SlideShare uma empresa Scribd logo

The net is dark and full of terrors - James Bennett

L
Leo Zhou

Django Con Euro 2015

Tecnologia
1 de 65
Baixar para ler offline
T H E N E T I S D A R K A N D F U L L O F T E R R O R S J A M E S B E N N E T T · D J A N G O C O N E U R O P E · 3 R D J U N E 2 0 1 5
W H O I A M Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django’s release and security process ~8 years
W H AT T H I S I S History of Django and security How Django tries to protect you Some ways we’ve screwed up and what you can learn from that
S E C U R I T Y I S H A R D
I N T H E B E G I N N I N G …
D J A N G O ’ S F I R S T V U L N E R A B I L I T Y 1 6 T H A U G U S T 2 0 0 6 C V E - 2 0 0 7 - 0 4 0 4
N I N E Y E A R S A N D 4 8 M O R E S E C U R I T Y I S S U E S L AT E R …
D J A N G O ’ S L AT E S T V U L N E R A B I L I T Y 2 0 T H M A Y 2 0 1 5 C V E - 2 0 1 5 - 3 9 8 2
Security issues are archived in the documentation: https://docs.djangoproject.com/en/dev/ releases/security/
2 0 0 7 · P R E - 1 . 0 I N F O R M A L S E C U R I T Y P R O C E S S 2 0 0 8 · D J A N G O 1 . 0 T E M P L AT E A U T O E S C A P I N G 2 0 1 0 · D J A N G O 1 . 2 M O D E R N C S R F P R O T E C T I O N 2 0 1 2 · D J A N G O 1 . 4 H A S H I N G , C RY P T O , S I G N E D C O O K I E S , C L I C K J A C K I N G , S E N S I T I V E E R R O R S , F O R M A L S E C U R I T Y P R O C E S S
2 0 1 3 · D J A N G O 1 . 5 · D J A N G O 1 . 6 H O S T H E A D E R H A R D E N I N G , I N C R E A S E D H A S H I T E R AT I O N S , H A S H T R U N C AT I O N 2 0 1 4 · D J A N G O 1 . 7 S Y S T E M C H E C K F R A M E W O R K 2 0 1 5 · D J A N G O 1 . 8 S E C U R I T Y M I D D L E WA R E , D E P L O Y M E N T C H E C K
D J A N G O ’ S S E C U R I T Y P R O C E S S
TL;DR: email security@djangoproject.com if you think you’ve found a security issue in Django. Full security policy always accessible at https://www.djangoproject.com/security/
S E C U R I T Y I S S U E V E R I F I C AT I O N Try out a proof-of-concept, if provided Coordinate with reporter for more info if needed Once verified, begin tracking issue (privately)
S E C U R I T Y PAT C H I N G P R O C E S S Patches submitted in private tracker (only core team has access) Reviewed and, if needed, ported to multiple versions of Django
S E C U R I T Y N O T I F I C AT I O N P R O C E S S Request a CVE identifier for the issue One week prior to release, send to our security notification list Pre-notification can be abbreviated for issues already public/exploited
S E C U R I T Y R E L E A S E P R O C E S S Patches merged from private security branches to public GitHub repository Releases issued with blog post containing details of issue(s) and CVE identifier(s) Spam ALL the social media sites!
The goals of our process are to ensure responsible reporting and disclosure of security issues.
D J A N G O V S . T H E O WA S P T O P T E N
https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project
Injection attacks ✅ Authentication and session management ✅ Cross-site scripting (XSS) ✅ Direct object references ✅ Misconfiguration ✅
Sensitive data exposure ✅ Function level access control ✅ Cross-site request forgery (CSRF) ✅ Components with known vulnerabilities ✅ Unvalidated redirects and forwards ✅
A B O V E A N D B E Y O N D
Django tries very hard to be secure-by-default, and to offer the tools you need to harden your applications beyond the common cases.
However…
W H Y D O W E FA L L ?
W H Y D O W E FA L L ?
W H Y D O W E FA I L ?
– T H E D J A N G O T E A M , C I R C A 2 0 0 7 “Parsing the Accept-Language header is expensive to do every time, let’s do it once per unique value and cache the results!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Let’s use a one-time base36 token to do password resets!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Formsets need to dynamically grow the number of forms they use!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Restrictions on password length are dumb! Long passwords are better!”
CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
