data   • Not  keeping  the  keys/passwords  well  guarded   • caching/autocomplete  on  pages  with  sensiCve   data
  • 33. A1:   A3:   A4:   A5:   Worst Practice A2:   A6:   A7:   A8:   A9:   A10:   Using  basic/form  authenCcaCon  without  SSL   Not  using  HTTPS  for  pages  with  private  informaCon   Using  default  self  signed  cerCficate   Storing  unencrypted  cookies   Not  semng  cookies  to  be  securely  transmiGed   Cookie.setSecure(true)   • Forgemng  about  the  rest  of  the  
 infrastructure • • • • •
  • 34. A1:   A3:   A4:   A5:   Prevention A2:   A6:   A7:   A8:   A9:   A10:   • IdenCfy  sensiCve  data   • Wisely  encrypt  sensiCve  data   – On  every  level  (applicaCon,  appserver,  db)   – with  the  right  algorithm,  as  strong  as  possible  but  not  more!   – with  the  right  mechanism,  e.g  scrypt  and  bcrypt   • Don’t  keep  clear  text  copies   • To  decrypt  and  view  clear  text  should  be  restricted  to   authorized  personnel   • Keep  the  keys  as  protected  as  possible   • Keep  offsite  encrypted  backups  in  addiCon  to  on-­‐site   copies
  • 35. A1:   • • • • • A3:   A4:   A5:   Best Practice A2:   A6:   A7:   A8:   A9:   A10:   Use  TLS  on  all  connec*ons  with  sensiCve  data   Individually  encrypt  messages     Sign  messages  before  transmission   Use  standard  strong  algorithms     Use  proven  mechanisms  when  sufficient
  • 36. A1:   A3:   A4:   A5:   Java EE A2:   A6:   A7:   A8:   A9:   A10:   • Group  the  resources  in  regard  to  transport   sensiCvity  using  web-­‐resource-­‐collec+on   • Use  user-­‐data-­‐constraint  as  widely  as  you  need  for   data  integrity  and  encrypCon  needs   • Ensure  that  login/logout  pages  (in  case  of  form   auth-­‐type)  are  protected  by  <transport-­‐ guarantee>CONFIDENTIAL</transport-­‐guarantee>   • Secure  cookies  transmission
  • 37. A1:   A3:   A4:   A5:   GlassFish A2:   A6:   A7:   A8:   A9:   A10:   • Protect  the  keystore   • Protect  GlassFish  accounts   – Use  aliasing  to  protect  the  password  and  keep  the   master  password  safe  to  protect  the  aliases   • Use  digest  authenCcaCon/hashed  password   storage
  • 38. A1:   A3:   A4:   A5:   GlassFish A2:   A6:   A7:   A8:   A9:   A10:   • Install  the  right  server  cerCficates  to  be  used   by  SSL  listeners   • Properly  configure  HTTPS  listener/s  (set  the   right  keystore)   • Properly  configure  the  ORB  over  SSL  listeners  if   needed  (set  the  right  keystore)   • Enable  audiCng  under  Security  and  access  log   under  HTTP  Service
  • 39. A7  -­‐  Missing  func7onal  access  control
  • 40. A1:   • PresentaCon  layer  access  control  is  not   enough!   • Not  using  “Deny  All”  by  default   • Related  to  A4  –  Insecure  Direct  Object   References A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:  
  • 41. A1:   A3:   A4:   A5:   Worst Practice A2:   A6:   A7:   A8:   A9:   A10:   • Using  home-­‐grown  security  features  instead  of   container  provided  ones   • Assuming  people  wont  know  some  URLs  to  try   them   • Assuming  no  one  would  misuse  the  extra   permission  and  access  they  have
  • 42. A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   • What  you  do  to  prevent,  A4  plus:   – Use  Container  security  (security-­‐constraint)   – Use  programmaCc  login  of  Java  EE  6  if  needed.   – Properly  configure  security  realms   – Accurately  map  roles  to  principal/groups  (auth-­‐ constraint  /  security-­‐role-­‐mapping)   – Only  allow  supported/required  HTTP  methods   – Accurately  Categorize  the  URL  paGerns  and  permit   the  relevant  roles  for  each
  • 43. A1:   A3:   A4:   A5:   Best Practices A2:   A6:   A7:   A8:   A9:   A10:   • Any  non-­‐public  URL  should  be  protected   • Use  container  authenCcaCon/authorizaCon   features  or  extend  on  top  of  them   • If  not  enough  use  proven  frameworks/   products  to  protect  the  resources   • If  user  can  get  /getpic?id=1x118uf  it  does  not   mean  you  should  show  /getpic?id=1x22ug
  • 44. A8  -­‐  Cross  Site  Request  Forgery  (CSRF)
