Application Security
Myth or Fact?

Dave Ferguson
@dfgrumpy
dave@dkferguson.com
blog.dkferguson.com
www.cfhour.com
Obligatory “About Me” Slide
• Working in field for a long, long time (15+ years)
• Using ColdFusion since version 1.5
• Adobe Community Professional
• Sr. Developer for Nonfat Media
• One of the voices of the <CFHour> ColdFusion podcast w/ Scott Stroz ( @boyzoid )
If you have a question, please ask it anytime
Why should you care about APPLICATION SECURITY? (isn’t that the network guy’s problem?)
At its core, Security is about risk management
Security is fundamentally about protecting “assets”
Most applications don’t have enough protection
Any protection in place is probably insufficient
Security implementation is usually in place to protect server / network, not application
Using captcha to protect a form is not the same as anti-intrusion
Once you understand the perceived value of your application, you will better understand how to protect it
What does it mean to have a secured application?
Some stuff for the “Network Guy”
• Viruses
• Worms
• Network intrusion
• OS Compromise
OWASP
Open Web Application Security Project
OWASP Top 10
(as of 2010)

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session
  Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
GAME TIME!
“I use SSL so my application is secure”
MYTH
• SSL encrypts data in transit.
• Entry and exit points are still unprotected.
  Think of a tunnel through a mountain. Anyone can enter either side, but once inside you can only interact with what is in the tunnel.
• SSL will prevent some things, such as a “man in the middle” attack.
“My application is secure because I have a login screen”
MYTH (for the most part)
• If not implemented correctly, then this becomes a myth.
• Demo time…
“I don’t need to worry about security because I am using (insert framework here)”
MYTH
• Frameworks give structure to code.
• Frameworks make writing secure software easier by inherently enforcing certain coding best practices.
• Code written in a framework can still have the same security holes as non-framework code.
• Frameworks can add some complexity, which requires developers to be more vigilant when looking for possible attack vectors.
“Our data access layer is ORM so we are safe from SQL injection”
MYTH
• Properly implemented ORM does protect against injection.
• However, utilizing HQL can expose the system to injection.
• Demo Time…
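The HQL point above, as an added CFML example that is not part of the slides: the same lookup written with string concatenation and with a bound parameter. It assumes a persistent CFC named `User` with a `username` property, ORM enabled in Application.cfc, and named HQL parameters (ColdFusion 9.0.1+ or Lucee).

```cfml
<!--- Added example, not from the slides. Assumes a persistent CFC named User
      with a "username" property and ORM enabled in Application.cfc.
      Named HQL parameters need ColdFusion 9.0.1+ or Lucee. --->
<cfscript>
// VULNERABLE: the form value is spliced straight into the HQL string.
// HQL is parsed like SQL, so a quote in the username changes the query,
// exactly as it would in a raw <cfquery> written without cfqueryparam.
function findUserUnsafe(required string username) {
    var hql = "from User where username = '" & arguments.username & "'";
    return ormExecuteQuery(hql);
}

// SAFE: the value travels as a bound parameter, never as query text.
// Hibernate hands it to the JDBC driver as data, so it cannot alter the
// structure of the statement no matter what characters it contains.
function findUserSafe(required string username) {
    var hql = "from User where username = :name";
    return ormExecuteQuery(hql, { name = arguments.username });
}

// Loading by primary key sidesteps HQL altogether; validate the type first
// so a non-numeric id is rejected before it ever reaches the ORM.
function loadUserById(required string id) {
    if (!isValid("integer", arguments.id)) {
        throw(type="InvalidArgument", message="id must be an integer");
    }
    return entityLoadByPK("User", val(arguments.id));
}
</cfscript>
```

The same rule applies to `entityLoad()` filter strings and to `ormExecuteQuery()` called from a framework's service layer: anything built by concatenating request data is the unsafe form.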
“We don’t need to worry about security because our site has nothing of value“
MYTH
• Value is perceptual.
• The true value of your application is whatever others deem it to be.
• If an intruder believes your application is hiding something of value, they may try to find it.
• Your site may only contain trivial data. However, does it contain data that could allow an attacker to get into other systems?
• Storing any data about a person makes your site a target.
“The Global Script Protection setting in the ColdFusion admin is sufficient”
MYTH
• The keyword there is “sufficient”.
• Relying on script protection to save you is a fool’s errand.
• The setting will strip out some things but should not be treated as a silver bullet.
• Demo Time…
“Our URL / form variables are encrypted so they can’t be tampered with”
MYTH
• If a loose encryption is used, the encryption could be predicted.
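One way to detect tampering with a URL value, as an added example that is not from the slides: sign the value with a server-side secret and verify the signature before using it, instead of hoping an "encrypted" parameter cannot be predicted. It assumes `hmac()` (ColdFusion 10+ or Lucee) and a secret stored as `application.urlSigningKey`.

```cfml
<!--- Added example, not from the slides. hmac() needs ColdFusion 10+ or
      Lucee; application.urlSigningKey is an assumed server-side secret. --->
<cfscript>
// Sign a value: the tag binds the value to a secret only the server knows.
// Anyone can read the id; nobody without the key can produce a valid tag.
function signValue(required string value) {
    var tag = hmac(arguments.value, application.urlSigningKey, "HMACSHA256");
    return { value = arguments.value, sig = tag };
}

// Verify: recompute the tag and compare. A changed id, or a guessed tag,
// fails here before the value is used anywhere else.
function verifyValue(required string value, required string sig) {
    var expected = hmac(arguments.value, application.urlSigningKey, "HMACSHA256");
    return compare(expected, arguments.sig) == 0;  // case-sensitive compare
}

// Building the link: view.cfm?id=42&sig=<hex tag>
signed = signValue("42");
link = "view.cfm?id=" & urlEncodedFormat(signed.value) & "&sig=" & signed.sig;

// Handling the request in view.cfm: reject anything that does not verify.
// Signing proves the server issued the value; it does NOT prove this user
// may see record 42, so an authorization check (OWASP A4) still follows.
if (!structKeyExists(url, "id") || !structKeyExists(url, "sig")
    || !verifyValue(url.id, url.sig)) {
    throw(type="Forbidden", message="Tampered or missing parameters");
}
</cfscript>
```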
“Thinking like an attacker will help protect my system”
FACT
• Keep up to date on current security trends.
• Take a step back when writing code and evaluate it for possible intrusion.
• Remember that security is a practice or frame of mind, not a “once in a while” type thing.
“We are using anti-intrusion software so we are just fine”
MYTH
• Anti-intrusion software blocks known intrusion patterns.
• They act as a filter to incoming data to stop potentially harmful requests from being processed.
• Not 100% effective, as intruders will attempt to bypass blocking software.
• Examples:
  • ModSecurity
  • SecureIIS
  • FuseGuard
• Demo time…
Tips for the future:
A Couple of things to always think about when writing code
• If a section is supposed to be secure, make sure security is checked on all pages, not just entry points
• Compartmentalize your application to minimize exposure if system is compromised
• Reduce the attack surface and remove unused sections or code
• Don’t rely on a single security layer, use “defense in depth” and employ multiple security layers
• Treat all data from a client as bad until ... Forever.
• Don’t leave security for the other guy to handle
• Security by obscurity gives you a false sense of security
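The first tip (check security on all pages, not just entry points) and the login-screen myth above, as an added example that is not from the slides: an Application.cfc placed inside the protected directory, so ColdFusion runs the login check for every request under it. The `/admin/` directory, `login.cfm` and `session.userId` are assumptions, and the root application's settings are assumed to be reproduced here or inherited via an `extends` mapping.

```cfml
// /admin/Application.cfc  (added example, not from the slides)
// Because ColdFusion uses the nearest Application.cfc, this onRequestStart
// runs for every .cfm and .cfc under /admin/, so a direct request to
// /admin/users.cfm is gated just like /admin/index.cfm.
component {
    this.name = "myapp";
    this.sessionManagement = true;

    // The only pages under /admin/ that may be served without a login.
    variables.publicPages = ["login.cfm", "logout.cfm"];

    public boolean function onRequestStart(required string targetPage) {
        // targetPage arrives as a path such as /admin/users.cfm
        var page = listLast(arguments.targetPage, "/");

        if (arrayFindNoCase(variables.publicPages, page)) {
            return true;
        }

        // session.userId is only ever set by login.cfm after the credentials
        // have been verified; anything else is treated as not logged in.
        if (!structKeyExists(session, "userId") || !len(session.userId)) {
            location(url="/admin/login.cfm", addToken=false);
            return false;   // stop processing the requested page
        }
        return true;
    }
}
```

The same check could live in the root Application.cfc with a path test, but a prefix comparison must then be case-insensitive on Windows hosts; scoping the file to the directory avoids that pitfall.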
Thank You
Any Questions?

Dave Ferguson
@dfgrumpy
dave@dkferguson.com
http://blog.dkferguson.com
http://www.cfhour.com

Mais conteúdo relacionado

Mais procurados

Web Development Security
Web Development SecurityWeb Development Security
Web Development SecurityRafael Monteiro
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Microsoft Österreich
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016Teri Radichel
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Threat Detection using Analytics &amp; Machine Learning
Threat Detection using Analytics &amp; Machine LearningThreat Detection using Analytics &amp; Machine Learning
Threat Detection using Analytics &amp; Machine LearningPriyanka Aash
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
 Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructureZabeel Institute
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionBitglass
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterAlert Logic
 

Mais procurados (20)

Let's talk Security
Let's talk SecurityLet's talk Security
Let's talk Security
 
Web Development Security
Web Development SecurityWeb Development Security
Web Development Security
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...Stefan van der Wiele | Protect users identities and control access to valuabl...
Stefan van der Wiele | Protect users identities and control access to valuabl...
 
Web security
Web securityWeb security
Web security
 
Case - How to protect your website
Case - How to protect your websiteCase - How to protect your website
Case - How to protect your website
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016
 
Application security
Application securityApplication security
Application security
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
 
Threat Detection using Analytics &amp; Machine Learning
Threat Detection using Analytics &amp; Machine LearningThreat Detection using Analytics &amp; Machine Learning
Threat Detection using Analytics &amp; Machine Learning
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
 Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
 
Online Authentication
Online AuthenticationOnline Authentication
Online Authentication
 

Destaque

Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 
Management by exception in cooperative
Management by exception in cooperativeManagement by exception in cooperative
Management by exception in cooperativeEyob Ahmed
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 

Destaque (11)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
 
Management by exception in cooperative
Management by exception in cooperativeManagement by exception in cooperative
Management by exception in cooperative
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Management by exception
Management by exceptionManagement by exception
Management by exception
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
Web security 2012
Web security 2012Web security 2012
Web security 2012
 
MBO and MBE
MBO and MBEMBO and MBE
MBO and MBE
 
Cryptography
CryptographyCryptography
Cryptography
 
Web Security
Web SecurityWeb Security
Web Security
 

Semelhante a Application Security - Myth or Fact Slides

Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...Michael Noel
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Trainingpivotalsecurity
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024Michael Noel
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 dandb-technology
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practicesMichael Pearce
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices Cloudride LTD
 
Ensuring Full Proof Security At Xero
Ensuring Full Proof Security At XeroEnsuring Full Proof Security At Xero
Ensuring Full Proof Security At XeroCraig Walker
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안Johnny Cho
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Making Security Approachable for Developers and Operators
Making Security Approachable for Developers and OperatorsMaking Security Approachable for Developers and Operators
Making Security Approachable for Developers and OperatorsArmonDadgar
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testingankitmehta21
 

Semelhante a Application Security - Myth or Fact Slides (20)

Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
 
Security overview 2
Security overview 2Security overview 2
Security overview 2
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practices
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices
 
Ensuring Full Proof Security At Xero
Ensuring Full Proof Security At XeroEnsuring Full Proof Security At Xero
Ensuring Full Proof Security At Xero
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Making Security Approachable for Developers and Operators
Making Security Approachable for Developers and OperatorsMaking Security Approachable for Developers and Operators
Making Security Approachable for Developers and Operators
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 

Último

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 

Último (20)

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 

Application Security - Myth or Fact Slides

  • 17. “I use SSL so my application is secure”
  • 18. MYTH
     - SSL encrypts data in transit.
     - Entry and exit points are still unprotected.
     - Think of a tunnel through a mountain: anyone can enter either side, but once inside you can only interact with what is in the tunnel.
     - SSL will prevent some things, such as a “man in the middle” attack.
  • 19. “My application is secure because I have a login screen”
  • 20. MYTH (for the most part)
     - If the login check is not implemented correctly, this becomes a myth.
     - Demo time…
  • 21. “I don’t need to worry about security because I am using (insert framework here)”
  • 22. MYTH
     - Frameworks give structure to code.
     - Frameworks make writing secure software easier by inherently enforcing certain coding best practices.
     - Code written in a framework can still have the same security holes as non-framework code.
     - Frameworks can add some complexity, which requires developers to be more vigilant when looking for possible attack vectors.
  • 23. “Our data access layer is ORM so we are safe from SQL injection”
  • 24. MYTH
     - Properly implemented ORM does protect against injection.
     - However, building HQL from user input can expose the system to injection.
     - Demo time…
  • 25. “We don’t need to worry about security because our site has nothing of value”
  • 26. MYTH
     - Value is perceptual. The true value of your application is what others deem its value to be.
     - If an intruder believes your application is hiding something of value, they may try to find it.
     - Your site may only contain trivial data. However, does it contain data that could allow an attacker to get into other systems?
     - Storing any data about a person makes your site a target.
  • 27. “The Global Script Protection setting in the ColdFusion admin is sufficient”
  • 28. MYTH
     - The keyword there is “sufficient”.
     - Relying on script protection to save you is a fool’s errand.
     - The setting will strip out some things but should not be treated as a silver bullet.
     - Demo time…
  • 29. “Our URL / form variables are encrypted so they can’t be tampered with”
  • 30. MYTH
     - If a loose (weak or reversible) encryption scheme is used, the encrypted values can be predicted and forged.
  • 31. “Thinking like an attacker will help protect my system”
  • 32. FACT
     - Keep up to date on current security trends.
     - Take a step back when writing code and evaluate it for possible intrusion.
     - Remember that security is a practice or frame of mind, not a “once in a while” type of thing.
  • 33. “We are using anti-intrusion software so we are just fine”
  • 34. MYTH
     - Anti-intrusion software blocks known intrusion patterns.
     - It acts as a filter on incoming data to stop potentially harmful requests from being processed.
     - Not 100% effective, as intruders will attempt to bypass blocking software.
     - Examples: ModSecurity, SecureIIS, FuseGuard
     - Demo time…
  • 35. Tips for the future: A Couple of things to always think about when writing code
  • 36. If a section is supposed to be secure, make sure security is checked on all pages, not just entry points
  • 37. Compartmentalize your application to minimize exposure if system is compromised
  • 38. Reduce the attack surface and remove unused sections or code
  • 39. Don’t rely on a single security layer, use “defense in depth” and employ multiple security layers
  • 40. Treat all data from a client as bad until ... Forever.
  • 41. Don’t leave security for the other guy to handle
  • 42. Security by obscurity gives you a false sense of security
  • 43. Thank You Any Questions? Dave Ferguson @dfgrumpy dave@dkferguson.com http://blog.dkferguson.com http://www.cfhour.com
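The login-screen myth of slides 19-20 and the tip on slide 36 (check security on all pages, not just entry points), as an added example. This is not the deck's demo app: the tiny dispatcher stands in for a web framework, and the `session` dict stands in for the server-side session (both assumptions). The first dispatcher only hides the admin link in the menu; the second applies a deny-by-default check to every request, which is the job Application.cfc's onRequestStart does in a ColdFusion app.

```python
# Added example (not the deck's code): menu-only login protection beside a
# global per-request check. HANDLERS, PUBLIC_PATHS and the session dict are
# stand-ins constructed for this example.

PUBLIC_PATHS = {"/", "/login"}


def nav_links(session):
    """Menu rendering: the admin link is hidden unless the user is logged in."""
    links = ["/", "/login"]
    if session.get("logged_in"):
        links.append("/admin")
    return links


def home_page(session):
    return "home"


def admin_page(session):
    return "admin: list of weapons"


HANDLERS = {"/": home_page, "/login": home_page, "/admin": admin_page}


def dispatch_nav_only(path, session):
    """The myth: the menu hides /admin, but nothing stops a direct request
    to it once the URL is known (or after logout, with the URL in history)."""
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(session)


def dispatch_global(path, session):
    """Deny by default: every non-public path requires a login before the
    handler is even looked up, so a page that forgets its own check is still
    covered and unknown paths cannot be enumerated by an anonymous client."""
    if path not in PUBLIC_PATHS and not session.get("logged_in"):
        return 302, "/login"
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(session)
```

The global check only proves that *a* logged-in session exists, which is why the cookie-copy session hijack in the speaker notes still reaches the admin screen: it is a separate control from protecting the session itself.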
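The "encrypted URL variables" myth of slides 29-30, as an added example that is not code from the deck. The single-byte XOR scheme, the secret keys and the item ids are all constructed here. The first half shows why a loose, reversible scheme is predictable: one token whose plaintext id is visible on the page gives the attacker the key, and any other id can be minted. The second half shows the control the slide is really asking for, integrity rather than secrecy: the id travels in the clear with an HMAC over it, and the server refuses anything it did not sign.

```python
# Added example (not the deck's code): a predictable "encryption" of URL
# values beside an HMAC-signed value. Keys and ids are constructed here.
import hashlib
import hmac

XOR_KEY = 0x5A  # the "loose encryption": one repeating key byte (assumption)
HMAC_KEY = b"server-side-secret-constructed-for-this-example"


def xor_token(item_id):
    """Obscure an id by XORing each byte with a fixed key; looks random in a URL."""
    return bytes(b ^ XOR_KEY for b in str(item_id).encode()).hex()


def xor_untoken(token):
    """Server side: reverse the XOR and use the id as-is (no integrity check)."""
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(token)).decode()


def forge_xor_token(known_token, known_id, target_id):
    """Attacker view: a token whose plaintext id is known (it is printed on the
    page next to the link) reveals the key byte, so a token for any other id
    can be produced without ever seeing the key."""
    key = bytes.fromhex(known_token)[0] ^ ord(str(known_id)[0])
    return bytes(b ^ key for b in str(target_id).encode()).hex()


def signed_token(item_id):
    """Integrity, not secrecy: id in the clear plus an HMAC-SHA256 over it."""
    msg = str(item_id).encode()
    mac = hmac.new(HMAC_KEY, msg, hashlib.sha256).hexdigest()
    return f"{item_id}.{mac}"


def verify_signed_token(token):
    """Return the id if the MAC checks out, else None. compare_digest keeps
    the comparison constant-time so the MAC cannot be guessed byte by byte."""
    item_id, _, mac = token.partition(".")
    expected = hmac.new(HMAC_KEY, item_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return int(item_id) if item_id.isdigit() else None
```

Signing the value stops tampering; it does not stop a logged-in user from using a validly signed link to an object they should not see, which is the separate A4 (insecure direct object reference) check the Top 10 list above covers.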

Editor’s Notes

  1. Site notes: http://msdn.microsoft.com/en-us/library/ff648636.aspx https://www.owasp.org/index.php/Main_Page
     Setup:
     - Close all task bar notifiers, chat, TweetDeck.
     - CFBuilder: Twister_preso workspace. Make sure font is at 18. Select demo app and “go into”. Open a cfc and a cfm just to init Builder, then close files. Have no code opened, but have task window available.
     - Open Chrome to demo site http://local.demoapp.com/
     - Open tab to local cfadmin.
     - Open Firefox to demo site (then hide).
  2. Reducing downtime,
  3. An asset can be anything, database data, files on a server, the server itself.
  4. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
  5. Slide 15 - I think you should point out that the Top 10 gets updated every three years. It was last updated in 2010. Perhaps bringing this up when you talk about staying current later in the presentation would be a good place for it. Open Web Application Security Project (OWASP)
  6. Slide 18 - Many times people forget that SSL is about more than just encrypting data. Using SSL to verify the authenticity of a server's identity is just as important as encrypting the data. I think it is important to point this out. And to point out that self-signed certs are only good for development. Even though they encrypt the data just as well, you lose the server identification that is so important.
  7. First showing of demo app. Explain basics of app (FW/1, ORM, ColdSpring). FIXME: 20 LOGIN
     1: Login and show admin section.
     2: Logout and show how you can still get to admin.
     3: Login protected the navigation, not the actual pages.
     4: Update code to check for login globally to prevent intrusion. Remove when done, as a future demo needs the exploit available.
     5: Show severity using session hijacking: login using Chrome, then copy cookies to Firefox.
     6: Click on "home" on menu. Login button should turn orange.
     7: Go to admin screen.
  8. Slide 22 - I think it would be accurate to say that frameworks (MVC, IoC, DI etc) do not typically provide any protection on their own, but they make writing secure software easier. The one exception to that would be ORM, which offers some built-in security, but that covers a small fraction of the vulnerabilities that code could contain.
  9. Complicated demo, take your time. Make sure that CF console is showing in Builder; need to show ORM output.
     1: Show search. Show how using “;” in an injection string doesn’t work, as ORM hates it.
     2: Inject into search to return all items: %' or 1 = 1 and 1 = '%  Show query in console to see how it was built. Show code. FIXME24 INJECTION. Swap code out for param; should return nothing. Show query to illustrate param.
     3: Using previous session hijack, go to admin in Firefox. Go to delete screen and delete an item. Use URL to add " or 1 = 1" to wipe all data. Go back to Chrome and go to admin edit screen; should also show no records. FIXME: 24.1 INJECTION. Show how it could have been avoided using entityLoad / entityDelete or param.
  10. Slide 28 - I disagree with your assessment that this statement is fact (even kind). I think it should be Myth. What I point out to people is that if their site contains any kind of user data at all (even just email and a password), then it contains data that needs to be protected. Because we all know that 80% of those users are using the same password for your book club site as they are for their web mail. If your site is compromised, so could be many of your users' email accounts, bank accounts, etc. Even if your site is a completely open, read-only system, I doubt that you want your data compromised or want your site DoS'd because of bad programming. If the site is dynamic then it needs to have protections in place, period.
  11. No code to show in this demo.
     1: Use previous session hijack to access admin (alternatively use a non-logged-in browser to access admin).
     2: Show CFAdmin and make sure script protect is off.
     3: Create new weapon and add code below in name. Use code that would be blocked and create new weapon. Search for weapon to show exploit.
     4: Enable script protection. Use blocked code first to show how script protect works.
     5: Use unblocked code with protection still on to create weapon. Load search screen to show it still made it through.
     6: Disable script protect in admin at end.
     Blocked: <script>alert('congrats! you are a victim of XSS')</script>
     Not blocked: <body onload="alert('congrats! you are a victim of XSS')"></body>
  12. Now the demo fun begins. Without changing anything, first open up Application.cfc to enable FuseGuard. FIXME34 FuseGuard
     1: Go to home screen in Chrome. Attempt to load home screen in FF; FuseGuard should block the request as a session hijack.
     2: On Chrome with screen still at admin, try same SQL delete inject; should get blocked.
     3: Try directory traversal “../../”. Should get blocked.
     4: Show XSS block when creating weapon. Show both previously blocked and unblocked payloads to show FG blocking both.
     5: Open FG manager and show intrusion blocks.
  13. Use multiple gatekeepers to keep attackers at bay. Defense in depth means you do not rely on a single layer of security, or you consider that one of your layers may be bypassed or compromised.
  14. Your application's user input is the attacker's primary weapon when targeting your application. Assume all input is malicious until proven otherwise, and apply a defense in depth strategy to input validation, taking particular precautions to make sure that input is validated whenever a trust boundary in your application is crossed.
     Slide 40 - Treat data from the client as bad, always. I think saying "until proven otherwise" might encourage people to think that if they "sanitize" input they can then go without properly encoding output. I don't think there is any point at which it is OK to stop treating user provided data as untrusted.
     Use previous XSS exploit as example. Bad data might have been added prior to protection being enabled.
  15. Site notes: http://msdn.microsoft.com/en-us/library/ff648636.aspx https://www.owasp.org/index.php/Main_Page
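The ORM/HQL injection of slides 23-24 and the demo in note 9, as an added example that is not the deck's demo code. SQLite and plain SQL stand in for the ColdFusion ORM and HQL layer, the weapon table and its three rows are constructed here, and the search payload is the one from the speaker notes. The concatenated search shows the payload returning every row, the concatenated delete shows the `or 1 = 1` wipe, and the parameterized versions show the same inputs doing nothing; the LIKE escape helper covers a caveat a bound parameter alone does not: `%` and `_` inside the user's term are still wildcards.

```python
# Added example (not the deck's code): string-built LIKE search and delete
# beside parameterized versions. SQLite stands in for the ORM/HQL layer;
# the table, rows and payloads are constructed for this example.
import sqlite3

WEAPONS = ["sword", "bow", "dagger"]
SEARCH_PAYLOAD = "%' or 1 = 1 and 1 = '%"   # payload from the speaker notes
DELETE_PAYLOAD = "1 or 1 = 1"               # appended to the delete URL in the demo


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weapon (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO weapon (name) VALUES (?)", [(w,) for w in WEAPONS])
    return conn


def search_concat(conn, term):
    """Vulnerable: the query text is assembled from the user's term, which is
    what ormExecuteQuery does when the HQL string is built with #term#.
    The payload closes the quote and adds 'or 1 = 1', returning every row."""
    sql = "SELECT name FROM weapon WHERE name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """Escape LIKE wildcards in the term itself; otherwise a bound '%' still
    matches everything even though it can no longer break out of the query."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_param(conn, term):
    """Safe: the term travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name FROM weapon WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM weapon").fetchone()[0]


def delete_concat(conn, item_id):
    """Vulnerable: the id from the URL is pasted into the statement, so
    '1 or 1 = 1' deletes every weapon. Returns the number of rows left."""
    conn.execute("DELETE FROM weapon WHERE id = " + item_id)
    return remaining(conn)


def delete_param(conn, item_id):
    """Safe: reject anything that is not an integer, then bind it."""
    if not item_id.isdigit():
        raise ValueError("item id must be an integer")
    conn.execute("DELETE FROM weapon WHERE id = ?", (int(item_id),))
    return remaining(conn)
```

In CFML the equivalent controls are cfqueryparam for cfquery, passing the value in the params argument of ormExecuteQuery rather than interpolating it into the HQL string, or loading and deleting through entityLoad / entityDelete as the note suggests.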
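The script-protection myth of slides 27-28 and the demos in notes 11 and 14, as an added example that is not the deck's code. ColdFusion's setting rewrites a short list of tag names rather than removing them; the toy filter here just strips script tags, which is enough to reproduce the point of the demo: the `<script>` payload is stopped, the `<body onload>` payload is not, and a value that reached the database before the filter was turned on is unaffected either way. The second half shows the control that holds regardless of what was stored, HTML output encoding at render time. The two payloads are the ones from note 11 and the rendered table cell is constructed here.

```python
# Added example (not the deck's code): a tag-stripping input filter that a
# second vector bypasses, beside output encoding that holds for any stored
# value. The payloads are from the speaker notes; the table cell is constructed.
import html
import re

SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)

BLOCKED_PAYLOAD = "<script>alert('congrats! you are a victim of XSS')</script>"
NOT_BLOCKED_PAYLOAD = "<body onload=\"alert('congrats! you are a victim of XSS')\"></body>"


def script_protect(value):
    """Input filter: strips script tags and nothing else. Event handlers,
    javascript: URLs and attribute breakouts all pass straight through."""
    return SCRIPT_TAG.sub("", value)


def render_raw(weapon_name):
    """Search-result cell that trusts whatever the database returned."""
    return "<td>" + weapon_name + "</td>"


def render_encoded(weapon_name):
    """Same cell with HTML output encoding (htmlEditFormat / encodeForHTML in
    CFML): the stored value is shown as text no matter what it contains."""
    return "<td>" + html.escape(weapon_name, quote=True) + "</td>"


def has_active_markup(fragment):
    """Does the rendered fragment still carry a script tag or an element with
    an on* event handler? Used to judge each render below."""
    return bool(SCRIPT_TAG.search(fragment) or EVENT_HANDLER.search(fragment))
```

Because the stored value is encoded every time it is rendered, the order of events in note 14 (bad data inserted before protection was enabled) no longer matters; the filter is at best a second layer, not the control.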