P Y T H O N I S G R E AT No buffer overflows But you can still DoS yourself if you’re not careful We learned this the hard way so you shouldn’t have to
S T O P D O S ’ I N G Y O U R S E L F Sanity-check your inputs for length before you start processing them Yes, even passwords (when appropriate)! Configure your web server to cap the length of HTTP headers and request bodies
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should really check whether the URL exists before accepting the value!”
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should accept anything that matches the format of a valid URL!”
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “EmailField should accept anything that matches the format of a valid email address!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Checking for corrupt image files is easy, we can just use PIL’s routines for that!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Most image formats store metadata in a header, let’s find it by only reading a few bytes at a time!”
CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
T H E B I G O Expresses upper bound on your algorithm Also, apparently, an anime But more important is the “upper bound” bit
– A C T U A L LY A V E RY U S E F U L Q U E S T I O N “What’s the worst that could happen?”
N O R E A L LY, S T O P D O S ’ I N G Y O U R S E L F ! Figure out how much work your code should do Then figure out whether you can make it do more Then figure out ways to ensure it does less Some issues (compressed formats, incremental reads, pathological regex, etc.) have been around forever — read up on them!
(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(? =[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)? [ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?: (?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)? [ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?: (?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)? [ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;: ".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:r n)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)(?:,s*(?:(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+ (?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:. (?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?: rn)?[ t])*))*)?;s*)
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Values of cookies we’ve set can be trusted!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Admin users can be trusted with a bit of the lookup API!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 1 “We can trust the browser same-origin sandbox!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “We can trust admin users with the history log!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Once we’ve validated a value and stored it, we can trust it!”
CVE-2010-3082 XSS via trusting unsafe cookie value CVE-2010-4534 Information leakage in administrative interface CVE-2011-0696 CSRF via forged HTTP headers CVE-2013-0305 Information leakage via admin history log NO CVE, DISCLOSED 2013-08-13 XSS via admin trusting URLField values
– T H E D J A N G O T E A M , O V E R A N D O V E R A G A I N … “We can trust the HTTP Host header now!”
CVE-2011-4139 Host header cache poisoning CVE-2011-4140 Potential CSRF via Host header CVE-2012-4520 Host header poisoning ADVISORY, 2012-12-10 Additional hardening of Host header handling ADVISORY, 2013-02-19 Additional hardening of Host header handling
“I did warn you not to trust me.”
T H E R E I S N O S U C H T H I N G A S “ S E C U R E ”
W H Y D O W E FA L L ?
❓
Q U O T E S / I M A G E S http://www.marriedtothesea.com/index.php?date=012710 http://en.wikipedia.org/wiki/File:Selfmade_Big_O.png http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html http://highlighthollywood.com/2015/02/game-of-thrones-actor-aidan- gillen-lord-petyr-baelish-talks-season-5-sansa-and-little-finger- highlight-hollywood-news/ http://x-files.wikia.com/wiki/File:Trust_No_One_tagline.jpg http://www.slideshare.net/ChristofHammel/process-iceberg-21703547