  • 45. A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • Basically  a  capture-­‐replay  aGack   • Malicious  code  executes  funcCons  on  your   behalf  while  being  authenCcated   • Deep  links  make  this  easier   ! • JavaEE  6  affected:   – UI  technology  of  choice  
  • 46. A1:   A3:   A4:   A5:   How to spot it A2:   A6:   A7:   A8:   A9:   A10:   • Predictable  URLs  (for  logged-­‐in)  users   • No  random  secret  tokens  processing  (CSRF   Token)   • No  double  check  on  different  stages  of  a  mulC-­‐ step  operaCon
  • 47. A1:   A3:   A4:   A5:   A6:   A7:   A8:   A9:   Best Practices A2:   A10:   • Add  Unpredictability  (tokens)   – Hidden  Field,  Single-­‐Use  URLs   – Request  or  Session  Scope   • CSRFPrevenConForm  (JSF  1.2  &  2)
 hGp://blog.eisele.net/2011/02/prevenCng-­‐csrf-­‐with-­‐jsf-­‐20.html   • Use  OWASP  ESAPI
 hGp://www.jtmelton.com/2010/05/16/the-­‐owasp-­‐top-­‐ten-­‐and-­‐esapi-­‐part-­‐6-­‐cross-­‐ site-­‐request-­‐forgery-­‐csrf/
  • 48. A9  -­‐  Using  Components  with  Known  Vulnerabili7es
  • 49. A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   – Using  commercial  off  the  shelve  components  and   frameworks   – Hard  to  track  list  of  vulnerabiliCes   – Hard  to  track  fix  versions   –  Late  or  someCmes  no  news  about  the  flaws  
  • 50. A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   – Using  non  well  stablished  frameworks  and   components,  specially  in  security  services.   – Do  not  following  the  release  train  and  list  of  changes,   or  announcements  mailing  lists,  etc.   – Ignoring  security  fixes  because  of  update  expense   – Staying  with  dead  project  because  of  replacing   refactoring  costs
  • 51. A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   – Stay  with  ApplicaCon  server  cerCfied  components,  e.g   OS,  frameworks,  libraries,  external  services,  etc  as   long  as  possible   – If  staying  with  same  major  or  dot  release,  ensure   applying  all  patches,  specially  security  fixes.   – Only  use  well  known  and  established  frameworks  with   proven  records  
  • 52. A10  -­‐  Unvalidate  Redirects  and  Forwards
  • 53. A1:   A3:   A4:   A5:   What is it? A2:   A6:   A7:   A8:   A9:   A10:   • Redirec7ng  to  another  URL  computed  by  user   provided  parameters   • Forward  to  another  URL  computed  by  user   provided  parameters http://www.java.net/external?url=http://www.adam-bien.com/ roller/abien/entry/ conveniently_transactionally_and_legally_starting
  • 54. A1:   A3:   A4:   A5:   Worst Practices A2:   A6:   A7:   A8:   A9:   A10:   • Not  to  validate/verify  the  target  with  user’s   access  level  before  doing  the  forward   • Not  using  a  proper  access  control  mechanism   (e.g  container  managed  and  proper  security-­‐ constraint  )   • RedirecCng  to  a  user  provided  parameter,  e.g   to  an  external  website
  • 55. A1:   A3:   A4:   A5:   Java EE 6 A2:   A6:   A7:   A8:   A9:   A10:   • Don’t  use  redirect  or  forward  as  much  as  possible   • Accurately  verify/validate  the  target  URL  before   forwarding  or  redirecCng   • Redirects  are  safe  when  using  container  managed   authenCcaCon/authorizaCon  properly   • Forwards  happen  without  authenCcaCon  and  thus   requires  triple  check  to  prevent  unauthorized   access.
  • 57. Security isn‘t all candy.. …  but  you  will  love  it  in  the  end!
  • 58. CC picture reference • • • • • • • • • • •   hGp://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ hGp://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ hGp://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ hGp://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ hGp://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ hGp://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ hGp://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ hGp://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ hGp://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ hGp://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/   hGp://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/               !