Recomendados

Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwWireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwyesumanitvr
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret ZoneReality Net System Solutions
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...Yandex
 
DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC Men and Mice
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Ricardo Fanjul Fandiño
 
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendsoFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendJune Park
 
Adaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationAdaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationYunyao Li
 

Recomendados

Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwWireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwyesumanitvr
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible InterferenceJulie Tsai
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret ZoneReality Net System Solutions
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...Yandex
 
DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC Men and Mice
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Ricardo Fanjul Fandiño
 
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendsoFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendJune Park
 
Adaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationAdaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationYunyao Li
 
Nra Background Checks
Nra Background ChecksNra Background Checks
Nra Background Checkseminentsilhouet88
 
Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber FraudNataliya Frolova
 
Pradeep CV
Pradeep CVPradeep CV
Pradeep CVPradeep Kumar
 
Presentacion
Presentacion Presentacion
Presentacion manuelsuarez14769
 
Capacitacion docente laptop xo
Capacitacion docente laptop xoCapacitacion docente laptop xo
Capacitacion docente laptop xoBecker Morales Collao
 
Barcode
BarcodeBarcode
Barcodepaisan1
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015Chantae Lessard
 
Carátula
CarátulaCarátula
CarátulaAgustín Fernandez
 
Estudios de gabinete
Estudios de gabineteEstudios de gabinete
Estudios de gabinetegerman9571
 
Maxillary permanent incisors
Maxillary permanent incisorsMaxillary permanent incisors
Maxillary permanent incisorsMO'men AbuDaif
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCYi-Hsueh Tsai
 
Cocoa
CocoaCocoa
CocoaBelencitha Leon
 
Message de solidarité de l'UIA
Message de solidarité de l'UIAMessage de solidarité de l'UIA
Message de solidarité de l'UIAJLMB
 
Data Modelling at Scale
Data Modelling at ScaleData Modelling at Scale
Data Modelling at ScaleDavid Simons
 
Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Scott Sosna
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldUniversity of Hertfordshire
 
Meteor WWNRW Intro
Meteor WWNRW IntroMeteor WWNRW Intro
Meteor WWNRW IntroStephan Hochhaus
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutesDavid Simons
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileDoc Norton
 
Choosing the right database
Choosing the right databaseChoosing the right database
Choosing the right databaseDavid Simons
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Amazon Web Services
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningAbhishek Sharma
 

Mais conteúdo relacionado

Destaque

Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber FraudNataliya Frolova
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015Chantae Lessard
 
Estudios de gabinete
Estudios de gabineteEstudios de gabinete
Estudios de gabinetegerman9571
 
Maxillary permanent incisors
Maxillary permanent incisorsMaxillary permanent incisors
Maxillary permanent incisorsMO'men AbuDaif
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCYi-Hsueh Tsai
 
Message de solidarité de l'UIA
Message de solidarité de l'UIAMessage de solidarité de l'UIA
Message de solidarité de l'UIAJLMB
 

Destaque (13)

Nra Background Checks
Nra Background ChecksNra Background Checks
Nra Background Checks
 
Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber Fraud
 
Pradeep CV
Pradeep CVPradeep CV
Pradeep CV
 
Presentacion
Presentacion Presentacion
Presentacion
 
Capacitacion docente laptop xo
Capacitacion docente laptop xoCapacitacion docente laptop xo
Capacitacion docente laptop xo
 
Barcode
BarcodeBarcode
Barcode
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015
 
Carátula
CarátulaCarátula
Carátula
 
Estudios de gabinete
Estudios de gabineteEstudios de gabinete
Estudios de gabinete
 
Maxillary permanent incisors
Maxillary permanent incisorsMaxillary permanent incisors
Maxillary permanent incisors
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
 
Cocoa
CocoaCocoa
Cocoa
 
Message de solidarité de l'UIA
Message de solidarité de l'UIAMessage de solidarité de l'UIA
Message de solidarité de l'UIA
 

Semelhante a The net is dark and full of terrors - James Bennett

Data Modelling at Scale
Data Modelling at ScaleData Modelling at Scale
Data Modelling at ScaleDavid Simons
 
Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Scott Sosna
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutesDavid Simons
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileDoc Norton
 
Choosing the right database
Choosing the right databaseChoosing the right database
Choosing the right databaseDavid Simons
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Amazon Web Services
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningAbhishek Sharma
 
Reducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as SurfaceReducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as SurfaceJeffrey Hulten
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitGreta Strolyte
 
Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications Amazon Web Services
 
100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018Codemotion
 
Pro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are DeadPro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are DeadDaniel Ayala
 
Choosing the Right Database
Choosing the Right DatabaseChoosing the Right Database
Choosing the Right DatabaseDavid Simons
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress DevelopersDavid Brumbaugh
 
Mock proposal for digitisation project
Mock proposal for digitisation projectMock proposal for digitisation project
Mock proposal for digitisation projectGiada Gelli
 
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS SummitGain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS SummitAmazon Web Services
 

Semelhante a The net is dark and full of terrors - James Bennett (20)

Data Modelling at Scale
Data Modelling at ScaleData Modelling at Scale
Data Modelling at Scale
 
Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Meteor WWNRW Intro
Meteor WWNRW IntroMeteor WWNRW Intro
Meteor WWNRW Intro
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutes
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to Agile
 
Choosing the right database
Choosing the right databaseChoosing the right database
Choosing the right database
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
 
Reducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as SurfaceReducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as Surface
 
DevOps introduction
DevOps introductionDevOps introduction
DevOps introduction
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summit
 
Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications
 
eHarmony @ Phoenix Con 2016
eHarmony @ Phoenix Con 2016eHarmony @ Phoenix Con 2016
eHarmony @ Phoenix Con 2016
 
100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018
 
Pro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are DeadPro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are Dead
 
Choosing the Right Database
Choosing the Right DatabaseChoosing the Right Database
Choosing the Right Database
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress Developers
 
Mock proposal for digitisation project
Mock proposal for digitisation projectMock proposal for digitisation project
Mock proposal for digitisation project
 
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS SummitGain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
 

Mais de Leo Zhou

第三名 3rd zhyict
第三名 3rd zhyict第三名 3rd zhyict
第三名 3rd zhyictLeo Zhou
 
异常检测在苏宁的实践
异常检测在苏宁的实践异常检测在苏宁的实践
异常检测在苏宁的实践Leo Zhou
 
第二名 2nd 火眼金睛
第二名 2nd 火眼金睛第二名 2nd 火眼金睛
第二名 2nd 火眼金睛Leo Zhou
 
第四名 4th H3C AI Institute
第四名 4th H3C AI Institute第四名 4th H3C AI Institute
第四名 4th H3C AI InstituteLeo Zhou
 
第一名 1st Bocoiops
第一名 1st Bocoiops第一名 1st Bocoiops
第一名 1st BocoiopsLeo Zhou
 
第六名 6th Aurora
第六名 6th Aurora第六名 6th Aurora
第六名 6th AuroraLeo Zhou
 
AI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving NetworkAI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving NetworkLeo Zhou
 
2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用Leo Zhou
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildwebLeo Zhou
 
1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑Leo Zhou
 
1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用Leo Zhou
 
Protocol libraries the right way
Protocol libraries the right wayProtocol libraries the right way
Protocol libraries the right wayLeo Zhou
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍Leo Zhou
 
特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践Leo Zhou
 
我的互联网运维理论与实践
我的互联网运维理论与实践我的互联网运维理论与实践
我的互联网运维理论与实践Leo Zhou
 
如何选择 Docker 监控方案
如何选择 Docker 监控方案如何选择 Docker 监控方案
如何选择 Docker 监控方案Leo Zhou
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍Leo Zhou
 
Hypothesis randomised testing for django
Hypothesis randomised testing for djangoHypothesis randomised testing for django
Hypothesis randomised testing for djangoLeo Zhou
 
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享Leo Zhou
 
动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法Leo Zhou
 

Mais de Leo Zhou (20)

第三名 3rd zhyict
第三名 3rd zhyict第三名 3rd zhyict
第三名 3rd zhyict
 
异常检测在苏宁的实践
异常检测在苏宁的实践异常检测在苏宁的实践
异常检测在苏宁的实践
 
第二名 2nd 火眼金睛
第二名 2nd 火眼金睛第二名 2nd 火眼金睛
第二名 2nd 火眼金睛
 
第四名 4th H3C AI Institute
第四名 4th H3C AI Institute第四名 4th H3C AI Institute
第四名 4th H3C AI Institute
 
第一名 1st Bocoiops
第一名 1st Bocoiops第一名 1st Bocoiops
第一名 1st Bocoiops
 
第六名 6th Aurora
第六名 6th Aurora第六名 6th Aurora
第六名 6th Aurora
 
AI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving NetworkAI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving Network
 
2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb
 
1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑
 
1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用
 
Protocol libraries the right way
Protocol libraries the right wayProtocol libraries the right way
Protocol libraries the right way
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍
 
特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践
 
我的互联网运维理论与实践
我的互联网运维理论与实践我的互联网运维理论与实践
我的互联网运维理论与实践
 
如何选择 Docker 监控方案
如何选择 Docker 监控方案如何选择 Docker 监控方案
如何选择 Docker 监控方案
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍
 
Hypothesis randomised testing for django
Hypothesis randomised testing for djangoHypothesis randomised testing for django
Hypothesis randomised testing for django
 
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
 
动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法
 

Último

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 

Último (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

The net is dark and full of terrors - James Bennett

  • 1. T H E N E T I S D A R K A N D F U L L O F T E R R O R S J A M E S B E N N E T T · D J A N G O C O N E U R O P E · 3 R D J U N E 2 0 1 5
  • 2. W H O I A M Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django’s release and security process ~8 years
  • 3. W H AT T H I S I S History of Django and security How Django tries to protect you Some ways we’ve screwed up and what you can learn from that
  • 4. S E C U R I T Y I S H A R D
  • 5. I N T H E B E G I N N I N G …
  • 6. D J A N G O ’ S F I R S T V U L N E R A B I L I T Y 1 6 T H A U G U S T 2 0 0 6 C V E - 2 0 0 7 - 0 4 0 4
  • 7. N I N E Y E A R S A N D 4 8 M O R E S E C U R I T Y I S S U E S L AT E R …
  • 8. D J A N G O ’ S L AT E S T V U L N E R A B I L I T Y 2 0 T H M A Y 2 0 1 5 C V E - 2 0 1 5 - 3 9 8 2
  • 9. Security issues are archived in the documentation: https://docs.djangoproject.com/en/dev/ releases/security/
  • 10. 2 0 0 7 · P R E - 1 . 0 I N F O R M A L S E C U R I T Y P R O C E S S 2 0 0 8 · D J A N G O 1 . 0 T E M P L AT E A U T O E S C A P I N G 2 0 1 0 · D J A N G O 1 . 2 M O D E R N C S R F P R O T E C T I O N 2 0 1 2 · D J A N G O 1 . 4 H A S H I N G , C RY P T O , S I G N E D C O O K I E S , C L I C K J A C K I N G , S E N S I T I V E E R R O R S , F O R M A L S E C U R I T Y P R O C E S S
  • 11. 2 0 1 3 · D J A N G O 1 . 5 · D J A N G O 1 . 6 H O S T H E A D E R H A R D E N I N G , I N C R E A S E D H A S H I T E R AT I O N S , H A S H T R U N C AT I O N 2 0 1 4 · D J A N G O 1 . 7 S Y S T E M C H E C K F R A M E W O R K 2 0 1 5 · D J A N G O 1 . 8 S E C U R I T Y M I D D L E WA R E , D E P L O Y M E N T C H E C K
  • 12. D J A N G O ’ S S E C U R I T Y P R O C E S S
  • 13. TL;DR: email security@djangoproject.com if you think you’ve found a security issue in Django. Full security policy always accessible at https://www.djangoproject.com/security/
  • 14. S E C U R I T Y I S S U E V E R I F I C AT I O N Try out a proof-of-concept, if provided Coordinate with reporter for more info if needed Once verified, begin tracking issue (privately)
  • 15. S E C U R I T Y PAT C H I N G P R O C E S S Patches submitted in private tracker (only core team has access) Reviewed and, if needed, ported to multiple versions of Django
  • 16. S E C U R I T Y N O T I F I C AT I O N P R O C E S S Request a CVE identifier for the issue One week prior to release, send to our security notification list Pre-notification can be abbreviated for issues already public/exploited
  • 17. S E C U R I T Y R E L E A S E P R O C E S S Patches merged from private security branches to public GitHub repository Releases issued with blog post containing details of issue(s) and CVE identifier(s) Spam ALL the social media sites!
  • 18. The goals of our process are to ensure responsible reporting and disclosure of security issues.
  • 19. D J A N G O V S . T H E O WA S P T O P T E N
  • 21. Injection attacks ✅ Authentication and session management ✅ Cross-site scripting (XSS) ✅ Direct object references ✅ Misconfiguration ✅
  • 22. Sensitive data exposure ✅ Function level access control ✅ Cross-site request forgery (CSRF) ✅ Components with known vulnerabilities ✅ Unvalidated redirects and forwards ✅
  • 23. A B O V E A N D B E Y O N D
  • 24. Django tries very hard to be secure-by-default, and to offer the tools you need to harden your applications beyond the common cases.
  • 26.
  • 27. W H Y D O W E FA L L ?
  • 28. W H Y D O W E FA L L ?
  • 29. W H Y D O W E FA I L ?
  • 30. – T H E D J A N G O T E A M , C I R C A 2 0 0 7 “Parsing the Accept-Language header is expensive to do every time, let’s do it once per unique value and cache the results!”
  • 31. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Let’s use a one-time base36 token to do password resets!”
  • 32. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Formsets need to dynamically grow the number of forms they use!”
  • 33. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Restrictions on password length are dumb! Long passwords are better!”
  • 34. CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
  • 35.
  • 36. CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
  • 37. P Y T H O N I S G R E AT No buffer overflows But you can still DoS yourself if you’re not careful We learned this the hard way so you shouldn’t have to
  • 38. S T O P D O S ’ I N G Y O U R S E L F Sanity-check your inputs for length before you start processing them Yes, even passwords (when appropriate)! Configure your web server to cap the length of HTTP headers and request bodies
  • 39. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should really check whether the URL exists before accepting the value!”
  • 40. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should accept anything that matches the format of a valid URL!”
  • 41. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “EmailField should accept anything that matches the format of a valid email address!”
  • 42. – T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Checking for corrupt image files is easy, we can just use PIL’s routines for that!”
  • 43. – T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Most image formats store metadata in a header, let’s find it by only reading a few bytes at a time!”
  • 44. CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
  • 45.
  • 46. CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
  • 47. T H E B I G O Expresses upper bound on your algorithm Also, apparently, an anime But more important is the “upper bound” bit
  • 48. – A C T U A L LY A V E RY U S E F U L Q U E S T I O N “What’s the worst that could happen?”
  • 49. N O R E A L LY, S T O P D O S ’ I N G Y O U R S E L F ! Figure out how much work your code should do Then figure out whether you can make it do more Then figure out ways to ensure it does less Some issues (compressed formats, incremental reads, pathological regex, etc.) have been around forever — read up on them!
  • 50. (?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(? =[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)? [ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?: (?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)? [ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?: (?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)? [ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;: ".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:r n)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)(?:,s*(?:(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+ (?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:. (?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?: rn)?[ t])*))*)?;s*)
  • 51. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Values of cookies we’ve set can be trusted!”
  • 52. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Admin users can be trusted with a bit of the lookup API!”
  • 53. – T H E D J A N G O T E A M , C I R C A 2 0 1 1 “We can trust the browser same-origin sandbox!”
  • 54. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “We can trust admin users with the history log!”
  • 55. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Once we’ve validated a value and stored it, we can trust it!”
  • 56. CVE-2010-3082 XSS via trusting unsafe cookie value CVE-2010-4534 Information leakage in administrative interface CVE-2011-0696 CSRF via forged HTTP headers CVE-2013-0305 Information leakage via admin history log NO CVE, DISCLOSED 2013-08-13 XSS via admin trusting URLField values
  • 57. – T H E D J A N G O T E A M , O V E R A N D O V E R A G A I N … “We can trust the HTTP Host header now!”
  • 58. CVE-2011-4139 Host header cache poisoning CVE-2011-4140 Potential CSRF via Host header CVE-2012-4520 Host header poisoning ADVISORY, 2012-12-10 Additional hardening of Host header handling ADVISORY, 2013-02-19 Additional hardening of Host header handling
  • 59. “I did warn you not to trust me.”
  • 60.
  • 61. T H E R E I S N O S U C H T H I N G A S “ S E C U R E ”
  • 62. W H Y D O W E FA L L ?
  • 63.
  • 64.
  • 65. Q U O T E S / I M A G E S http://www.marriedtothesea.com/index.php?date=012710 http://en.wikipedia.org/wiki/File:Selfmade_Big_O.png http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html http://highlighthollywood.com/2015/02/game-of-thrones-actor-aidan- gillen-lord-petyr-baelish-talks-season-5-sansa-and-little-finger- highlight-hollywood-news/ http://x-files.wikia.com/wiki/File:Trust_No_One_tagline.jpg http://www.slideshare.net/ChristofHammel/process-iceberg-21703547